The OWASP Orizon Project, initiated in 2006, is an open-source static analysis framework offering APIs and security checks for source code. Completely rewritten over the past nine months, it has gained visibility following the OWASP AppSec NYC 08. The project aims to provide language-independent security checks described in XML, adhering to open-source principles. With version 1.0 released, future versions promise improved GUIs and integrations with security tools. The project seeks to strengthen application security while enlisting community support for development and engagement.
The Owasp Orizon Project
• Paolo Perego, thesp0nge@owasp.org
• Project Leader
Overview
• Project started in 2006
• Another opensource alternative in source code static analysis
• Not only a tool but a static analysis framework
• Completely rewritten in the last 9 months
• Web exposure boosted after Owasp AppSec NYC’08 last September
Objectives
• Provide a set of APIs that anyone can use in a source code static analysis tool
• Provide a set of security checks to be applied to source code
  • Knowledge is open here, so only open-sourced security checks will be included
• Best-of-breed best practices
  • Owasp Code Review Guide
  • Cigital Java Security Rulepack (http://www.cigital.com/securitypack/view/index.html)
  • Custom written security checks
• Language independent
  • Use XML as meta-language to describe source code
  • Apply security checks to the XML interpreted language
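The last two bullets describe the whole architecture in one breath: source code is first translated into an XML meta-language, and the security checks, themselves written in XML, are applied to that XML rather than to each language's syntax. The Python block below is an added illustration of that pipeline written for this page; it is not Orizon's code, and the element names (`unit`, `call`, `arg`, `check`, `sink`, `require-arg`, `literal-in`) and both schemas are invented for the example. Its point is the language-independence claim: the same two checks run unchanged over a Java unit and a PHP unit because they only ever see the XML.

```python
"""Added illustration of the Orizon pipeline described on the Objectives slide:
(1) source code already translated into an XML meta-language, (2) security checks
described in XML, (3) checks applied to the XML rather than to language syntax.
Every element name and both schemas are invented for this example; they are NOT
Orizon's real formats.
"""
import xml.etree.ElementTree as ET

# Constructed input: two files already translated into the hypothetical
# meta-language, one <unit> per file (the translators themselves are not shown).
UNITS_XML = [
    """<unit lang="java" file="Shell.java">
  <method name="run">
    <call callee="java.lang.Runtime.exec" line="12"><arg kind="var" name="cmd"/></call>
    <call callee="java.lang.Runtime.exec" line="15"><arg kind="literal" value="ls -l"/></call>
    <call callee="java.security.MessageDigest.getInstance" line="20"><arg kind="literal" value="MD5"/></call>
  </method>
</unit>""",
    """<unit lang="php" file="run.php">
  <method name="main">
    <call callee="system" line="3"><arg kind="var" name="_GET['c']"/></call>
    <call callee="hash" line="7"><arg kind="literal" value="sha256"/><arg kind="var" name="data"/></call>
  </method>
</unit>""",
]

# Constructed check library (hypothetical schema):
#   <sink callee=.../>          the callees this check watches
#   <require-arg kind=.../>     fire if any argument is NOT of this kind
#   <literal-in values=.../>    fire if any literal argument is one of these values
CHECKS_XML = """<checks>
  <check id="CMD-INJ-001" severity="high"
         title="Non-literal data reaches a process-execution sink">
    <sink callee="java.lang.Runtime.exec"/>
    <sink callee="system"/>
    <sink callee="exec"/>
    <require-arg kind="literal"/>
  </check>
  <check id="WEAK-HASH-001" severity="medium"
         title="Weak hash algorithm selected by literal">
    <sink callee="java.security.MessageDigest.getInstance"/>
    <sink callee="hash"/>
    <literal-in values="MD5,MD2,SHA1,SHA-1"/>
  </check>
</checks>"""


def load_checks(xml_text):
    """Parse the XML check library into plain dicts."""
    checks = []
    for c in ET.fromstring(xml_text).findall("check"):
        req = c.find("require-arg")
        lit = c.find("literal-in")
        checks.append({
            "id": c.get("id"),
            "severity": c.get("severity"),
            "title": c.get("title"),
            "sinks": {s.get("callee") for s in c.findall("sink")},
            "require_kind": req.get("kind") if req is not None else None,
            "literal_in": ({v.strip().lower() for v in lit.get("values").split(",")}
                           if lit is not None else set()),
        })
    return checks


def call_matches(call, check):
    """A check fires on a call to one of its sinks when any of its predicates holds."""
    args = call.findall("arg")
    if check["require_kind"] and any(a.get("kind") != check["require_kind"] for a in args):
        return True
    if check["literal_in"] and any(
        a.get("kind") == "literal" and a.get("value", "").lower() in check["literal_in"]
        for a in args
    ):
        return True
    return False


def run_checks(units_xml, checks):
    """Apply every check to every <call> of every unit, regardless of source language.
    Returns (check id, file, line, callee) tuples in document order."""
    findings = []
    for text in units_xml:
        unit = ET.fromstring(text)
        for call in unit.iter("call"):
            for check in checks:
                if call.get("callee") in check["sinks"] and call_matches(call, check):
                    findings.append((check["id"], unit.get("file"),
                                     int(call.get("line")), call.get("callee")))
    return findings


if __name__ == "__main__":
    for check_id, path, line, callee in run_checks(UNITS_XML, load_checks(CHECKS_XML)):
        print(f"{path}:{line}: [{check_id}] {callee}")
```

Two things to notice. First, all the language-specific work lives in the translators that produce the `<unit>` documents; once a Java and a PHP front end agree on the meta-language, one check library covers both, which is the whole reason for the XML detour. Second, these checks match on callee names and argument kinds only: a variable that actually holds a constant still trips `CMD-INJ-001`, and a sink reached through a wrapper function is missed. Pattern-style checks like these are cheap and easy to share, which is why they suit an open check library, but a reviewer still has to triage each hit.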
Status and Future Steps
• Project reached version 1.0
  • Now the real fun is going to start
• Usable
  • To perform basic code reviews
  • To build security tools
• Fancy
  • Very basic GUI
  • Mac OS X standalone application
• Near future (end 2008): version 1.2
  • Security library to be consolidated with more checks
  • GUI improvement
• Mid-term future (2Q 2009): version 1.4
  • Integration with:
    • Code Crawler (Alessio Marziali)
    • O2 (Dinis Cruz)
  • Java bytecode security code review
Closing
• 2009, the turning point year
  • Library will be almost complete
  • Standalone application will be released for Win32 and Unix too
  • A network of great security-related tools
    • O2
    • Code Crawler
• Marketing
  • Blog (http://orizon.sf.net/blog)
  • Twitter usage (check the OWASPOrizon user)
  • AppSecs (Poland ’09, …)
• Recruiting developers
• Thanks
  • For the criticisms
  • For the support
  • For believing
http://orizon.sourceforge.net
thesp0nge@owasp.org