Roxberry's OWASP Blog

Saturday, August 7, 2010

Here’s the tentative schedule I have for my stab at the ORG2 project:

  1. August 2010 – Prototyping, Envisioning, Backlog
    Using Flex 4, I’ve developed a capability app to make sure that the features I want to deliver are possible. I have been able to preview PDFs, generate PDFs from XML-based templates, read log files and a few other high-priority ideas. There are a few more exploratory ideas that I need to prototype, e.g. drag-and-drop report design to export to XML. Then I will revise my UI vision, throw anything that cannot be done quickly but is not mission critical into the backlog and get cranking on the Shell.
  2. September 2010 – Shell Development Phase 1, release to select OWASP folks for initial impressions.
    Get a Shell out for look and feel.  Get it set up to work with a provider model.
  3. October 2010 – Provider Development Phase 1
    Start to convert the original ORG stuff.
  4. November 2010 – Community Preview, Open up development to contributors
    Depending on our progress in the previous 3 sprints, open up to the public and start a feedback loop (and contribution loop).
  5. December 2010 – Alpha Release, KB/Training materials
    When we have something that is usable, start the promotion cycle.

Stay tuned!

Thursday, July 23, 2009

ORG2 currently lives at Google Project Hosting:

The vision:

ORG2 will be a reporting tool that sets the standard for reporting tools.

I spend a great deal of time when I put together reports, proposals and documentation in general. I believe that documentation is one of the most important tasks we do as professionals and a reflection on our professionalism. Because of this, I will invest the time to seek out the best of class documents, or the industry standard template.

For example, when I started out as a software developer I was asked to produce a design document. First question that I asked was, what is the standard? Does the company that requested the design use a standard template? At the time, no, there was no standard at the company. So my next step was to look beyond the company. Using the power of the internets I found several decent documents and proposals. Some of these documents seem to follow a pattern and I was able to narrow my search to find that pattern. Turns out IEEE 830 is the pro forma standard and so it became my source. I tailored it for the company and my timeline, but I at least had some idea of what proposals and designs could include.

That was over a decade ago.

Today, I have a folder of templates that I use to maintain my professional standard. I have comprehensive Technical Design Document templates, templates for Executive Summaries, Threat Models, Analysis Results and other business forms. I have various disparate applications that I use to create documents and reports. Beyond my personal process, my clients have similar needs and similar “organization” techniques and challenges.

A little better for sure, but not optimal.

I see ORG2 as an opportunity to create an optimal tool for documentation to replace my manual, inefficient method.

The vision is to create a Reporting Framework with components for specialized data collection, comprehensive reporting libraries, checklists, knowledgebases, visualization tools, wikis, notetaking and collaboration tools. More detail and brainstorming on each of these areas will follow this blog.

On top of this framework, “Report Providers” will be created and can be plugged in for specialized documentation. For our first report provider, we will rebuild the Penetration Tester tool produced in the original ORG application as a proof of concept.

We hope to continue to use the framework to develop other report providers for OWASP. We are looking at Secure Development Lifecycle documentation and potential for an SDL Report Provider. Beyond OWASP, the ORG can be leveraged for a myriad of reporting and documentation needs and it’s my hope that ORG will be the gold standard of documentation tools.

Pie in the sky, overambitious, maybe. Potential for a great tool, definitely. I can’t wait to see this come to life.

Saturday, March 7, 2009

Hi everyone, I'm putting a call out for any .NET security content to add to the OWASP .NET project site. What is everyone's current .NET security concern or challenge? Is it a matter of sorting through resources or the lack thereof, lack of tooling, or communication to stakeholders? I've seen increased activity in client concerns; not sure if the economy has people more security conscious or what, but I would be interested in your observations.

I have a few items that I've been tracking:

ASP.NET MVC Security - Securing Controller Actions

Silverlight Security - Security Guidance for Writing and Deploying Silverlight Applications

I'm interested in assurance of security controls and real world testing of these platforms. If anyone has related information or has other topics of interest, let me know.

I've been heads down on a few projects and hope to contribute some primary research to the project soon. Specifically, I'm doing some SharePoint security reviews and best-practice checklists that may be of interest to this group. Office Small Business Live is also on my radar, as it is SharePoint and allows developers to create business applications in .NET, but lives in the "cloud". What concerns do we have for cloud computing?

On a formatting note, I will also be tabifying the .NET project page, like OWASP ESAPI. I expect to see a lot of the OWASP primary project pages adopt the tabification.

Monday, September 8, 2008

Scheduled for 10/16 and 10/17 this year, the thrust of the Fall session is the Security Development Lifecycle:

Microsoft BlueHat Security Briefings

What is BlueHat?

BlueHat is a twice a year, by-invitation-only Microsoft security conference aimed at bringing Microsoft security professionals and external security researchers together in a relaxed environment to promote the sharing of ideas and social networking. BlueHat is a cutting-edge conference aimed at improving the security of Microsoft products. BlueHat continuously seeks out new and innovative material, highlighting important emergent technologies, techniques, and industry best practices.

  • Vulnerability economy
  • Web application security
  • Mobile/Wireless devices
  • Crimeware
  • Penetration testing and fuzzing
  • Architecture flaws
  • Network design and compromise
  • Reverse engineering
  • Exploit development
  • Intrusion prevention
  • Cryptography
  • Lions and tigers and bears