OWASP Projects Spring 2009 Self Update
Survey fields (each response below is listed field by field, in this order):

Timestamp
What is your name and email address?
Who are you?
What is the name of your project?
Project Type
Project Home Page
Mailing List
License
Related Projects
Is the project actively maintained?
What is the latest version of your project?
When was this latest version released (if applicable)?
Availability
Availability Link
Availability Explanation
Project Sponsors
Would you be interested in the OWASP Global Projects Committee considering your project for an industry sponsorship?
If not, what is the reason that you do not wish to be considered for industry partnership?
What is the current quality level of the project?
Quality Rating
Quality Explanation
Usability Rating
Usability Explanation
Usage Rating
Usage Explanation
Relevance Rating
Relevance Explanation

Timestamp: 3/19/2009 5:45:13
Name/email: christian.heinrich@owasp.org
Who: Project Owner
Project: Google Hacking
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-google-hacking
License: Apache License 2.0
Related projects: Can you please clarify if you are seeking relationships to other OWASP Projects or other projects within the webappsec community? Google is revoking the SOAP Search API late August 2009, i.e. http://googleajaxsearchapi.blogspot.com/2009/03/google-code-labs-and-soap-search-api.html
Latest version: PoC v0.1
Released: Closed Release to Reviewer - Public Release at OWASP EU, 5th CONFidence and BlackHat USA/DefCon
Availability: Google Code (tools)
Availability link: http://code.google.com/p/dic/
Interested in industry sponsorship: No
Reason if not: Prior to OWASP USA Conference 2008, Google approached Tom Brennan to explain the intent of this project and he deliberately kept me at arm's length by refusing to provide their contact information, so I was unable to leverage their initial contact to discuss sponsorship.
I doubt Google would sponsor this now due to deprecating their SOAP Search API.
Quality level: Beta
Quality rating: 4
Quality explanation: The quality at the moment is down due to the inclusion of new features, but it is increasing due to the following in the SDL:
1. Refactoring the Perl code.
2. Incorporating perltidy and the Perl::Critic CPAN module.
3. Incorporating POD.
Usability rating: 3
Usability explanation: It is used from the command line.
The Google SOAP Search API is limited to Search Result 1 to 1000.
Usage rating: 1
Usage explanation: Use is limited to Closed Alpha and Beta Testers. I expect this to increase after OWASP European Conference and 5th CONFidence.
Relevance rating: 10
Relevance explanation: "Download Indexed Cache" is an implementation of the Search Engine Discovery/Recon section of the OWASP Testing Guide v3, which is a superior methodology to the GHDB maintained by Johnny Long.

Timestamp: 3/19/2009 7:52:35
Name/email: Achim ah@securenet.de
Who: Project Owner
Project: EnDe
Type: Tools
Home page: https://www.owasp.org/index.php/Category:OWASP_EnDe
Mailing list: mailto:owasp-ende-project@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Related projects: http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
Actively maintained: Yes, the project is actively maintained.
Latest version: 0.1.59
Released: 2/16/2009
Availability: currently on its own domain
Availability link: http://ende.my-stp.net/
Interested in industry sponsorship: No
Reason if not: The main usage area -as far as I know- is pentesting web applications. Sometimes it helps me configuring WAFs. However, it's useful for educational purposes to demonstrate to developers how and why things go wrong.
In that area I don't see an "industrial usage". But I'm open to change my mind here :)
As the tool also offers an API to all its internal functions, I can imagine using it in real web applications. I can imagine to build something like an
If anyone (industry partner) is interested to drive in that direction, you're welcome.
Quality level: Alpha
Quality rating: 7
Quality explanation:
+ ready to use, just click
+ full online documentation
+ huge support of codings
+ browser tool, runs anywhere (remote from server, local from file system)
+ API available
- API not yet fully tested (lack of contributors)
- API design needs to be improved (need some ideas from real world usage)
Note according "Alpha quality":
I've chosen alpha 'cause not all OWASP Project Assessment criteria are fulfilled. IMHO the code is release quality, at least beta.
Usability rating: 8
Usability explanation:
+ ready to use, just click
+ platform-independent
- non-W3C-compliant and/or non-ECMA-compliant browsers are not well supported
Usage rating: 2
Usage explanation: Most people, in particular those not yet ensnared in webappsec, don't understand the purpose and hence the usage of the tool 'cause they often don't understand what coding/hashing/crypting is used for and which problems it solves.
Relevance rating: 5
Relevance explanation: Should have rated low, 'cause it's not widely used.
Should have rated high 'cause it's very useful for pentesters and people analyzing "obfuscated" traffic and data (WAF, forensics, etc.).
If people understand how coding works in the webappsec area, and what the dragons are there, and where coding (input and/or output) should --better: has to-- take place, then I'd tend to 10 (at least 'til someone has a functionally comparable tool).

Timestamp: 3/19/2009 9:55:04
Name/email: Andrew Petukhov <petand@lvk.cs.msu.su>
Who: Project Owner
Project: Access Control Rules Tester
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_Access_Control_Rules_Tester_Project
Mailing list: owasp-access-control-rules-tester-project@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Related projects: OWASP WebScarab. AcCoRuTe depends on WebScarab as a library.
Actively maintained: I do not know what "actively" is. I am going to move it from Beta to Release.
Latest version: Beta,
Availability: Code (tools)
Availability link: http://code.google.com/p/accorute/
Sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 3
Quality explanation: As for now, much training is needed to start using this tool. Besides, the process of building sitemaps is cumbersome.
1. Implement GUI.
2. Automate navigation by incorporating a web spider into the tool. As for now, a third-party spider is used.
3. Implement support for anti-automation (CAPTCHA processing with operator's assistance) and multi-step logins (i.e. one-time passwords and so on).
In fact I insist that the real value of Beta Quality AcCORuTe is its added scientific value. I'd split the overall value of the deliveries into 60% value of the method, and 40% its implementation.
What's really new is a method for a complete web application traversal. Previous works viewed a web application as a graph, but this project views a web application as a state transition system.
Usability rating: 2
Usability explanation: See above. The user requires much time and effort to collect initial data for the tool to run upon.
Usage rating: 1
Usage explanation: There are no external links to this project and I haven't received any feedback.
Relevance rating: 7
Relevance explanation: There are no open source products that test access control flaws. Scientific papers did not address this problem either.
Besides, I think that the developed method to test for access control inconsistencies should be integrated into the Testing Guide.

Timestamp: 3/19/2009 10:22:28
Name/email: Paolo Perego <thesp0nge@owasp.org>
Who: Project Owner
Project: Orizon Project
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
Mailing list: owasp-orizon@lists.owasp.org
License: GNU General Public License v3 (GPLv3)
Related projects: Owasp Code review Guide
Owasp Source Code Flaws Top 10
Actively maintained: Yes, the project is actively maintained.
Latest version: v1.0
Released: 2009-03-18 v1.15.f
Availability: SourceForge (tools)
Availability link: http://orizon.sourceforge.net
Sponsors: Spring of Code (2007), Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 4
Quality explanation: To raise the quality I have to work hard on analysis features and on documentation. These two are my top priority goals for this season of cleaning.
I plan to release a stable version (v1.20) for the next AppSec EU (with some functionalities available) and a more mature stable version (v1.40) later this year with further improvements.
I started recording some short screencasts; I'm considering the opportunity to start a podcast series on using Orizon.
Usability rating: 5
Usability explanation: Poor documentation helps you in issuing the commands. In the future it would be better documented how to use the engine and how to embed it in a web app.
Usage rating: 4
Usage explanation: Just by now Orizon can be used (without being embedded in a web app) standalone as a shell.
A command interpreter is spawned and you can interact with the engine.
To improve usability a fancy GUI has to be created, but this is a 2010 goal for the moment.
Relevance rating: 10
Relevance explanation: Well, Orizon aims to be a static (and in future hybrid) analysis tool that is:
* open source
* embeddable in other applications
* able to analyze source written in various languages (PHP, Java, COBOL, C and others)
* able to scan sources without the need to compile them!
For a lot of reasons (the most important to me is the last one), Orizon can be a cutting edge tool for a security specialist in the near future (like O2, e.g.).
The work that must be done is huge, but I think that Orizon is a tool the community will love... or at least, I hope so :-)

Timestamp: 3/19/2009 12:02:41
Name/email: Leo Cavallari <leocavallari@owasp.org>
Who: Project Owner
Project: ASDR
Type: Documentation
Home page: www.owasp.org/index.php/Category:OWASP_ASDR_Project
Mailing list: owasp-asdr-project@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP Honeycomb Projects (that should be replaced by ASDR)
Actively maintained: Yes, the project is actively maintained.
Latest version: 0.9
Released: 4/1/2008
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_ASDR_Project
Availability explanation: The alpha version of the ASDR book is available at OWASP in wikimedia format and at Lulu.com in PDF format.
Sponsors: Spring of Code (2007), Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 5
Quality explanation: ASDR contains 324 articles, some of them very mature but others only a draft or even just the title. The project's structure is well defined and what we need are some focused volunteers to review what is done and produce content for the remaining articles in order to raise the project to beta or release quality.
Usability rating: 10
Usability explanation: As it is to be the unique reference for webapp security at OWASP, we need to keep integrating with other guides (Testing, Devel, Review) and reference their articles at every OWASP project, instead of reinventing the wheel every time.
Usage rating: 7
Usage explanation: I believe it is highly used, since it can be used by every OWASP project that deals with security concepts and by security and IT professionals.
Relevance rating: 7
Relevance explanation: Even though it can be seen as an App Security Encyclopedia, it's much more than that once it is "a basic reference material when performing such activities as threat modeling, security architecture review, security testing, code review, and metrics".

Timestamp: 3/19/2009 13:15:26
Name/email: vanderaj@owasp.org
Who: Project Owner
Project: OWASP Developer Guide
Type: Documentation
Home page: http://www.owasp.org/index.php/Category:OWASP_Guide_Project
Mailing list: http://lists.owasp.org/mailman/listinfo/owasp-guide
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP Testing Guide
OWASP Code Review Guide
OWASP Top 10 2007
OWASP Application Security Verification Standard
Actively maintained: Yes, the project is actively maintained.
Latest version: http://www.owasp.org/index.php/Guide_Table_of_Contents
Released: 7/29/2005
Availability: Wiki, Lulu, PDF, Word
Availability link: http://www.owasp.org/index.php/Guide_Table_of_Contents
Availability explanation: The survey is not able to choose multiple options. All are hosted by OWASP except for the Lulu books. Please add Lulu and the other options and make the survey a multi-selection.
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 7
Quality explanation: The project is undergoing change from one state to another state. Those chapters are in flux and need help to finish them up to 3.0 Release Standards.
What could help? Industry funding or OWASP Grants to allow me to finish the project - it's just too huge to do as a part time thing.
More volunteers are also welcome, but I have only had two offers in the last two times at asking for help in the last twelve months. The quality of the submissions from these folks was also quite low, requiring extensive re-writes.
Usability rating: 10
Usability explanation: Available by many means
Widely used
Widely downloaded
Good structure and helpful to target audience.
Usage rating: 10
Usage explanation: I don't have access to the web site stats, but if you search for links to the Guide's home page from outside OWASP, it's one of the highest (I think second after the Top 10).
There's also over 500 internal links from inside owasp.org itself to the Guide, making it most likely one of the most hyperlinked documents.
Relevance rating: 7
Relevance explanation: The Developer Guide covers 95% of the things we look for day to day in reviews and in developing secure applications. There are heaps of things in it that most applications still do not do today.
The advice it gives could be improved, and there are controls that are missing, which is to be expected for a four year old document - things like click jacking and so on.

Timestamp: 3/19/2009 13:48:34
Name/email: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
Who: Project Owner
Project: Enigform
Type: Tools
Home page: https://www.owasp.org/index.php/Category:OWASP_OpenPGP_Extensions_for_HTTP_-_Enigform_and_mod_openpgp
Mailing list: Owasp-Enigform-and-mod-OpenPGP@lists.owasp.org
License: multiple licenses, multiple tools within project, all free
Related projects: gnu privacy guard
gpgme library
mozilla firefox
Actively maintained: Yes, the project is actively maintained.
Latest version: 0.5.0, and 1.2.1
Released: 3/15/2009
Availability: owasp, wiki.buanzo.org, mozdev.org, wordpress.org
Availability link: http://wiki.buanzo.org/index.php?n=Main.Wp-enigform-authentication
Availability explanation: The Firefox extension is hosted in the mozilla development site mozdev.org.
The wordpress extension is hosted in Wordpress' facilities.
The apache module is hosted on my own resources. I pay for a dedicated server every month. It makes no sense to waste resources from others (sf.net, google) when I have them myself.
Sponsors: Spring of Code (2007), Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 7
Quality explanation: It works great, but there are still lots of features in my head. Also, being the first beta release, the amount of community feedback will drive the project. In my country, a rating of 7 means "just ok!" :)
Usability rating: 8
Usability explanation: One guide is missing: web developers guide. Also, the protocol RFC is on its way.
Usage rating: 7
Usage explanation: It's an experimental research technology... no one ever implemented any PGP features on HTTP... today, it's FULLY usable (see the wordpress enigform authentication plugin as a proof of concept), and it's quite easy.
Relevance rating: 10
Relevance explanation: PGP + HTTP, do I need to say more? Never ever implemented or researched before.

Timestamp: 3/19/2009 14:09:09
Name/email: Ryan Barnett <rcbarnett@gmail.com>
Who: Project Owner
Project: ModSecurity Core Rules
Type: Documentation
Home page: http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Mailing list: owasp-modsecurity-core-rule-set@lists.owasp.org
License: GNU General Public License v3 (GPLv3)
Related projects: ModSecurity - Open Source WAF - www.modsecurity.org
OWASP - Securing WebGoat using ModSecurity (SoC Project)
Actively maintained: Yes, the project is actively maintained.
Latest version: None - this is a new project
Released: None - this is a new project
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Sponsors: Breach Security Labs
Interested in industry sponsorship: No
Reason if not: We are already sponsored by Breach Security Labs (www.breach.com).
Quality level: Alpha
Quality rating: 1
Quality explanation: I need to populate the project site with the Core Rules data. This will be happening soon, as we were waiting for the release of Core Rule Set (CRS) v1.6.2.
Usability rating: 1
Usability explanation: Same as above. This is a brand new project.
Usage rating: 1
Usage explanation: Same as above. This is a brand new project.
Relevance rating: 9
Relevance explanation: Using a WAF as an initial shield from reconnaissance, automated and known attacks is critical. It is also relevant for HTTP level auditing and virtual patching for identified issues. Industry regulations such as PCI also recommend WAF usage.

Timestamp: 3/19/2009 15:10:09
Name/email: stephen@twisteddelight.org
Who: Project Owner
Project: Java Project
Type: Documentation
Home page: http://www.owasp.org/index.php/Category:OWASP_Java_Project
Mailing list: java-project@lists.owasp.org
License: GNU General Public License v3 (GPLv3)
Related projects: ESAPI
Actively maintained: No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_Java_Project
Sponsors: Corsaire
Interested in industry sponsorship: Yes
Quality level: Unrated
Quality rating: 6
Quality explanation: The project is a wiki based collection of articles, rather than one complete document. The quality of each article varies considerably; some articles are release quality, having gone through peer review, others are incomplete as they stand.
Usability rating: 9
Usability explanation: Wiki based documentation project.
Usage rating: 4
Usage explanation: Unknown, since it is a documentation based project.
Relevance rating: 9
Relevance explanation: The information is very relevant to Java programmers.

Timestamp: 3/20/2009 0:27:57
Name/email: boberski_michael@bah.com
Who: Project Owner
Project: ASVS
Type: Documentation
Home page: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Mailing list: Owasp-Application-Security-Verification-Standard@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP Top Ten
OWASP Legal Project
Actively maintained: Yes, the project is actively maintained.
Latest version: Beta
Released: 12/5/2008
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Web_Application_Edition
Sponsors: Summer of Code (2008)
Interested in industry sponsorship: No
Reason if not: It is already co-sponsored by Aspect and Booz Allen.
Quality level: Beta
Quality rating: 10
Quality explanation: The ASVS team hardened ASVS as it is OWASP's first standard, to proceed cautiously.
Usability rating: 10
Usability explanation: Comments resulting from test-driving the standard on pilot security assessments, and comments collected from the community while working on the release draft, are not identifying any major changes either in approach or in detailed requirements.
Usage rating: 7
Usage explanation: There are a large number of organizations that are in the process of reviewing ASVS requirements in detail, working to figure out how to integrate ASVS security assessments into their SDLC. These insights are based on first-hand knowledge of civil US Government agencies, and indirect insight into other organizations.
Relevance rating: 10
Relevance explanation: It is the first and only standard in this space.

Timestamp: 3/20/2009 3:01:55
Name/email: Michael Coates <michael.coates@aspectsecurity.com>
Who: Project Owner
Project: AppSensor
Type: Documentation
Home page: http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
Mailing list: OWASP-AppSensor-Projec@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Latest version: 1.1
Released: 2/4/2009
Availability: OWASP Wiki (documentation)
Availability link: https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf
Sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 8
Quality explanation: The documentation project is a very solid release with its current information. I will be updating it again shortly and releasing version 1.2. This new version will include specific architecture notes and examples. I expect Version 1.2 to be a quality rating of 10.
In addition, in about 3 months I will be releasing an alpha version of the AppSensor tool. I have a tool working, but a little more work is needed.
Usability rating: 8
Usability explanation: It is a documentation guide intended to provide information for the reader. I think it is very usable and easy to read.
Usage rating: 9
Usage explanation: The AppSensor project is designed to be utilized by any size application. The concepts described by AppSensor are a necessary addition for any application concerned with security.
Relevance rating: 10
Relevance explanation: The concepts prescribed in AppSensor are not currently in widespread use. However, the threats facing applications are continuing to grow and the attackers are becoming more belligerent. It is time for applications to begin adopting a more defensive position.
Applications currently do not take any action to detect malicious users. The concept of AppSensor would add significant security enhancements to any application. By strategically recording attack events AppSensor can detect a malicious user that is probing for vulnerabilities. At this point AppSensor can take action against the user (such as locking the user's account) in order to protect the application from compromise.

Timestamp: 3/20/2009 12:33:50
Name/email: webgoat@owasp.org
Who: Project Owner
Project: WebGoat
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Mailing list: owasp-webgoat@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Actively maintained: Yes, the project is actively maintained.
Latest version: 5.2
Availability: google and sourceforge
Availability link: http://code.google.com/p/webgoat/
Sponsors: Aspect, Ounce, SANS, OWASP
Interested in industry sponsorship: No
Reason if not: Too much posturing and entitlement beliefs
Quality level: Release
Quality rating: 7
Quality explanation: Some known bugs, help is out of date, solutions are out of date, needs to incorporate defensive best practice in lesson plans
Usability rating: 7
Usability explanation: OWASP wiki is out of date, User guide is based on 4.0
Usage rating: 7
Usage explanation: over 600,000 downloads of webapp. I think google's number counter is skewed
Relevance rating: 7
Relevance explanation: Attacks could be improved

Timestamp: 3/20/2009 15:42:55
Name/email: Matthew Chalmers <matthew.chalmers@owasp.org>
Who: Project Owner
Project: Application Security Requirements
Type: Documentation
Home page: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project
Mailing list: owasp-appsec-requirements@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP_Secure_Software_Contract_Annex
Actively maintained: Active attempts to garner participation from mail-list subscribers have yielded no input/results. As 'interim' PM I have tried to contact the former PM to no avail. I have not yet had time to familiarise myself enough with the project templates & requirements to be able to update our pages. The OWASP project page templates/requirements, IMHO, are overly complicated and too general purpose. I have more available time now and am committed to giving the project a shot in the arm, including updating its wiki pages--that's why I'm doing this survey.
Latest version: n/a
Released: n/a
Availability: OWASP Wiki (documentation)
Availability link: https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project
Availability explanation: n/a
Interested in industry sponsorship: No
Reason if not: I do not believe this project would benefit from funding. It will benefit most from active contributions from a large group of volunteers from a variety of organisations involved with projects having security requirements.
Quality level: Unrated
Quality rating: 1
Quality explanation: Extremely few messages were exchanged on the mail-list before I took over--as if all the work was done by the PM only. The former PM created one single document (a file attached to the wiki page) that may have some salvageable content going forward but is no real basis for the project. I believe, but have no real support for it, that the people "involved" with the project are more looking to get answers than looking to provide them and, further, may not really understand project lifecycles or requirements to begin with. This project would benefit from an in-person discussion at a large OWASP event; unfortunately, I do not seem to be in the loop for advance notice of events.
This is a major source of contention for me personally, not just as a PM but as being generally involved with OWASP: events are not announced well enough in advance in order to get involved as a contributor rather than a consumer.
Usability rating: 1
Usability explanation: See Quality Explanation: There is the project page and one file attachment. It needs to be cleaned up and I am working on it.
Usage rating: 1
Usage explanation: It would be nice, in the first place, for PMs to have some easily gotten idea of the number of times their project pages have been accessed. I have to assume this project's usage is extremely low based on the content available and the very low number of mail-list subscriptions since I assumed ownership and the virtually nil traffic in the mail-list.
Relevance rating: 7
Relevance explanation: There has been much (relatively speaking) talk recently about different project lifecycles such as Agile but I haven't seen anything specifically mentioned about Requirements. I believe this project's intended product would benefit such "cutting edge" SDLCs the most as they tend to make the most assumptions and begin work the quickest. That being said, I firmly believe that most organisations are still following a more traditional waterfall methodology and Requirements is a major part of that.

Timestamp: 3/20/2009 15:56:33
Name/email: Dan Cornell dan@denimgroup.com
Who: Project Owner
Project: Sprajax
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project
Mailing list: owasp-sprajax@lists.owasp.org
License: GNU Lesser General Public License (LGPL v2)
Actively maintained: No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.
Released: 10/5/2006
Availability: Google Code (tools)
Availability link: http://code.google.com/p/sprajax/
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 2
Quality explanation: This was an early version of an AJAX testing application that was surpassed by commercial tools. It only supports testing Microsoft Atlas applications at the current time.
Usability rating: 2
Usability explanation: This was an early version of an AJAX testing application that was surpassed by commercial tools. It only supports testing Microsoft Atlas applications at the current time.
Usage rating: 2
Usage explanation: Because of the limited supported platforms (MS Atlas), there is not a tremendous amount of usage.
Relevance rating: 4
Relevance explanation: Because of the limited supported platforms (MS Atlas), there is not a tremendous amount of usage. However, some of the code for Sprajax could be extended to act as a general web application fuzzer.

Timestamp: 3/20/2009 16:07:20
Name/email: Dan Cornell dan@denimgroup.com
Who: Project Owner
Project: Open Review Project
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project
Mailing list: review-project@lists.owasp.org
License: No license - SaaS
Actively maintained: Yes, the project is actively maintained.
Latest version: Not applicable
Availability: https://owasp.fortify.com/
Availability link: https://owasp.fortify.com/
Availability explanation: Fortify provides access to their SCA technology via a SaaS platform. So the tool isn't downloadable - it involves submitting an open source project to be scanned.
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 8
Quality explanation: The software is in use but we have occasional issues with availability and some bugs in the implementation.
Usability rating: 7
Usability explanation: The web application is reasonably usable but some sections can be a little hard to figure out.
Usage rating: 5
Usage explanation: We have worked with a couple of 3rd open source projects such as Moodle. We have also worked with OWASP projects such as AntiSAMY.NET. Kuai has been working with higher education institutions to start running open source software commonly used in education through the service.
Relevance rating: 8
Relevance explanation: The project provides commercial-grade static analysis to open source projects.

Timestamp: 3/20/2009 19:30:48
Name/email: Chris Loomis cal9000tool@mac.com
Who: Project Owner
Project: CAL9000
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
Mailing list: http://lists.owasp.org/mailman/listinfo/owasp-cal9000
License: GNU General Public License v2 (GPLv2)
Related projects: LiveCD
Actively maintained: No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.
Latest version: 2
Released: 11/15/2006
Availability: Google Code (tools)
Availability link: http://owasp-code-central.googlecode.com/svn/trunk/labs/cal9000/
Availability explanation: zip file located at:

A copy of this zip file should be hosted at OWASP, as the digilantesecurity domain is about to expire and I will not be renewing it.
Sponsors: Autumn of Code (2006)
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 7
Quality explanation: Needs to be updated for use in current browsers.
Usability rating: 7
Usability explanation: Needs to be updated for use in current browsers.
Usage rating: 7
Usage explanation: At least 50,000 downloads to date, also included on the LiveCD.
Relevance rating: 7
Relevance explanation: Still handy for those who want to be able to test without having to install anything, though much of the functionality is redundant when compared to other OWASP tools.

Timestamp: 3/21/2009 9:18:58
Name/email: James Fisher james@dirbuster.sittinglittleduck.com
Who: Project Owner
Project: DirBuster
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-dirbuster
License: GNU Lesser General Public License (LGPL v2)
Actively maintained: Yes, the project is actively maintained.
Latest version: 0.12
Released: 1.0-RC1
Availability: SourceForge (tools)
Availability link: http://sourceforge.net/projects/dirbuster/
Availability explanation: Can't remember why I put it on sourceforge. Moving will require work, for which I see the end result not providing any extra benefit.
Sponsors: No Sponsor
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 9
Quality explanation: DirBuster is stable, well packaged, full featured. The only thing it is lacking is help pages and documentation, which I have started but never have the drive to finish!
Usability rating: 8
Usability explanation: DirBuster's interface is simple and in my opinion intuitive to use (but I would say that as I wrote it). Error messages inform the user of issues, while text box tips give examples of valid input for the fields.
The only issue involves people sometimes not knowing how to set some of the more advanced features. This situation could be improved if I publish some help files and FAQs etc.
Usage rating: 8
Usage explanation: This is a hard one to measure, but I guessed based on downloads, taking into account what the tool actually does, and the fact there are not many other tools that do the same thing. Those that do (or did in the case of JBroFuzz), often use the lists provided by DirBuster.

Download stats (month, downloads, bandwidth):

Mar 2009 * 752 11.6 GB
Feb 2009 733 12.2 GB
Jan 2009 806 15.2 GB
Dec 2008 892 17.0 GB
Nov 2008 981 18.6 GB
Oct 2008 1,108 21.3 GB
Sep 2008 934 17.6 GB
Aug 2008 1,126 21.4 GB

Hits on the update page (only ever once per day), which gives some indication of how often it is used, are about 1200 per month.
Relevance rating: 6
Relevance explanation: DirBuster performs a simple task very well (i.e. it produces very, very few false positives). I do not consider it to be cutting edge, but I think there will always be the requirement for dir and file brute forcing to try to find files and dirs that are not linked.

Timestamp: 3/22/2009 9:10:13
Name/email: Stephen Craig Evans <stephencraig.evans@gmail.com>
Who: Project Owner
Project: Securing WebGoat using ModSecurity
Type: Documentation
Home page: https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project
Mailing list: owasp-webgoat-using-modsecurity@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: WebGoat (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)
new OWASP ModSecurity Ruleset project (don't have link for it)
Actively maintained: Yes, the project is actively maintained.
Released: 11/29/2008
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/OWASP_Securing_WebGoat_using_ModSecurity_Project
Sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 8
Quality explanation: Please see the Project News section of the home page for references and discussion of this project: https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project
I probably spent 2/3 to 3/4 of my time from May until the end of November on this project.
I strongly believe it can go through another generation of development and perhaps Breach would be an industry sponsor. If so, I would love to do it.
Version 2.0 could improve on the work that I originally did on mitigating business logic flaws. I could develop pre-packaged modules (Lua scripts with instructions) that a network/sysadmin security type of person could more easily understand.
For example:
1. Password retry max / account lockout (14. Sublesson 4.2: Forgot Password)
2. "Static" parameter tampering: modifying read-only HTML values such as from check boxes and drop-down lists; similar to what part of the Secure Parameter Filter for IIS project does (http://www.gdssecurity.com/l/spf/) - (15. Parameter Tampering -> 15.1 Exploit Hidden Fields)
3. Role-based access control, including using SQL database calls (Sublesson 2.3: LAB: Role Based Access Control)
4. Concurrency flaws (Sublesson 7.2: Shopping Cart Concurrency Flaw)
Usability explanation:
- The wiki is a little disorganized (learning on the fly) and could use re-organization.
- Once OWASP documentation guidelines and standards are set, the Doc file and Lulu book should be modified to conform to them so that it will have the same look and feel as other OWASP documents.
Usage explanation: The project is starting to get noticed; check the references in the Project News section of the home page for references and discussion (Ryan Barnett, Ken van Wyk, Arshan D., etc.) of this project: https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project
- The project is ahead of its time; it's the first time a WAF has been programmed to mitigate business logic flaws.
- Probably 99% of ModSecurity users only use the core rulesets out of the box. Using a WAF for virtual patching hasn't taken off yet.
- Network/sysadmins that are in charge of a WAF are scared of programming and not smart enough :-) to figure out that they just have to go out and hire a developer to do a small amount of work.
Relevance rating: 10
Relevance explanation: It's the first time a WAF has been programmed to mitigate business logic flaws.
Perhaps using a WAF to do Virtual Patching will get a boost from this (per Ryan Barnett's BlackHat prezo).

Timestamp: 3/23/2009 14:57:50
Name/email: Matt Tesauro <mtesauro@gmail.com>
Who: Project Owner
Project: OWASP Live CD
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-live-cd-2008-project
License: CC Attribution ShareAlike for docs, GPL v3 for code
Related projects: OWASP Education Project
Actively maintained: Yes, the project is actively maintained.
Latest version: AustinTerrier-Feb2009
Released: 2/14/2009
Availability: Modules are on Google Code, ISO/VMs on separate site
Availability link: http://code.google.com/p/owasp-livecd-2008/
Availability explanation: The reason for splitting the repository into two places is that Google Code has a max file upload limit of 100 MB which won't work for an ISO image. Therefore, I put the individual modules up on Google Code and host the ISO and VM images on a host that I personally own.
Sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 10
Quality explanation: I've had several releases since the original Summer of Code 2008 release and have continually improved the release. The only work to be done is some fine tuning of the tools and more polished integration. Also, the Live CD has been used for several training classes at several conferences, which would seem to suggest it's fully baked.
Usability rating: 9
Usability explanation: Every effort has been made to make the tool very usable from startup on. The only reason I didn't give it a 10 is I do not have a formal published user guide.
Usage rating: 10
Usage explanation: As of March 7th 2009, some form of the OWASP Live CD has been downloaded 75,219 times. Just for the first seven days of March, 6,257 downloads of some form have occurred. By some form, I mean one of the ISO releases (Beta1, Beta2, SoC, Portugal or AustinTerrier) or one of the VM images (VMware or VirtualBox). Also, I've had approx. 888 GB of download bandwidth since the project started.
Relevance rating: 10
Relevance explanation: As of the AustinTerrier release (the current) all the tools were updated to the latest versions and several were either compiled from the latest available source or pulled from SVN.

Timestamp: 3/24/2009 10:40:11
Name/email: Rogan Dawes <rogan@dawes.za.net>
Who: Project Owner
Project: WebScarab
Type: Tools
Home page: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Mailing list: owasp-webscarab@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Related projects: OWASP-Proxy
Actively maintained: No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.
Latest version: A current version is always available
Released: A current version is always available
Availability: GIT on my personal site
Availability link: http://dawes.za.net/gitweb.cgi?p=rogan/webscarab/webscarab.git;a=summary
Availability explanation: I prefer to use git as a VCS due to its offline capability, speed and flexibility.
Now that SF is providing GIT hosting, I would be happy to push a copy of the repo there whenever I make any updates. This requires that the OWASP admins enable GIT hosting for the OWASP project.
Sponsors: Autumn of Code (2006)
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 9
Quality explanation: I think technically, it does what is required without any problems.
Usability rating: 7
Usability explanation: It could do with a thorough going over, particularly the User Interface. There are a number of things which are not intuitively obvious.
Usage rating: 8
Usage explanation: One of the oldest and most popular OWASP projects.
Relevance rating: 8
Relevance explanation: I think it is still very relevant, even though there are now more and more competing tools.

Timestamp: 3/24/2009 10:52:11
Name and email: Rogan Dawes <rogan@dawes.za.net>
Role: Project Owner
Project name: OWASP-Proxy
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Proxy
Mailing list: owasp-proxy-project@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Related projects: OWASP-WebScarab
Actively maintained: Yes, the project is actively maintained.
Latest version: A current version is always available
Released: A current version is always available
Availability: GIT on my personal site
Availability link: http://dawes.za.net/gitweb.cgi?p=rogan/owasp-proxy/owasp-proxy.git;a=summary
Availability explanation: I prefer to use git as a VCS due to its offline capability, speed and flexibility.

Now that SF is providing GIT hosting, I would be happy to push a copy of the repo there whenever I make any updates. This requires that the OWASP admins enable GIT hosting for the OWASP project.
Interested in industry sponsorship: Yes
Quality level: Unrated
Quality rating: 1
Quality explanation: The project is still very new, and is untested in the field
Usability rating: 4
Usability explanation: The project is still very new, and is untested in the field
Usage rating: 1
Usage explanation: The project is still very new, and is untested in the field
Relevance rating: 8
Relevance explanation: I think it is relevant as a component of new and innovative tools built on top of it.

Timestamp: 3/25/2009 14:29:27
Name and email: Carlo Pelliccioni <carlo.pelliccioni@gmail.com>
Role: Project Owner
Project name: Backend Security
Project type: Documentation
Project home page: http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project
Mailing list: owasp-backend-security@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: Testing Guide
Actively maintained: Yes, the project is actively maintained.
Latest version: 1.0 beta
Released: 11/3/2008
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 7
Quality explanation: The Backend Security is a beta project but several sections are very close to the release version. However there are 2/3 sections not adequate to the high OWASP standards.
Usability rating: 9
Usability explanation: The guide is composed of 183 pages. The project is focused on security development, security hardening and security testing, explaining step-by-step how to resolve security issues, so it is very useful to different kinds of IT professional figures.
Usage rating: 9
Usage explanation: The project is focused on security development, security hardening and security testing, explaining step-by-step how to resolve security issues, so it is very useful to different kinds of IT professional figures.
Relevance rating: 9
Relevance explanation: The main focus on the web application security is oriented on the backend field; the current version of the Backend Security Project collects information about DBMS security, but in the next version several sections about the LDAP components will also be added. So I think it will be a good point of reference for developers, testers and system integrators.

Timestamp: 3/26/2009 14:19:32
Name and email: alessio marziali <alessio.marziali@cyphersec.com>
Role: Project Owner
Project name: OWASP Code Crawler
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Code_Crawler
Mailing list: owasp-code-crawler(at)lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP Code Review Project
Actively maintained: Yes, the project is actively maintained.
Latest version: 2.1
Released: 3/1/2009
Availability: my website
Availability link: http://www.cyphersec.com/software_archive/OWASP_Code_Crawler.zip
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 8
Quality explanation: Has passed the BETA quality. Eoin Keary and Paulo Coimbra could confirm.
Usability rating: 9
Usability explanation: There is a two-week task to be completed.
Usage rating: 7
Usage explanation: It can scan .NET and JAVA, currently implementing PHP.
Relevance rating: 7
Relevance explanation: Sister project of Code Review.

Timestamp: 3/26/2009 23:15:49
Name and email: Federico Casani <f.casani@owasp.org>
Role: Project Owner
Project name: OWASP Learn About Encoding Project
Project type: Tools
Project home page: https://www.owasp.org/index.php/Category:OWASP_Learn_About_Encoding_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-learn-about-encoding
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Latest version: the project is very very young and it is still in "incubation"
Availability: Google Code (tools)
Availability link: http://code.google.com/p/learn-about-encoding/
Availability explanation: This is the future repo of code: it's empty now.
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 2
Quality explanation: This is a very very young project, now we cannot rate the quality of it.
Usability rating: 2
Usability explanation: This is a very very young project, now we cannot rate the usability of it.
Usage rating: 2
Usage explanation: This is a very very young project, now we cannot rate the usage of it.
Relevance rating: 2
Relevance explanation: This is a very very young project, now we cannot rate the relevance of it.

Timestamp: 3/30/2009 9:11:43
Name and email: Heiko Webers <42@bauland42.de>
Role: Project Owner
Project name: Ruby on Rails Security Guide
Project type: Documentation
Project home page: http://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2
Mailing list: OWASP-Ruby-on-Rails-V2@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Availability: OWASP Wiki, book, official Ruby on Rails site
Availability link: http://www.rorsecurity.info/the-book/
Availability explanation: The official Rails site wants its own corporate design
Project sponsors: Spring of Code (2007), Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 7
Quality explanation: There are still quite some topics I should cover so it would be a fully-fledged guide. However the content provided is good, helpful and more than just the basics.
Usability rating: 6
Usability explanation: We should get the standard vulnerability explanations in. It's hard to say which expert level you need for the understanding. The guide is problem-based though, which makes it highly usable in every-day programming life.
Usage rating: 7
Usage explanation: It is widely used by nearly every Rails programmer. It's the only security guide for Ruby on Rails.
Relevance rating: 8
Relevance explanation: The project is highly active and very wide-spread. Everyone who takes security seriously reads the book. It should be really kept up-to-date.

Timestamp: 3/31/2009 8:52:06
Name and email: Paolo Perego <thesp0nge@owasp.org>
Role: Project Owner
Project name: Owasp Source code flaws Top 10
Project type: Documentation
Project home page: http://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project
Mailing list: owasp-source-code-flaws-top-10@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: Owasp Code review guide, Owasp Orizon, Owasp Code crawler
Actively maintained: Yes, the project is actively maintained.
Latest version: none yet
Released: none yet
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/OWASP_Source_Code_Flaws_Top_10_Project_Index
Interested in industry sponsorship: Yes
Quality level: Unrated
Quality rating: 1
Quality explanation: I started this "little top 10" project last December and I'm working on it in the very little time Orizon leaves me... so we're quite at the beginning
Usability rating: 2
Usability explanation: The Top 10 index has been released but it can be improved with detailed description and source code that falls in the flaw's category
Usage rating: 10
Usage explanation: Potentially this Top 10 can be used by any Code review guide related project to describe how to organize code review findings.
Relevance rating: 8
Relevance explanation: I think that using classic Top 10 to organize findings is not enough and something specific to source code must be used instead.
Since code review is cutting edge in IT security field nowadays, I think that also those categories can be considered cutting edge as well.

Timestamp: 3/31/2009 16:51:00
Name and email: Juan C Calderon <johnccr@yahoo.com>
Role: Project Owner
Project name: OWASP Internationalization Project and OWASP Spanish Project
Project type: Documentation
Project home page: http://www.owasp.org/index.php/OWASP_Internationalization, http://www.owasp.org/index.php/OWASP_Spanish
Mailing list: owasp-spanish(at)lists.owasp.org, mailto:OWASP-Internationalization-Guidelines(at)lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP Internationalization Project and OWASP Spanish Project respectively
Actively maintained: Yes, the project is actively maintained.
Latest version: no version in general as documentation translated has its own version
Released: 9/15/2008
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/OWASP_Internationalization, http://www.owasp.org/index.php/OWASP_Spanish
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 7
Quality explanation: Most of the documentation is usable and working for current translation; we have faced no major issues during translations, but still the internationalization documentation does not consider all the major language families.
Usability rating: 10
Usability explanation: There are complete guidelines on how to make translations, and for the Spanish project there is a full document of considerations for the translation, including organization of a translation effort for this language.
Usage rating: 2
Usage explanation: Although there is interest from people from Brazil and France to start translations of the OWASP web site and documentation, there are no formal communities that use it and maintain it except for the Spanish one.
Relevance rating: 7
Relevance explanation: For OWASP, "spreading the word about application security" is its mission; having documentation and tools in native languages will definitely boost the adoption of them. Although many people on the internet know/speak English, and I think that producing new documentation and tools is more important than translating them.

Timestamp: 3/31/2009 17:01:34
Name and email: Juan C Calderon <johnccr@yahoo.com>
Role: Project Owner
Project name: OWASP Classic ASP Security Project
Project type: Tools
Project home page: http://www.owasp.org/index.php/Classic_ASP_Security_Project
Mailing list: OWASP-Classic-ASP-Security-Project(at)lists.owasp.org
License: BSD License
Related projects: OWASP Stinger Project, OWASP Enterprise Security API (ESAPI) Project, OWASP Code Review Project, OWASP Validation Documentation Project
Actively maintained: Yes, the project is actively maintained.
Latest version: Alpha version no release number
Released: 3/16/2009
Availability: OWASP Wiki (Tools)
Availability link: http://www.owasp.org/index.php/Classic_ASP_Security_Project
Availability explanation: Google Code repository has not yet been created so we are hosting on WikiPages as zip files
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 5
Quality explanation: Stinger version is actually beta level (not release just for lack of spread, but documentation is ready to release level). ESAPI implementation on the other hand is just Alpha level; ESAPI .NET could be used as alternative documentation given that the Classic ASP is based on it, though. Other changes to code review tool and code review guide are implemented on those documents/tools and correspond to its quality level.
Usability rating: 7
Usability explanation: Everything is fully functional and documented except for Classic ASP ESAPI; there is no installer for Classic ASP yet and we are lacking some specific documentation.
Usage rating: 2
Usage explanation: Given the novelty and maturity level it is not very used so far, but I expect a boom once it is at least in beta version and we start promoting it on forums
Relevance rating: 9
Relevance explanation: There is nothing like this for Classic ASP so far, not even from the vendor (MS); all the existing tools are very specific like SQL Injection Scanners, but there is no protection mechanism for such an old and widely used technology.

Timestamp: 3/31/2009 23:58:03
Name and email: mark.roxberry@owasp.org
Role: Project Owner
Project name: OWASP .NET
Project type: Documentation
Project home page: http://www.owasp.org/index.php/Category:OWASP_.NET_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-dotnet
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_.NET_Project
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: No
Reason if not: One of the tenets of the project is to provide objective information regarding the technology. Specifically, projects with research elements that are related to .NET will need to remain objective. Sponsorship may open up the project for conflict of interest.
Quality level: Release
Quality rating: 8
Quality explanation: The project has many articles and substantive, useful content. There are still placeholders for ongoing research and documentation. I consider this an expectation of the project as new technologies and areas of concern emerge.
Usability rating: 8
Usability explanation: OWASP .NET contains relevant documentation for all levels of web application and service security needs.
Usage rating: 5
Usage explanation: I do not have statistics or methodology and have not measured usage. This would be a great task for the project going forward.
Relevance rating: 8
Relevance explanation: OWASP .NET attempts to cover the gamut of the .NET web application and service space with best practice documentation to cutting edge research on emerging technologies.

Timestamp: 4/1/2009 10:35:00
Name and email: ferruh@mavituna.com
Role: Project Owner
Project name: netbouncer
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_NetBouncer_Project
Mailing list: owasp-netbouncer-project@lists.owasp.org
License: BSD License
Actively maintained: It's still in Beta stage, not actively maintained but planned to be completed within 6-12 months.
Availability: Google Code (tools)
Availability link: http://code.google.com/p/netbouncer/
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 3
Quality explanation: Some new *must* features need to be added
All features should be tested
Usability rating: 4
Usability explanation: Usage should be more developer friendly and hassle-free
Documentation should be updated according to the latest code changes
It should be *almost* bug-free otherwise developers won't use it
It should integrate itself with IntelliSense (VS.NET and maybe for SharpDevelop)
Usage rating: 1
Usage explanation: It's still in Alpha therefore hasn't been pitched anywhere yet.
Relevance rating: 9
Relevance explanation: It's a new and secure way to approach input validation by taking advantage of the advanced features of .NET Framework.

Timestamp: 4/1/2009 22:38:33
Name and email: giorgio.fedon@mindedsecurity.com
Role: Project Owner
Project name: Owasp Anti Malware
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Anti-Malware_Project
Mailing list: owasp-anti-malware@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Latest version: Will be released in May
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_Project#Alpha_Status_Projects
Project sponsors: Minded Security
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 3
Quality explanation: Still working on the project; the alpha version is going to be released at the end of the month.
Usability rating: 2
Usability explanation: This scorecard will be updated as soon as the main documents are released
Usage rating: 2
Usage explanation: This scorecard will be updated as soon as the main documents are released
Relevance rating: 8
Relevance explanation: Malware is very widespread; the aim of the project is to give to the industry guidelines to improve Web defense strategy against banking malware.

Timestamp: 4/2/2009 0:00:39
Name and email: matteo.meucci@owasp.org
Role: Project Owner
Project name: OWASP Testing Guide
Project type: Documentation
Project home page: http://www.owasp.org/index.php/Category:OWASP_Testing_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-testing
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP Development Guide Project, OWASP Code Review Project
Actively maintained: Yes, the project is actively maintained.
Latest version: v3
Released: January 2009
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_Testing_Project
Project sponsors: Autumn of Code (2006), Spring of Code (2007), Summer of Code (2008)
Interested in industry sponsorship: No
Reason if not: We already have a sponsor
Quality level: Release
Quality rating: 9
Quality explanation: First version of the Testing Guide came out in 2004.
Version 2 in 2006 (50 authors and 20 reviewers). Now we have the Testing Guide v3 that is the OWASP consolidated methodology for the Web Application Penetration Testing. Many organizations adopt this guide as a standard to verify the security of their applications.
Usability rating: 9
Usability explanation: We do a great brainstorming with the OWASP leaders and community to create a reference guide. Every control to test is fully described, and for each one we have the following standard template:

Brief Summary
Describe in "natural language" what we want to test. The target of this section is non-technical people (e.g.: client executive)

Description of the Issue
Short Description of the Issue: Topic and Explanation

Black Box testing and example
How to test for vulnerabilities:
Result Expected:
Gray Box testing and example
How to test for vulnerabilities:
Result Expected:
Usage rating: 9
Usage explanation: I do not have a statistic, but I surely know that the Testing Guide is downloaded by many, many users, and bought at lulu.com.
Relevance rating: 9
Relevance explanation: The OWASP Testing Guide is cited here:
- SANS Top 20 2007: http://www.sans.org/top20/?ref=1697#c1

- NIST “Technical Guide to Information Security Testing (Draft)”

- Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” - http://www.owasp.org/index.php/Podcast_5

- "Congratulations on version 2 of the OWASP Testing Guide! It is an impressive and informative document that will greatly benefit the software development community."
Joe Jarzombek, the Deputy Director for Software Assurance at Department of Homeland Security

- "You guys did a pretty good job and I will recommend this guide to anyone who is looking for learning about Web Application Security."
Petko D. Petkov (PdP Architect)

Timestamp: 4/2/2009 16:59:29
Name and email: Matthew Chalmers <matthew.chalmers@owasp.org>
Role: Project Contributor
Project name: OWASP Certification Project
Project type: Documentation
Project home page: https://www.owasp.org/index.php/Category:OWASP_Certification_Project
Mailing list: owasp-cert@lists.owasp.org
License: undecided
Related projects: OWASP Education Project, OWASP Career Development Project, OWASP Certification Criteria Project, bits and pieces of others
Actively maintained: PM instructed at OWASP Summit to pause project to consider licensing aspects.
Latest version: n/a
Released: n/a
Availability: Wiki plus test delivery methods.
Availability link: https://www.owasp.org/index.php/Category:OWASP_Certification_Project
Project sponsors: Spring of Code (2007)
Interested in industry sponsorship: No
Reason if not: Probably do not want to appear anything other than completely vendor-neutral.
Quality level: Unrated
Quality rating: 1
Quality explanation: Still really in a 'brainstorming' and discussion mode. Nothing has really been set in stone. Still struggling with how to keep things "open" in the spirit of OWASP without jeopardising test integrity.
Usability rating: 1
Usability explanation: We have some of our ideas posted on the wiki but it should be understood nothing is set in stone.
Usage rating: 1
Usage explanation: The project deliverables (tests) do not exist therefore there is no usage possible yet.
Relevance rating: 8
Relevance explanation: Few if any other similarly specialised certifications available in industry.

Timestamp: 4/8/2009 23:05:13
Name and email: Eduardo Neves <eduardo.neves@owasp.org>
Role: Project Owner
Project name: Positive Security
Project type: Documentation
Project home page: http://www.owasp.org/index.php/Category:OWASP_Positive_Security_Project
Mailing list: owasp-positive-security-project@lists.owasp.org.
License: None yet
Related projects: OWASP Corporate Application Security Rating Guide
Actively maintained: Yes, the project is actively maintained.
Latest version: 0
Released: Never
Availability: OWASP Wiki (documentation)
Availability link: https://www.owasp.org/index.php/Positive_Security_Project
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Unrated
Quality rating: 1
Quality explanation: Should be updated in the next months; the plan is to get everything ready by the end of 2009.
Usability rating: 1
Usability explanation: Should be updated in the next months; the plan is to get everything ready by the end of 2009.
Usage rating: 1
Usage explanation: Should be updated in the next months; the plan is to get everything ready by the end of 2009.
Relevance rating: 5
Relevance explanation: Should be updated in the next months; the plan is to get everything ready by the end of 2009. When ready, the content should be very useful for the community.

Timestamp: 4/19/2009 18:04:17
Name and email: Bedirhan Urgun
Role: Project Owner
Project name: SqliBench
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Sqlibench_Project
Mailing list: mailto:owasp-sqlibench-project@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Actively maintained: No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.
Released: 9/28/2009
Availability: Google Code (tools)
Availability link: http://code.google.com/p/sqlibench/
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: No
Quality level: Beta
Quality rating: 6
Quality explanation: I think the quality of the documents produced is sufficient.
Usability rating: 7
Usability explanation: -
Usage rating: 3
Usage explanation: -
Relevance rating: 6
Relevance explanation: sqli will lose its importance as time passes; however, there are tons of sqli data extractor tools and they need to be benchmarked.

Timestamp: 4/19/2009 18:59:56
Name and email: eoin.keary@owasp.org
Role: Project Owner
Project name: Code review guide
Project type: Documentation
Project home page: http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
Mailing list: Owasp-codereview@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: Code Crawler, Orizon
Actively maintained: Yes, the project is actively maintained.
Latest version: 1.1
Released: 3/20/2009
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
Availability explanation: It's available
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 8
Quality explanation: Need to align with ASVS and add more content.
Usability rating: 8
Usability explanation: Usable and good feedback on this.
Usage rating: 7
Usage explanation: 2nd best seller in 2008
Relevance rating: 9
Relevance explanation: Very, as SDLC is more and more prominent

Timestamp: 4/20/2009 1:59:12
Name and email: Michael Scovetta <michael.scovetta@gmail.com>
Role: Project Owner
Project name: Yasca
Project type: Tools
Project home page: www.yasca.org (or http://www.owasp.org/index.php/Category:OWASP_Yasca_Project)
Mailing list: owasp-yasca-project@lists.owasp.org
License: BSD License
Related projects: OWASP Orizon Project, OWASP Code Review Project, OWASP Open Review Project
Actively maintained: Yes, the project is actively maintained.
Latest version: 2.0 (beta 1)
Released: 4/12/2009
Availability: SourceForge (tools)
Availability link: http://sourceforge.net/projects/yasca/
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 7
Quality explanation: The project still requires a bit of "brush up" in terms of embedded documentation for plugins (shown to normal users) and testing on more platforms.
Usability rating: 7
Usability explanation: There is a slightly dated user guide and information on the wiki, but a full developer's guide has not yet been produced.
Usage rating: 7
Usage explanation: The project is mainly geared towards developers and mature organizations that can implement the tool within their SDLC. It is not "point and click" and requires a bit of context-specific knowledge.
Relevance rating: 9
Relevance explanation: Open source static analysis is on the forefront, and Yasca contributes to this space by addressing the "low hanging fruit"-style vulnerabilities, as well as serving as an aggregator for other tools to produce a common output file.

Timestamp: 4/20/2009 2:08:08
Name and email: Jeff Williams
Role: Project Owner
Project name: ESAPI
Project type: Tools
Project home page: http://www.owasp.org/index.php/ESAPI
Mailing list: mailto:owasp-esapi@lists.owasp.org
License: BSD License
Actively maintained: Yes, the project is actively maintained.
Latest version: 1.4
Released: 11/2008
Availability: Google Code (tools)
Availability link: http://code.google.com/p/owasp-esapi-java/
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 10
Quality explanation: PMD, FindBugs, Ounce, Fortify, SwingSet, tested
Usability rating: 6
Usability explanation: Book started, SwingSet
Usage rating: 3
Usage explanation: Decent publicity, not a lot of real use yet
Relevance rating: 10
Relevance explanation: Standard controls take much of the software security burden off of developers

Timestamp: 4/20/2009 2:26:18
Name and email: Jeff Williams <jeff_williams@aspectsecurity.com>
Role: Project Owner
Project name: Legal
Project type: Documentation
Project home page: http://www.owasp.org/index.php/Legal
Mailing list: none
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Legal
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 10
Quality explanation: Fully copied by SANS and the State of NY
Usability rating: 10
Usability explanation: Has a built-in tailoring guide.
Usage rating: 3
Usage explanation: I believe this is the leading appsec contract language anywhere. However, there doesn't seem to be much demand for such a thing...yet.
Relevance rating: 10
Relevance explanation: Everyone seems to think this is something that people need.

Timestamp: 4/20/2009 2:32:15
Name and email: Jeff Williams <jeff.williams@aspectsecurity.com>
Role: Project Owner
Project name: Top Ten
Project type: Documentation
Project home page: http://www.owasp.org/index.php/topten
Mailing list: owasp-topten@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Latest version: 2007
Released: 4/1/2007
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/topten
Interested in industry sponsorship: No
Reason if not: Too political
Quality level: Release
Quality rating: 10
Quality explanation: in wide use
Usability rating: 10
Usability explanation: in wide use
Usage rating: 10
Usage explanation: in wide use
Relevance rating: 7
Relevance explanation: the usefulness of top ten lists is waning, but still critical for organizations just getting started

Timestamp: 4/21/2009 15:55:29
Name and email: ah@securenet.de
Role: Project Contributor
Project name: Best Practices: Use of Web Application Firewalls
Project type: Documentation
Project home page: https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
Mailing list: owasp-firewalls-project@lists.owasp.org
License: CC 2.0
Actively maintained: Yes, the project is actively maintained.
Latest version: 1.0.2
Availability: OWASP Wiki (documentation)
Availability link: https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
Interested in industry sponsorship: No
Reason if not: the project is about comparing products (WAF), hence any sponsorship needs not be related to a vendor (even some have contributed to the paper)
Quality level: Release
Quality rating: 10
Quality explanation: it's a white paper
Usability rating: 10
Usability explanation: it's a white paper
Usage rating: 6
Usage explanation: it's a white paper
Relevance rating: 10
Relevance explanation: it's a white paper

Timestamp: 4/26/2009 6:32:29
Name and email: Pravir Chandra <chandra@owasp.org>
Role: Project Owner
Project name: OWASP CLASP Project
Project type: Documentation
Project home page: http://www.owasp.org/index.php/CLASP
Mailing list: owasp-clasp@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: SAMM Project
Actively maintained: Yes, the project is actively maintained.
Latest version: 2
Released: 2005
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/CLASP
Interested in industry sponsorship: No
Reason if not: CLASP isn't under active development anymore since the last release
Quality level: Beta
Quality rating: 10
Quality explanation: The last release was professionally edited and reviewed by a tech writer. It was released as a free commercial methodology before it was open sourced and donated to OWASP.
Usability rating: 9
Usability explanation: It's assembled and organized and complete in terms of the content it set out to define.
Usage rating: 7
Usage explanation: While not directly being used right out of the box, CLASP is well known in the industry and is well referenced and reviewed.
Relevance rating: 7
Relevance explanation: It's been out for a while so it's a bit dated in its approach, yet still very applicable. Projects like SAMM reflect more modern-day thinking on the subject, however.

Timestamp: 4/26/2009 6:42:18
Name and email: Pravir Chandra <chandra@owasp.org>
Role: Project Owner
Project name: Software Assurance Maturity Model (SAMM) Project
Project type: Documentation
Project home page: http://www.owasp.org/index.php/SAMM
Mailing list: samm@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Related projects: OWASP CLASP Project
Actively maintained: Yes, the project is actively maintained.
Latest version: 1
Released: 3/20/2009
Availability: download PDF from opensamm.org
Availability link: http://www.opensamm.org
Availability explanation: I needed a standalone site to gain such features as project-specific RSS feeds and greater control of content and layout than mediawiki on owasp.org could provide.
Project sponsors: Fortify
Interested in industry sponsorship: Yes
Quality level: Unrated
Quality rating: 10
Quality explanation: The latest release (1.0) marked the transition from the SAMM beta release. It's been reviewed by experts and it's ready for use.
Usability rating: 10
Usability explanation: Special care was given to ensuring the materials flowed well and that content was easily understandable and accessible in the latest release.
Usage rating: 3
Usage explanation: SAMM is still very new, and while there's been pockets of buzz about it, it's still a bit far from being in wide use.
Relevance rating: 10
Relevance explanation: This represents the modern-day thinking on building security into the software development process.

Timestamp: 4/27/2009 12:24:01
Name and email: marcin@owasp.org
Role: Project Reviewer
Project name: AntiSamy .NET Project
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-antisamy
License: BSD License
Related projects: OWASP AntiSamy Project

AntiSamy.NET was a direct port of the Java version of AntiSamy to .NET (C# language)
Actively maintained: Yes, the project is actively maintained.
Latest version: r93 in Google Code
Released: 3/15/2009
Availability: Google Code (tools)
Availability link: http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 10
Quality explanation: The original, Java version of AntiSamy has a "release" level quality, and my project's .NET version fully implements all of the existing functionality of that release. We have performed unit testing throughout our development, and the project has passed every single test. In addition, there is a working implementation hosted on www.antisamy.net, which allows users to perform their own testing.
Usability rating: 9
Usability explanation: There is a full, automatically generated documentation guide in CHM format available in the repository that includes all Class and Method docstrings describing their usage, input, and output parameters.
Usage rating: 8
Usage explanation: Usage of AntiSamy.NET in production applications is unknown; however, we do know some rough estimates for the Java version, and I based my rating on those numbers.
Relevance rating: 10
Relevance explanation: There are many business reasons for accepting HTML input, and the past mantra of "entity output encoding all user input" cannot be applied. Many sites have legitimate reasons for accepting HTML formatted content, and using a library like AntiSamy allows them to do so safely, without reinventing the wheel and experiencing the same mistakes again and again. AntiSamy provides developers and businesses a solution, with a friendly license (BSD) for immediate adoption in their project. Time to implement is minimal, and from our experience, the policy file takes the longest to create, as it defines what HTML content it will accept, and which it will reject.

Timestamp: 4/27/2009 20:05:30
Name and email: Christian Martorella
Role: Project Owner
Project name: WebSlayer
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Webslayer_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project
License: GNU Lesser General Public License v3 (LGPLv3)
Actively maintained: Yes, the project is actively maintained.
Latest version: Beta
Released: 11/1/2008
Availability: Google Code (tools)
Availability link: http://code.google.com/p/webslayer/
Project sponsors: www.edge-security.com
Interested in industry sponsorship: No
Reason if not: I would like www.edge-security.com to be the sponsor of the tool.
Quality level: Alpha
Quality rating: 8
Quality explanation:
- GUI
- Full options available
- Fully working
- Win32 executable, OS X and Linux source code
Usability rating: 5
Usability explanation:
- Improve documentation with examples
- Cover all possible use cases
- Document the payload generation
Usage rating: 7
Usage explanation: The tool is aimed to cover all possible brute forcing scenarios, from directory and file discovery, password cracking to parameter brute forcing.
Relevance rating: 6
Relevance explanation: The tool is useful in all web application assessments; there is always something that could be brute forced. The tool is nothing cutting edge, but was the first tool to represent the results in the way WebSlayer does. It's not a tool for one shot; it was developed for professional users, with session and all request/response saving, filtering, etc.

Timestamp: 4/28/2009 0:21:14
Name and email: Andrea Zonzin <andrea.zonzin@rocketmail.com>
Role: Project Owner
Project name: OWASP Learn About Encoding Project
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Learn_About_Encoding_Project
Mailing list: owasp-learn-about-encoding@lists.owasp.org
License: Creative Commons Attribution ShareAlike 3.0
Actively maintained: Yes, the project is actively maintained.
Availability: OWASP Wiki (documentation)
Availability link: http://code.google.com/p/learn-about-encoding/
Interested in industry sponsorship: Yes
Quality level: Unrated
Quality rating: 1
Quality explanation: The project has just begun. It's too young.
Usability rating: 1
Usability explanation: The project has just begun. It's too young.
Usage rating: 1
Usage explanation: The project has just begun. It's too young.
Relevance rating: 1
Relevance explanation: The project has just begun. It's too young.

Timestamp: 4/28/2009 4:13:29
Name and email: Arshan Dabirsiaghi <arshan.dabirsiaghi@gmail.com>
Role: Project Owner
Project name: AntiSamy
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Mailing list: owasp-antisamy@lists.owasp.org
License: BSD License
Related projects: OWASP AntiSamy .NET, OWASP Scrubbr
Actively maintained: Yes, the project is actively maintained.
Latest version: 1.3
Released: 3/19/2009
Availability: Google Code (tools)
Availability link: http://code.google.com/p/owaspantisamy/downloads/list
Project sponsors: Spring of Code (2007)
Interested in industry sponsorship: Yes
Quality level: Release
Quality rating: 10
Quality explanation: For all the reasons it's a release-quality project:
* it has regression testing
* no known xss vulnerabilities
* no known phishing vulnerabilities
* (relatively) performant
* used in production in many organizations
Usability rating: 6
Usability explanation: There is not enough documentation to deserve a high rating. The basic use cases are out there in documentation, and demo code is available, but I wouldn't say there is an overwhelming amount of guidance available.
Usage rating: 5
Usage explanation: I have no raw data, but I happen to know through emails and interactions with customers that at least a few dozen production sites are using AntiSamy either alone or through ESAPI.
Relevance rating: 10
Relevance explanation: No other tool out there in .NET/Java that does what AntiSamy does. The HTMLPurifier project is the only competition, but it's in PHP.

Timestamp: 4/28/2009 4:30:18
Name and email: Arshan Dabirsiaghi <arshan.dabirsiaghi@gmail.com>
Role: Project Owner
Project name: Scrubbr
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Scrubbr
Mailing list: owasp-scrubbr@lists.owasp.org
License: BSD License
Related projects: OWASP AntiSamy
Actively maintained: Yes, the project is actively maintained.
Latest version: Beta, no version specified (was taking the Google approach)
Released: 2/7/2009
Availability: Google Code (tools)
Availability link: http://code.google.com/p/owaspscrubbr/downloads/list
Interested in industry sponsorship: Yes
Quality level: Unrated
Quality rating: 7
Quality explanation: The tool works as intended but some parts should be rewritten due to hackiness. Also, maybe a custom AntiSamy policy for Scrubbr should be used in order to avoid false positives.
Usability rating: 6
Usability explanation: Produces a lot of false positives along with the true positives.
Usage rating: 2
Usage explanation: No raw data on usage - it's been reviewed by many different websites and it pulls a few hits on Google:
Relevance rating: 10
Relevance explanation: No other tool out there that performs this useful service.

Timestamp: 4/28/2009 18:35:01
Name and email: Alex Smolen
Role: Project Owner
Project name: .NET ESAPI
Project type: Tools
Project home page: http://www.owasp.org/index.php/ESAPI#tab=.NET
Mailing list: owasp-esapi@lists.owasp.org
License: BSD License
Related projects: ESAPI - Java
Actively maintained: Yes, the project is actively maintained.
Latest version: Not released
Availability: Google Code (tools)
Availability link: http://code.google.com/p/owasp-esapi-dotnet/
Interested in industry sponsorship: Yes
Quality level: Alpha
Quality rating: 3
Quality explanation: I am currently working on the next version of this project. It should improve the quality significantly and should be ready next month.
Usability rating: 5
Usability explanation: There is a help file that is fairly comprehensive. However, instructions for setting up/using the library in a real world application are minimal.
Usage rating: 2
Usage explanation: Not many people are using the project yet, because of the limited usability.
Relevance rating: 9
Relevance explanation: .NET is an extremely common technology, and the ESAPI project is strategically very important for OWASP.

Timestamp: 4/29/2009 15:19:32
Name and email: mro@securenet.de
Role: Project Owner
Project name: OWASP Skavenger
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_Skavenger_Project
Mailing list: Owasp-skavenger@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Related projects: OWASP WebScarab Project, OWASP WebGoat Project, OWASP Testing Guide
Actively maintained: Yes, the project is actively maintained.
Latest version: 0.6.2a
Released: 10/30/2008
Availability: SourceForge (tools)
Availability link: https://sourceforge.net/projects/skavenger/
Project sponsors: Summer of Code (2008)
Interested in industry sponsorship: No
Quality level: Beta
Quality rating: 8
Quality explanation: Tested over the last months by several testers. Beta quality level was verified.
Usability rating: 8
Usability explanation: User guide published for commandline interface only. User guide for GUI in progress. GUI interface is rather usable though.
Usage rating: 3
Usage explanation: average download rate
Relevance rating: 6
Relevance explanation: high relevance for pentesters only

Timestamp: 4/29/2009 16:46:08
Name and email: Eric Sheridan <eric.sheridan@owasp.org>
Role: Project Owner
Project name: OWASP CSRFGuard
Project type: Tools
Project home page: http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
License: GNU Lesser General Public License (LGPL v2)
Related projects: CSRFTester
Actively maintained: Yes, the project is actively maintained.
Latest version: 2.2 BETA
Released: 6/13/2008
Availability: OWASP Wiki (documentation)
Availability link: http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
Interested in industry sponsorship: Yes
Quality level: Beta
Quality rating: 7
Quality explanation: Need experience integrating the tool with more real-world enterprise applications. I've received a lot of positive feedback, but not a significant amount of hands-on experience integrating it.
Usability rating: 8
Usability explanation: Decent documentation, open source, standard J2EE component.
Usage rating: 6
Usage explanation: Need easier install and management capabilities (ex: managing the properties file).
Relevance rating: 9
Relevance explanation: Everyone has CSRF


Timestamp: 4/29/2009 16:49:52
Name/Email: Eric Sheridan <eric.sheridan@owasp.org>
Role: Project Owner
Project: OWASP CSRFTester
Type: Tools
Home Page: http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-csrftester
License: GNU Lesser General Public License (LGPL v2)
Related Projects: CSRFGuard
Actively Maintained: Yes, the project is actively maintained.
Latest Version: 1
Availability: OWASP Wiki (documentation)
Availability Link: http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
Industry Sponsorship Interest: Yes
Quality Level: Alpha
Quality Rating: 5
Quality Explanation: The tool needs better documentation and installer capabilities as well as support for mutual SSL auth proxy.
Usability Rating: 6
Usability Explanation: Relatively intuitive interface but lacks documentation.
Usage Rating: 2
Usage Explanation: Not a lot of feedback regarding its use from the community. It's very easy to identify CSRF vulnerabilities - tools not required. The tool only helps build a complicated proof of concept.
Relevance Rating: 9
Relevance Explanation: Everyone has CSRF.

Timestamp: 4/30/2009 17:17:07
Name/Email: Dmitry Kozlov <ddk@cs.msu.su>
Role: Project Owner
Project: Teachable Static Analysis Workbench
Type: Tools
Home Page: http://www.owasp.org/index.php/Category:OWASP_Teachable_Static_Analysis_Workbench_Project
Mailing List: owasp-teachable-static-analysis-workbench@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Related Projects: LAPSE, Orizon, ESAPI
Actively Maintained: Yes, the project is actively maintained.
Latest Version: 1.2.0
Released: 12/24/2008
Availability: Google Code (tools)
Availability Link: http://code.google.com/p/teachablesa/
Sponsors: Summer of Code (2008)
Industry Sponsorship Interest: Yes
Quality Level: Beta
Quality Rating: 4
Quality Explanation: The project is usable, but there are some points of extension:
* more types of vulnerabilities to check
* ship an already taught environment
Usability Rating: 8
Usability Explanation: There is a published user guide. Requires language polishing by a native speaker.
Usage Rating: 3
Usage Explanation: People mostly want not a teachable environment, but an already taught static analysis tool. So, we need further development.
Relevance Rating: 8
Relevance Explanation: Very relevant.

Timestamp: 4/30/2009 17:25:46
Name/Email: Dmitry Kozlov <ddk@cs.msu.su>
Role: Project Contributor
Project: Application Security Tool Benchmarking Environment and Site Generator
Type: Tools
Home Page: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Tool_Benchmarking_Environment_and_Site_Generator_Refresh_Project
Mailing List: owasp-appcec-tool-benchmarking-project@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Actively Maintained: Yes, the project is actively maintained.
Latest Version: 2.0.3
Released: 3/14/2009
Availability: Google Code (tools)
Availability Link: http://code.google.com/p/osg2/
Sponsors: Summer of Code (2008)
Industry Sponsorship Interest: Yes
Quality Level: Alpha
Quality Rating: 4
Quality Explanation: Not fully finished. It was not reviewed in time during SoC 2008; that is why it was not finished in the proposed timeframe.
Usability Rating: 5
Usability Explanation: Published user guide, missing developer's guide.
Usage Rating: 2
Usage Explanation: I think it should be finished first.
Relevance Rating: 6
Relevance Explanation: This is a tricky area of benchmarking security tools. This project has strong commercial competitors: the Hacme* series of vulnerable apps from Foundstone.

Timestamp: 4/30/2009 17:31:48
Name/Email: Dmitry Kozlov <ddk@cs.msu.su>
Role: Project Contributor
Project: Python Static Analysis Project
Type: Tools
Home Page: http://www.owasp.org/index.php/Category:OWASP_Python_Static_Analysis_Project
Mailing List: Owasp-Python-Static-Analysis@lists.owasp.org
License: GNU General Public License v2 (GPLv2)
Related Projects: Pixy (not at OWASP)
Actively Maintained: Yes, the project is actively maintained.
Latest Version: 0.1
Released: 6/16/2008
Availability: Google Code (tools)
Availability Link: http://code.google.com/p/owasp-python-static-analysis/
Sponsors: Summer of Code (2008)
Industry Sponsorship Interest: Yes
Quality Level: Alpha
Quality Rating: 1
Quality Explanation: Still in development.
Usability Rating: 1
Usability Explanation: Minimal documentation.
Usage Rating: 1
Usage Explanation: Not ready for widescale use.
Relevance Rating: 10
Relevance Explanation: It is the only open source Python static security analysis tool.

Timestamp: 5/1/2009 4:45:56
Name/Email: Jason Li <jason.li@owasp.org>
Role: Project Owner
Project: JSP Testing Tool
Type: Tools
Home Page: http://www.owasp.org/index.php/Category:OWASP_JSP_Testing_Tool_Project
Mailing List: owasp-jsp-testing-tool-project@lists.owasp.org
License: BSD License
Actively Maintained: Yes, the project is actively maintained.
Latest Version: 0.5
Released: 6/29/2008
Availability: Google Code (tools)
Availability Link: http://code.google.com/p/owasp-jsp-testing-tool/
Sponsors: Summer of Code (2008)
Industry Sponsorship Interest: No
Reason: The project is not mature enough to be suitable for industry partnership.
Quality Level: Beta
Quality Rating: 2
Quality Explanation: The project does not exercise tag library components as thoroughly as I would like.
Usability Rating: 2
Usability Explanation: There is an Ant build file which automates some running of the application. However, the nature of TLDs is not concrete enough to capture all the details necessary to adequately exercise tag libraries. As a result, there's a lot of customization that must be done to test a tag library and there is limited documentation and capability to account for using this tool outside of the original test bed of JSF components.
Usage Rating: 1
Usage Explanation: To my knowledge, this project does not have any active users.
Relevance Rating: 5
Relevance Explanation: The project concept is intriguing and has generated interest as people love the idea of a tool that they can just point and click and determine security. However, my continuing concern is the feasibility of such tools.

Timestamp: 5/4/2009 16:55:24
Name/Email: Alberto Pastor Nieto <apastorn@grupogesfor.com>
Role: Project Contributor
Project: Wapiti
Type: Tools
Home Page: http://www.owasp.org/index.php/Category:OWASP_Wapiti_Project
Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-wapiti-project
License: GNU General Public License v2 (GPLv2)
Related Projects: ICT-Romulus (http://www.ict-romulus.eu)
Actively Maintained: Yes, the project is actively maintained.
Latest Version: 2.1.0
Released: 4/5/2009
Availability: SourceForge (tools)
Availability Link: http://sourceforge.net/projects/wapiti/
Availability Explanation: We have had the code and the releases there since the first version.
Industry Sponsorship Interest: No
Reason: We need to discuss this issue.
Quality Level: Alpha
Quality Rating: 7
Quality Explanation: Mature development. Now, some new functionalities are being implemented in order to create a more complete tool.
Usability Rating: 6
Usability Explanation: It's a console tool, with its related inconveniences.
Usage Rating: 7
Usage Explanation: The number of downloads from SourceForge is growing (more than 20,700).
Relevance Rating: 6
Relevance Explanation: We think it is relevant because it combines a web crawler with black-box testing, so it is an almost-complete automatic tool. Run, wait and obtain the results!

Timestamp: 5/8/2009 21:51:12
Name/Email: puhley@adobe.com
Role: Project Owner
Project: OWASP AIR Security Project
Type: Documentation
Home Page: http://www.owasp.org/index.php/Category:OWASP_AIR_Security_Project
Mailing List: N/A
License: Creative Commons Attribution ShareAlike 3.0
Related Projects: OWASP Flash Security Project
Actively Maintained: Yes, the project is actively maintained.
Availability: OWASP Wiki (documentation)
Availability Link: http://www.owasp.org/index.php/Category:OWASP_AIR_Security_Project
Industry Sponsorship Interest: No
Reason: The project is not at a state where it can effectively apply the resources from another partner. When additional partnership is required, I can most likely obtain additional resources from Adobe. This can free up OWASP to apply its industry resources to other critical projects.
Quality Level: Alpha
Quality Rating: 7
Quality Explanation: The information on the page is accurate and kept up to date, providing links to videos, presentations, papers and official documentation. From that perspective, it is usable today. The project could be improved by providing more OWASP original resources in addition to providing links to external resources. It is also planned to better integrate the information into existing OWASP resources.
Usability Rating: 7
Usability Explanation: The website provides clear and accurate links to additional information and resources. The usability could be improved by providing more original OWASP content to better guide the user to appropriate documentation as well as integrating into existing OWASP references.
Usage Rating: 7
Usage Explanation: The project and Adobe AIR are still relatively young so I doubt the usage is extremely high. I do not have access to statistics for the web page. In a Google search for "Adobe AIR Security", it comes up as the 21st result out of hundreds of results.
Relevance Rating: 8
Relevance Explanation: AIR is a technology that is being adopted by several large corporations such as Amazon, eBay and others. AIR is a strong contender in the RIA space. It is continuing to grow in functionality, supported platforms and adoption.

Timestamp: 5/8/2009 23:41:34
Name/Email: puhley@adobe.com
Role: Project Owner
Project: OWASP Flash Security Project
Type: Documentation
Home Page: http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
Mailing List: N/A
License: Creative Commons Attribution ShareAlike 3.0
Related Projects: OWASP AIR Security Project
Actively Maintained: Yes, the project is actively maintained.
Availability: OWASP Wiki (documentation)
Availability Link: http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
Industry Sponsorship Interest: No
Reason: The project is not at a level where it can effectively apply industry resources. If resources become necessary, I may be able to get them from Adobe. This will allow OWASP to apply industry resources to other critical projects.
Quality Level: Beta
Quality Rating: 8
Quality Explanation: This project provides tools, videos, presentations and references on Flash security. It cross-links with existing OWASP projects. The project can be further enhanced with more original OWASP content and an update of SWFIntruder.
Usability Rating: 8
Usability Explanation: The site is a web page with straightforward links to resources. It could be improved by better organizing the page and providing more original OWASP content.
Usage Rating: 8
Usage Explanation: I do not have usage statistics for the web page. However, security research in general has been increasing in the RIA space and specifically with regards to SWF content, so I see this resource growing in the future.
Relevance Rating: 9
Relevance Explanation: Flash is one of the most widely deployed technologies on the web and is critical to many leading websites. There is an increasing amount of research surrounding the platform. Having a centralized resource for tools and information is critical for many website owners.

Timestamp: 5/19/2009 18:12:29
Name/Email: Lawrence Angrave <Lawrence_Angrave@yahoo.co.uk>
Role: Project Owner
Project: insecurewebapp
Type: Tools
Home Page: http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project
Mailing List: https://lists.owasp.org/pipermail/webappsec/
License: Apache License 2.0
Related Projects: WebGoat
Actively Maintained: No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.
Latest Version: 1
Released: 4/27/2005
Availability: SourceForge (tools)
Availability Link: http://insecurewebapp.sourceforge.net/main/index.html
Industry Sponsorship Interest: No
Reason: This project is complete and small. It would not benefit from additional development!
Quality Level: Release
Quality Rating: 7
Quality Explanation: The insecurewebapp is a small, mature, reliable project. There is no current requirement or interest in adding additional features. It provides a platform to allow Java developers to review a small codebase, look for common vulnerabilities and attempt to exploit them.
Usability Rating: 8
Usability Explanation: This is tricky to answer - the project is a realistic, typical but small and complete database-driven web application. There are deliberately few additional commentaries. Additional documentation would reduce the realism of the web-app.
Usage Rating: 8
Usage Explanation: This is tricky to answer - the project is a realistic, typical but small and complete database-driven web application. There are deliberately few additional commentaries. Additional documentation would reduce the realism of the web-app.
Relevance Rating: 8
Relevance Explanation: The project uses very simple JSP pages in a naive manner. These are hardly representative of real enterprise applications, but this is necessary because we want this project to be small and independent of a particular Java webapp platform (Spring/Face/Struts etc), and chose a technology that all Java web developers would understand.

This project serves a similar need to WebGoat. The difference is that WebGoat is a complete training environment. Insecurewebapp is just that - an insecure web application which can be completely reviewed from the front-end _and_ the source code backend too.