The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
Tuesday, November 14, 2017
OWASP CODE SPRINT 2017
At OWASP, we were thrilled to sponsor our second OWASP Code Sprint in 2017. Our partnership with students and universities to grow OWASP Projects has been a success since we began participating in the GSoC programs. We received more than 29 proposals and were able to select 13 students, who worked on a diverse range of application security projects. Below, we highlight the activity. OWASP also provided an additional incentive and held an OWASP raffle for an AppSec ticket and funding initiative to award one lucky student for great work done. Congratulations, Sourav Badami!
OWASP OWTF Project
Project Leaders: Abraham Aranguren, Viyat Bhalodia
Student: Anshul Singhal
Great work from Anshul Singhal, who added dynamic report generation from the database with a user-selected template, and refactored the code to separate the UI into a standalone React app, decoupled from the backend. The report generation is done; Anshul is still working on the code separation and is very committed to completing the work outside the program if that is what it takes.
Feedback from Anshul: OWASP Code Sprint was such a great experience. Viyat and Abraham both helped me a lot during the whole duration. I learnt a lot working with OWTF. Thank you OWASP for this opportunity.
OWASP Hackademic Project
Project Leader: Spyros Gasteratos
Student: Pavlos Zianos
Pavlos Zianos successfully worked on dynamic provisioning, launching and networking of new challenges without any blocking I/O calls, and refactored the existing codebase to accept modular drivers for both Docker and Vagrant provisioning, flexible networking and service discovery.
Feedback from Pavlos: OWASP Code Sprint has been a very valuable experience for me mainly because I got to bootstrap the project which gave me insight into issues that I had never experienced before. Spyros has been a very good mentor all this time.
Eric Anderson successfully accomplished a variety of difficult assignments while contributing to OWASP’s DefectDojo Project including: feature development, debugging, and bug fixes. His assignments required professional caliber skill and dedication to complete. We are very grateful for his contributions which improved DefectDojo for our entire community. For technical details, all the information is in our public issues tracker found here.
Feedback from Eric: OWASP Code Sprint was overall a great experience on getting an idea of how certain jobs and processes of the cybersecurity field work and function. Learning how to use Django and Python in a professional manner was nice and cool.
Rutuja Surve successfully built web server log analysis functions for security. A minor portion of the effort was to include basic statistical metrics and evaluations. The major portion of the effort was to use machine learning, particularly clustering, to evaluate the log file with a view towards anomaly detection. Some of the analysis was based on intelligent thresholds (statistics of each client's behaviour), and some was based on pure clustering analysis.
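The two approaches described above (threshold-based scoring and clustering) applied to web server access logs, as an added example that is not Rutuja's code or any OWASP project's code. It assumes the Apache/Nginx combined log format, uses a constructed sample of log lines embedded inline, and implements a small k-means in the standard library rather than depending on scikit-learn. Per client it derives three features (request count, 4xx/5xx error ratio, distinct paths), flags outliers with robust median/MAD z-scores, and separately reports the smallest k-means cluster as anomalous.

```python
import math
import re
from collections import defaultdict

# Apache/Nginx "combined" log format; only the fields the features need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)'
)
FEATURE_NAMES = ("requests", "error_ratio", "distinct_paths")


def _line(ip, method, path, status):
    return f'{ip} - - [14/Nov/2017:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample: five ordinary visitors and one client (203.0.113.9, a
# documentation-range address) requesting ten paths that all answer 404.
_PROBES = ["/admin", "/.env", "/backup.zip", "/phpmyadmin", "/wp-login.php",
           "/config.php", "/.git/config", "/shell.php", "/old/", "/test/"]
SAMPLE_LOG = [
    _line("10.0.0.1", "GET", "/", 200), _line("10.0.0.1", "GET", "/about", 200), _line("10.0.0.1", "GET", "/contact", 200),
    _line("10.0.0.2", "GET", "/", 200), _line("10.0.0.2", "GET", "/login", 200),
    _line("10.0.0.2", "POST", "/login", 302), _line("10.0.0.2", "GET", "/dashboard", 200),
    _line("10.0.0.3", "GET", "/", 200), _line("10.0.0.3", "GET", "/about", 200),
    _line("10.0.0.4", "GET", "/", 200), _line("10.0.0.4", "GET", "/products", 200),
    _line("10.0.0.4", "GET", "/products/1", 200), _line("10.0.0.4", "GET", "/missing", 404),
    _line("10.0.0.5", "GET", "/", 200), _line("10.0.0.5", "GET", "/about", 304), _line("10.0.0.5", "GET", "/contact", 200),
] + [_line("203.0.113.9", "GET", p, 404) for p in _PROBES]


def parse_line(line):
    """Return the parsed fields of one log line, or None when the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def client_features(lines):
    """Aggregate per-client features: (request count, 4xx/5xx ratio, distinct paths)."""
    counts, errors, paths = defaultdict(int), defaultdict(int), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["ip"]] += 1
        errors[rec["ip"]] += rec["status"] >= 400
        paths[rec["ip"]].add(rec["path"])
    return {ip: (counts[ip], errors[ip] / counts[ip], len(paths[ip])) for ip in counts}


def _median(xs):
    s = sorted(xs)
    n, m = len(s), len(s) // 2
    return s[m] if n % 2 else (s[m - 1] + s[m]) / 2


def robust_z(values):
    """Median/MAD z-scores: one hostile client cannot inflate the scale the way it inflates a mean/std."""
    med = _median(values)
    dev = [abs(v - med) for v in values]
    mad = _median(dev)
    # Consistency constants make MAD (or, when MAD is 0, the mean absolute deviation) comparable to a std dev.
    scale = 1.4826 * mad if mad > 0 else 1.2533 * (sum(dev) / len(dev))
    if scale == 0:
        return [0.0] * len(values)
    return [(v - med) / scale for v in values]


def threshold_anomalies(features, z_limit=3.0):
    """Flag clients whose feature exceeds the robust z-score limit; returns {ip: {feature: z}}."""
    ips = list(features)
    flagged = defaultdict(dict)
    for i, name in enumerate(FEATURE_NAMES):
        for ip, z in zip(ips, robust_z([features[ip][i] for ip in ips])):
            if z > z_limit:  # one-sided: more requests, errors or paths than the population
                flagged[ip][name] = round(z, 2)
    return dict(flagged)


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans_anomalies(features, k=2, iters=50):
    """Lloyd's k-means on min-max scaled features; the smallest cluster is reported as anomalous.
    Deterministic seeding: the first centroid is the point nearest the origin, each further one the
    point farthest from the centroids chosen so far."""
    ips = list(features)
    cols = list(zip(*(features[ip] for ip in ips)))
    lo, span = [min(c) for c in cols], [(max(c) - min(c)) or 1.0 for c in cols]
    pts = [[(v - lo[j]) / span[j] for j, v in enumerate(features[ip])] for ip in ips]
    centroids = [min(pts, key=sum)]
    while len(centroids) < k:
        centroids.append(max(pts, key=lambda p: min(_dist(p, c) for c in centroids)))
    labels = None
    for _ in range(iters):
        new_labels = [min(range(k), key=lambda j, p=p: _dist(p, centroids[j])) for p in pts]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, l in zip(pts, labels) if l == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    sizes = [labels.count(j) for j in range(k)]
    smallest = sizes.index(min(sizes))
    return sorted(ip for ip, l in zip(ips, labels) if l == smallest)


if __name__ == "__main__":
    feats = client_features(SAMPLE_LOG)
    print("threshold:", threshold_anomalies(feats))
    print("k-means:  ", kmeans_anomalies(feats))
```

On the sample both methods single out 203.0.113.9: the threshold pass reports which feature tripped (useful for an analyst), while the clustering pass needs no per-feature limits but only says which clients look unlike the rest, so on a real log its smallest cluster must still be reviewed before it is treated as hostile.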
Project Leaders: Glenn ten Cate, Riccardo ten Cate
Students: Heeraj H Nair and Wojciech Reguła
Heeraj H Nair successfully added code examples for Python Flask and Python Django. Heeraj helped us update the current knowledge base and iterated over the items to improve them. He delivered fully working apps for both frameworks so we could effectively test the quality of the code with both manual testing and code reviews. Details can be found here.
Feedback from Heeraj: OWASP Code Sprint gave me the opportunity to learn a lot of things while doing the code sprint. Mentors were really awesome; they have helped me a lot. Thanks for everything, OWASP!
Wojciech Reguła successfully created the Ruby on Rails code examples and arranged for an expert RoR team to also help with the review. He also created an RoR app for us to test the code examples. Details can be found here.
Feedback from Wojciech: Absolutely amazing program! I learnt a lot about securing applications from the other side (currently I'm a pentester and student 😊). OWASP Code Sprint gave me an opportunity to test my programming skills, write real production code, be a part of the most used security knowledge base in the future 😉 and get to know very cool people like Glenn and Riccardo! Mentoring!
Nikhil R successfully added more than 12 features, shellcodes (including OSX) and an obfuscation method. Commits are available here. Great work performed!
Feedback from Nikhil: The project is perfect for learning about the Win32 API and writing custom shellcode, which I think would help me immensely. In the second part of the project I worked on writing more functional shellcode for Windows with abilities to download and execute files. I learned a lot about writing shellcode for Windows, which I feel is quite an achievement by itself apart from the open source contributions.
Anamika Das successfully implemented a new add-on for field enumeration. It's nearly there; it just needs a few minor tweaks in order to be merged. Details can be found here.
Feedback from Anamika: It is a great opportunity for us to be a part of a well-known organization - OWASP! My mentors Simon and Ricardo were great enthusiasts! Without them, the project wouldn't have been accomplished. Honestly, I have learnt a lot from them, especially from Ricardo. It would be great to see more projects in security. Also, it would be great to have research-based projects as well (maybe not funded).
Blay Kevin Cedric Achi successfully completed and continues to work on the scope of the project deliverables.
Feedback from Blay: OWASP Code Sprint program is amazing because it helped me to work a lot, learn new things and work with amazing, passionate and influential people (Simon and Ricardo 😊). Also, it is important for students to work sometimes on community projects.
Students: Sourav Badami, Mohit Anand, Raghav Jajodia and Siddharth Goyal
Sourav Badami successfully implemented: Travis CI integration (#286); Vagrant development server implementation (#258); internationalization and localization (#351, #353); Chinese translation integration (#358); French translation integration (#351, #353); German translation integration (#371); code compression on the production site (TBD); reformatting of the code base to pass the new linter definition (#364); a debug toolbar (#430); speed improvements (#443); redesigned application home (#445); an embedded script to report a bug from any website (#454); revamped add-issue page (#455); a new issues page for adding issues, with corresponding tests (#338); minor fixes (#335, Bugheist/extension#1, #409, #431, #440, #451, #453, #456); improved activity strips with carded design and hover effect (#506); redesigned bug hunt page form for consistency (#516); redesigned homepage, re-positioning the featured website block and leaderboard section (#532); redesigned change password form (#538); redesigned login form (#542); homepage designed from the final mockup (#549); optimised and reformatted codebase (#567).
Feedback from Sourav: Amazing experience to work with Sean! Worked mostly in the backend to improve the codebase in terms of tests and code readability. In all, didn't get bored at all :)
Mohit Anand successfully added: gamification of bugheist.com by providing badges (Gold, Silver, Bronze); user profiles that include information on the types of bugs found; comment add, delete and edit without refresh, with a confirm before deleting a comment and a cancel button when editing; tagging users in comments, with tagged users notified by email; reply to a comment; a chart in /domain; follow/unfollow a user; upvote an issue; notifications when an issue is liked and when someone follows a profile; searching users with "user:", issues with "issue:" and domains with "domain:<domain_name>"; lists of users following you and users you are following; a model of likers; a regex for domain validation during domain edit (#562); handling of empty description and domain while editing; pagination buttons at the top of pages; and protection against XSS attacks (#563).
Feedback from Mohit: My first open source experience. Learnt a lot about Django and other technologies. Would love to keep contributing to the source.
Raghav Jajodia successfully added: a search feature for issues/bugs; a search feature for users and domains; improved design for allauth pages; a copy-to-clipboard feature; improvements to avatar upload; pagination in required lists; header design; search integrated into the header; styling of the lightbox plugin; tiles for labels; open and closed issue counts for each user; more elegant flash messages; asynchronous issue update [Open <=> Close]; asynchronous issue edit; tabs in /domain; search by labels; improvement in check-for-duplicates; monthly summary on stats [monthly user signups]; popover for user details on the activity strip; issue type distribution in /domain; a pie chart for issue distribution in /stats; the ability to switch a domain to another domain; wiki updates with some internal code-style guidelines; revamped comments; a feature to "Bookmark" issues; listing bookmarks; listing followers and followings in tabs (/profile); an option to remove a bookmark; a fix for the Featured section.
Feedback from Raghav: I had a really amazing experience with OWASP and Bugheist. My 3 month long involvement with Bugheist improved my understanding of Django and Cyber security. I would love to see BLT grow as an open source project. We could further improve the repository by selectively opening proper issues and improving the PR reviewing method to prevent introduction of bugs and poor quality code to the repository.
Siddharth Goyal successfully added: responsive cards for errors; search functionality for labels; examples for all types of errors using the added label search; footer implementation (desktop); footer implementation (mobile); functionality to check for the bug domain in a report; a graph for stats on the number of bugs reported; bug reporting on mobile; work on the activity section; pagination for the company scoreboard; pagination of domain-specific issues; listing bugs by type on user profiles; new templates for emails; a colour fix for charts; issue-wise and domain-wise duplicate checks; a floating navbar for desktop/mobile; label-specific and open/closed listing of issues for users, with pagination; custom 404/500 pages.
Feedback from Siddharth: The OWASP Code Sprint 2017 program has been an absolute dream for me. The work and other people in the project have made a huge impact on my knowledge and understanding of Django, front-end and open source in general. I would love to further contribute to BLT. Also thanks to OWASP for this awesome opportunity.