Thursday, July 23, 2009

ORG2 currently lives at Google Project Hosting:

The vision:

ORG2 will be a reporting tool that sets the standard for reporting tools.

I spend a great deal of time when I put together reports, proposals and documentation in general. I believe that documentation is one of the most important tasks we do as professionals and a reflection on our professionalism. Because of this, I will invest the time to seek out the best of class documents, or the industry standard template.

For example, when I started out as a software developer I was asked to produce a design document. The first question that I asked was, what is the standard? Does the company that requested the design use a standard template? At the time, no, there was no standard at the company. So my next step was to look beyond the company. Using the power of the internets I found several decent documents and proposals. Some of these documents seemed to follow a pattern and I was able to narrow my search to find that pattern. Turns out IEEE 830 is the pro forma standard and so it became my source. I tailored it for the company and my timeline, but I at least had some idea of what proposals and designs could include.

That was over a decade ago.

Today, I have a folder of templates that I use to maintain my professional standard. I have comprehensive Technical Design Document templates, templates for Executive Summaries, Threat Models, Analysis Results and other business forms. I have various disparate applications that I use to create documents and reports. Beyond my personal process, my clients have similar needs and similar “organization” techniques and challenges.

A little better for sure, but not optimal.

I see ORG2 as an opportunity to create an optimal tool for documentation to replace my manual, inefficient method.

The vision is to create a Reporting Framework with components for specialized data collection, comprehensive reporting libraries, checklists, knowledgebases, visualization tools, wikis, notetaking and collaboration tools. More detail and brainstorming on each of these areas will follow this blog.

On top of this framework, “Report Providers” will be created and can be plugged in for specialized documentation. For our first report provider, we will rebuild the Penetration Tester tool produced in the original ORG application as a proof of concept.

We hope to continue to use the framework to develop other report providers for OWASP. We are looking at Secure Development Lifecycle documentation and potential for an SDL Report Provider. Beyond OWASP, the ORG can be leveraged for a myriad of reporting and documentation needs and it’s my hope that ORG will be the gold standard of documentation tools.

Pie in the sky, over ambitious, maybe. Potential for a great tool, definitely. I can’t wait to see this come to life.

Saturday, March 7, 2009

Hi everyone, I'm putting a call out for any .NET security content to add to the OWASP .NET project site. What is everyone's current .NET security concern or challenge? Is it a matter of sorting through resources or lack thereof, lack of tooling, communication to stakeholders? I've seen increased activity in client concerns, not sure if the economy has people more security conscious or what, but I would be interested in your observations.

I have a few items that I've been tracking:

ASP.NET MVC Security - Securing Controller Actions

Silverlight Security - Security Guidance for Writing and Deploying Silverlight Applications

I'm interested in assurance of security controls and real world testing of these platforms. If anyone has related information or has other topics of interest, let me know.

I've been heads down on a few projects and hope to contribute some primary research to the project soon. Specifically, I'm doing some SharePoint security reviews and best practice checklists that may be of interest to this group. Office Small Business Live is also on my radar as it is SharePoint and allows developers to create business applications in .NET, but lives in the "cloud". What concerns do we have for cloud computing?

On a formatting note, I will also be tabifying the .NET project page, like OWASP ESAPI. I expect to see a lot of the OWASP primary project pages adopt the tabification.