Monday, January 16, 2017

OWASP 2017 Graduation Reviews - Volunteers Needed!

OWASP is reviewing projects that wish to graduate from Incubator to Lab. The purpose of this assessment is to determine whether a project meets the minimum criteria to graduate as outlined in the Project Health Assessment Criteria Document. The review process begins with an initial self-assessment done by the project leader and reviewed by Matt Tesauro. Next, the assessment enters the peer review phase, where we ask volunteers in our OWASP Community to participate and finalize the results.


It is our goal to have at least two or three reviewers per project to provide their expertise and feedback for each OWASP Project listed below. If you would like to help, sign up by February 15th.

I have included a sample of a Project Assessment for your review and consideration.

Type of Project: Tool
Project Leader: Bjoern Kimminich
Project Name: OWASP Juice Shop Project
Wiki Page: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Github Link: https://github.com/bkimminich/juice-shop

Description:
OWASP Juice Shop is a professionally developed application using all sorts of quality assurance tools and automation processes to ensure it is working as intended. The project has been in development since October 2014 and just recently joined the OWASP project inventory. It would be unfortunate to leave it in "Incubator" state longer than absolutely necessary given the maturity the project has gained over the last 2 years.

Type of Project: Code
Project Name: OWASP DefectDojo Project
Project Leader: Greg Anderson
Project Web Page: https://www.owasp.org/index.php/OWASP_DefectDojo_Project
Project Github: https://github.com/OWASP/django-DefectDojo

Description:
An open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools. DefectDojo is a tracking tool written in Python / Django. DefectDojo was created in 2013 and open-sourced on March 13th, 2015. The project was started to make optimizing vulnerability tracking less painful. The top goal of DefectDojo is to reduce the amount of time security professionals spend logging vulnerabilities. DefectDojo accomplishes this by offering a templating system for vulnerabilities, imports for common vulnerability scanners, report generation, and metrics.

Type of Project: Tool
Project Name: OWASP Benchmark Project
Project Leader: Dave Wichers
Project Web Page: https://www.owasp.org/index.php/Benchmark
Project Github: https://github.com/google/benchmark

Description:
An enormous amount of work has gone into this project already and we are planning to do a lot more. The ability to run the Benchmark in just a few minutes, and then score a large set of tools automatically once their results files have been produced, is a significant capability that required a huge amount of work to produce. There is nothing else like it in the industry and the quality of the scorecard output is very high.

Project Type: Code
Project Name: OWASP Node.js Goat Project
Project Leader: Chetan Karande
Project Web Page: https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project
Project Github: https://github.com/OWASP/NodeGoat

Description:
Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

Project Type: Documentation
Project Name: OWASP Automated Threats to Web Applications
Project Leader(s): Colin Watson & Tin Zaw
Project Web Page: https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
PDF Doc Link: https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf

Description:
Web applications are subjected to unwanted automated usage day in, day out. Often these events relate to misuse of inherently valid functionality rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistaken for application denial-of-service (DoS) such as HTTP flooding, when in fact the DoS is a side effect rather than the primary intent. Frequently these have sector-specific names. Most of these problems, seen regularly by web application owners, are not listed in any OWASP Top Ten or other top-issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility and inconsistent naming of such threats, with a consequent lack of clarity in attempts to address the issues.