Owasp Orizon 2.0 – monthly update for November

Here it is. We have started.
From now on, we are moving from a tool that is usable but not as good as OWASP needs toward the next major release, planned for June 2010.

To improve visibility and communication with the community, I will publish a monthly report about the decisions taken, what we have done and which kind of help we need.

This is the first update.
In this slideshow we discuss where we start from, the major goals to achieve and an improvement roadmap.

Check this out.

The art of code reviewing: the video

On my blip.tv channel I just uploaded the video of the presentation I gave at the last Owasp Italy Day, 6th November 2009 in Milan.

The video is in Italian and is about how code review is, in many ways, a sort of art.

My life has changed a lot in this week. I’m a dad now.
Nevertheless, some updates about Orizon will follow really soon…

Some architectural change

I want to make things run smoothly from the beginning.
I'm also using the 37signals book as a guideline for a Getting Things Done approach.

First structural change (already happened): the blog has been moved from a self-managed installation at sourceforge.net to a free hosted installation here at wordpress.com.

Second structural change: the source code repository. I'll separate the source code that will become release 2.0 from the old code, and I'll host the newer source code at github.com.

Third structural change: the tool used for source versioning won't be Subversion anymore; I'll use git instead.

While reading the Dragon book, I'm thinking about a way of managing the Mirage engine and its dependencies from FreeCC. But that will be covered in a separate post.

v1.19.20 crawling Apache Tomcat

Here is the video of Owasp Orizon v1.19.20 crawling the Apache Tomcat source code.

It is a test of the Java parser module.
A lot of work starts today in order to reach the next major version bump for Owasp AppSec 2010 in Stockholm.
We'll split the project into smaller units, we'll follow the KISS approach, and we'll start improving the Orizon site in order to give developers plenty of information and to give feedback on the overall improvements made.

Orizon 2.0 will be completely different in terms of functionality and in terms of the APIs exposed.

Owasp Italy Day 4 – Official Announcement

This is the official Italian invitation for the Owasp Italy Day 4 conference, which will be held in Milan on 6th November 2009.

I'll give a talk titled “The art of code reviewing”: a not too technical talk about what code review means, which skills are involved and a feasible approach using Orizon.

Of course, keynote slides will be published the day after the conference.

On 6th November the fourth edition of the OWASP Day will be held in Milan.
Exceptional speakers will address the new topics of Web Application Security
at one of the most renowned
and eagerly awaited Information Security conferences in the country.

On this occasion CIOs, CTOs, CISOs, Auditors, IT Managers, Security
Managers and those responsible for Security Governance will have the opportunity to get up to date on the evolution of application security and on the new Software Security initiatives in the international landscape.

Information and registration for the event:
http://www.owasp.org/index.php/Italy_OWASP_Day_4

Owasp Italy Day 4: Call for sponsorship

We are planning the next OWASP-Italy Day for 6th November in Milan.
The following is the Call for Sponsorship information:

=============================================================

OWASP-Italy Day IV: “Secure Software Initiatives”
Milan – 6th November 2009

=============================================================

Introduction:
=========
Following on from the great success of the previous OWASP Days, the new
conference will take place on 6th November 2009 in Milan.
The event is dedicated to CEOs, CIOs, CISOs, Security Managers and Security
Consultants.
We expect more than 200 attendees covering all the major industrial sectors.

Organization and goals:
=================
* The event will offer several points of discussion: we will present
the state of the art of Secure Software Initiatives and technical
talks about new research in Application Security.
* To conclude the day, we will organize a round table discussing the
most interesting subjects that came up during the event.
* The conference goal is to create a debate on what the evolution
of Web Application Security research will be, and on how to start a
secure software initiative.

Invited Speaker:
===========
As special guests we invited Gary McGraw
(http://www.informit.com/authors/bio.aspx?a=B283E5A4-703C-47DF-AFBF-A9CFA311D46B),
Pravir Chandra (Director of Strategic Services at Fortify Software),
Marco Morana (http://www.owasp.org/index.php/Marco_Morana) and Giorgio
Maone (creator of NoScript and ABE, http://maone.net/).

Call for Sponsorship:
===============
The OWASP-Italy community encourages Industries, Research Institutions
and Individuals to sponsor its activities and events.
Two types of sponsorship are available:
* Silver sponsorship: 2500 euro. It includes: the publication of the
sponsor logo on the web site.
* Gold sponsorship: 3500 euro. It includes: the publication of the
sponsor logo in the agenda, on the web site, on the flyers and in all
the official communications with the attendees at the conference, plus
the possibility to distribute company brochures, CDs or other
materials to the participants during the event.

Important dates:
============
We would like to have the agenda and sponsors defined by the first
week of October.

Additional information:
================
* Conference website: http://www.owasp.org/index.php/Italy_OWASP_Day_4
* OWASP Speaker Agreement: http://www.owasp.org/index.php/Speaker_Agreement
* About OWASP: http://www.owasp.org/ || http://www.owasp.org/index.php/Italy

Ooops… what about my model?

I was looking at the org.owasp.orizon.mirage.Modeler class, in order to draw the data flow for information about field scope, and I just discovered that, by my mistake, Collector information never leaves Mirage, whereas it should be put into the SessionInfo object…

Refactoring this phase is a top priority now.

A new begin for Jericho

Jericho was the first Orizon subsystem, even before Twilight.
In the very first Orizon versions you were able to find some kinds of unvalidated input. This was done by the Jericho engine; however, that code was buggy and it was not compliant with the newer engine-based Orizon architecture.

That's why I renamed the Jericho class to OldJericho and started rewriting a new Jericho engine from scratch, extending the Engine class.

The first task the newer Jericho has to accomplish is checking source code for design weaknesses. In the Orizon library JAR file there is now a folder called Design/ containing ORL rule files describing what is bad in a source file's design.

The “scan” command will be added to the Orizon SHell in order to invoke Jericho and ask for its static analysis features.
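To make concrete what a "source code check for design weakness" looks like when written as code rather than as a rule file, here is an added example; it is not Orizon or Jericho code and it does not use the ORL rule format, which the post does not describe. It is a deliberately line-local check: a JSP line is reported when a request parameter (a source) is written to the response (a sink) without passing through one of an assumed whitelist of escaping or validation calls. The class name, the whitelist and the sample JSP lines are all constructed for the example.

```java
// Added example, not Orizon/Jericho code: a minimal, line-local static check
// in the spirit of a design rule. Reports JSP lines where a request parameter
// reaches the response without an escaping/validation call on the same line.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class UnvalidatedInputCheck {
    public static final class Finding {
        public final int line;
        public final String text;
        Finding(int line, String text) { this.line = line; this.text = text; }
        @Override public String toString() { return "line " + line + ": " + text.trim(); }
    }

    // Sources of untrusted data: request.getParameter("x") or the EL form ${param.x}
    private static final Pattern SOURCE =
        Pattern.compile("request\\.getParameter\\s*\\(|\\$\\{\\s*param\\.");
    // Sinks: scriptlet expressions <%= ... %>, out.print/println(...), and EL
    // output itself (${param.x} renders unescaped in a plain JSP page)
    private static final Pattern SINK =
        Pattern.compile("<%=|out\\.print(?:ln)?\\s*\\(|\\$\\{\\s*param\\.");
    // Sanitizers the rule accepts: a hypothetical whitelist; a real rule set
    // would load this from configuration instead of hard-coding it
    private static final Pattern SANITIZER =
        Pattern.compile("escapeHtml|encodeForHTML|fn:escapeXml|validate\\w*\\(");

    /** Return one Finding per JSP line that has a source and a sink but no sanitizer. */
    public static List<Finding> check(String jspSource) {
        List<Finding> findings = new ArrayList<>();
        String[] lines = jspSource.split("\n");
        for (int i = 0; i < lines.length; i++) {
            String l = lines[i];
            boolean tainted = SOURCE.matcher(l).find();
            boolean sink = SINK.matcher(l).find();
            boolean sanitized = SANITIZER.matcher(l).find();
            if (tainted && sink && !sanitized) {
                findings.add(new Finding(i + 1, l));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample page; the comments say what the rule does with each line
        String sample = String.join("\n",
            "<%@ page contentType=\"text/html\" %>",                            // line 1: nothing
            "<% String name = request.getParameter(\"name\"); %>",              // line 2: source, no sink
            "<p>Hello <%= request.getParameter(\"name\") %></p>",               // line 3: reported
            "<p>Hello <%= escapeHtml(request.getParameter(\"name\")) %></p>",   // line 4: sanitized
            "<p>Hello ${param.name}</p>",                                        // line 5: reported (EL output)
            "<p>Hello ${fn:escapeXml(param.name)}</p>",                          // line 6: sanitized
            "<% out.println(request.getParameter(\"q\")); %>");                 // line 7: reported
        for (Finding f : check(sample)) {
            System.out.println(f);
        }
    }
}
```

The check is intentionally naive: the parameter read on line 2 of the sample is stored in a variable and never followed, so any later use of `name` is invisible to it. Following that value across lines is exactly the data-flow work that belongs to the modeling phase (the Modeler/SessionInfo refactoring mentioned above), which is why a design-rule pass like this one is a first filter rather than a complete analysis.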

JSP and outgoing links and shell updates…

In SVN trunk I committed the bug fix for the annoying trailing characters in the Orizon Shell.

The bug was that, after a command that displayed a progress bar on the screen, the progress bar output was consumed by the shell main loop as the next command, resulting in an OSH parser lexical error.

The JSP Collector is now able to detect a page's outgoing links; next week this will let Orizon build a map of the active pages of a J2EE application.

Sounds really cool…
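The page map mentioned above can be sketched in a few dozen lines. The following is an added example, not code from Orizon's JSP Collector: it pulls outgoing links out of JSP source (href/action attributes, jsp:forward and jsp:include page attributes, and response.sendRedirect calls), builds a page-to-targets map for a whole application, and then computes which pages are reachable from an entry page. The class name, the regular expression and the sample application are all constructed for the example; the pages that are never linked from anywhere are the ones a reviewer would want to look at first, since forgotten pages tend to get less validation attention than the main flow.

```java
// Added example, not Orizon code: extract a JSP page's outgoing links and
// build a page -> targets map for a small, constructed J2EE application.
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JspLinkCollector {
    // Matches href/action/page attributes and response.sendRedirect("...") calls.
    // Group 1 is the quote character, group 2 the link target.
    private static final Pattern LINK = Pattern.compile(
        "(?:\\b(?:href|action|page)\\s*=\\s*|sendRedirect\\s*\\(\\s*)([\"'])([^\"']+)\\1",
        Pattern.CASE_INSENSITIVE);

    /** Return the distinct outgoing targets found in one JSP source, in order of appearance. */
    public static Set<String> outgoingLinks(String jspSource) {
        Set<String> targets = new LinkedHashSet<>();
        Matcher m = LINK.matcher(jspSource);
        while (m.find()) {
            String target = m.group(2).trim();
            // Skip in-page anchors, empty targets and targets computed by a scriptlet
            if (target.isEmpty() || target.startsWith("#") || target.contains("<%")) continue;
            targets.add(target);
        }
        return targets;
    }

    /** Build the map page -> outgoing targets for every page of the application. */
    public static Map<String, Set<String>> buildPageMap(Map<String, String> pages) {
        Map<String, Set<String>> map = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : pages.entrySet()) {
            map.put(e.getKey(), outgoingLinks(e.getValue()));
        }
        return map;
    }

    /** Pages reachable from the entry page by following links: the "active" page set. */
    public static Set<String> activePages(Map<String, Set<String>> map, String entry) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>();
        todo.push(entry);
        while (!todo.isEmpty()) {
            String page = todo.pop();
            if (!seen.add(page)) continue;            // already visited
            for (String t : map.getOrDefault(page, Collections.<String>emptySet())) {
                if (map.containsKey(t)) todo.push(t); // only follow links to known pages
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample application: file name -> JSP source fragment
        Map<String, String> app = new LinkedHashMap<>();
        app.put("index.jsp", "<a href=\"login.jsp\">Login</a> <a href='about.jsp'>About</a>");
        app.put("login.jsp", "<form action=\"doLogin.jsp\" method=\"post\">...</form>");
        app.put("doLogin.jsp", "<% if (ok) response.sendRedirect(\"home.jsp\"); %>"
                             + "<jsp:forward page=\"login.jsp\"/>");
        app.put("home.jsp", "<jsp:include page=\"menu.jsp\"/> <a href=\"#top\">top</a>");
        app.put("menu.jsp", "<a href=\"index.jsp\">Home</a>");
        app.put("orphan.jsp", "<a href=\"index.jsp\">never linked from anywhere</a>");

        Map<String, Set<String>> map = buildPageMap(app);
        map.forEach((page, targets) -> System.out.println(page + " -> " + targets));

        Set<String> active = activePages(map, "index.jsp");
        System.out.println("active from index.jsp: " + active);

        Set<String> unlinked = new LinkedHashSet<>(app.keySet());
        unlinked.removeAll(active);
        System.out.println("never linked (review candidates): " + unlinked);
    }
}
```

Links whose target is not a page of the application (about.jsp in the sample) stay in the map as outgoing edges but are not followed, so the map also doubles as an inventory of where the application sends users outside itself.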

New release and new ideas

Hello there, I know… I didn't update this blog regularly… sometimes I write stuff on my tumblr… sometimes I tweet… and sometimes I just code and nothing else.

That's it. On Monday I released version 1.19, with some improvements to JSP language support, and today I committed some code that makes JSP inspection more powerful.

In the next release we'll focus development on finding XSS, just to pump up Orizon's value as a security tool… and we'll start talking about threads and daemons… just like in the old school days…
