|Timestamp||What is your name and email address?||Who are you?||What is the name of your project?||Project Type||Project Home Page||Mailing List||License||Related Projects||Is the project actively maintained?||What is the latest version of your project?||When was this latest version released (if applicable)?||Availability||Availability Link||Availability Explanation||Project Sponsors||Would you be interested in the OWASP Global Projects Committee considering your project for an industry sponsorship?||If not, what is the reason that you do not wish to be considered for industry partnership?||What is the current quality level of the project?||Quality Rating||Quality Explanation||Usability Rating||Usability Explanation||Usage Rating||Usage Explanation||Relevance Rating||Relevance Explanation|
|3/19/2009 5:45:firstname.lastname@example.org||Project Owner||Google Hacking||Tools||http://www.owasp.org/index.php/Category:OWASP_Google_Hacking_Project||https://lists.owasp.org/mailman/listinfo/owasp-google-hacking||Apache License 2.0||Can you please clarify if you are seeking relationships to other OWASP Project or other projects within the webappsec community?||Google is revoking the SOAP Search API late August 2009 i.e. http://googleajaxsearchapi.blogspot.com/2009/03/google-code-labs-and-soap-search-api.html||PoC v0.1||Closed Release to Reviewer - Public Release at OWASP EU, 5th CONFidence and BlackHat USA/DefCon||Google Code (tools)||http://code.google.com/p/dic/||No||Prior to OWASP USA Conference 2008, Google approached Tom Brennan to explain the intent of this project and he deliberately kept me at arms length by refusing to provide their contact information so I was unable to leverage their initial contact to discuss sponsorship.|
I doubt Google would sponsor this now due to deprecating their SOAP Search API.
|Beta||4||The quality at the moment is down due to the inclusion of new features but it is increasing due to the following in the SDL:|
1. Refactoring the perl code.
2. Incorporating perltidy and Perl::Critic CPAN Module.
3. Incorporating POD.
|3||It is used from the command line.|
The Google SOAP Search API is limited to Search Result 1 to 1000.
|1||Use is limited to Closed Alpha and Beta Testers. I expect this to increase after OWASP European Conference and 5th CONFidence.||10||"Download Indexed Cache" is an implementation of the Search Engine Discovery/Recon section of the OWASP Testing Guide v3, which is a superior methodology to the GHDB maintained by Johnny Long.|
|3/19/2009 7:52:35||Achim email@example.com||Project Owner||EnDe||Tools||https://www.owasp.org/index.php/Category:OWASP_EnDe||mailto:firstname.lastname@example.org||GNU General Public License v2 (GPLv2)||http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project|
|Yes, the project is actively maintained.||0.1.59||2/16/2009||currently on its own domain||http://ende.my-stp.net/||No||The main usage area -as far as I know- is pentesting web applications. Sometimes it helps me configuring WAFs. However, it's useful for educational purposes to demonstrate to developers how and why things go wrong.|
In that area I don't see an "industrial usage". But I'm open to change my mind here:)
As the tool also offers an API to all its internal functions, I can imagine using it in real web applications. I can imagine to build something like an
If anyone (industry partner) is interested in driving in that direction, you're welcome.
|Alpha||7||+ ready to use, just click|
+ full online documentation
+ huge support of codings
+ browser tool, runs anywhere (remote from server, local from file system)
+ API available
- API not yet fully tested (lack of contributors)
- API design needs to be improved (need some ideas from real world usage)
Note regarding "Alpha quality":
I've chosen alpha 'cause not all OWASP Project Assessment criteria are fulfilled. IMHO the code is release quality, at least beta.
|8||+ ready to use, just click|
- non-w3c compliant and/or non ECMA-compliant browsers are not well supported
|2||Most people, in particular those not yet ensnared in webappsec, don't understand the purpose and hence the usage of the tool 'cause they often don't understand what coding/hashing/crypting is used for and which problems to solve.||5||Should have rated low, 'cause it's not widely used.|
Should have rated high 'cause it's very useful for pentesters and people analyzing "obfuscated" traffic and data (WAF, forensic, etc.).
If people understand how coding works in the webappsec area, and what are the dragons there, and where coding (input and/or output) should --better: has to-- take place, then I'd tend to 10 (at least 'til someone has a functional comparable tool).
|3/19/2009 9:55:04||Andrew Petukhov <email@example.com>||Project Owner||Access Control Rules Tester||Tools||http://www.owasp.org/index.php/Category:OWASP_Access_Control_Rules_Tester_Project||firstname.lastname@example.org||GNU General Public License v2 (GPLv2)||OWASP WebScarab. AcCoRuTe depends on WebScarab as a library||I do not know what is "actively". I am going to move it from Beta to Release.||Beta, 1.0.0.||9/16/2008||Google Code (tools)||http://code.google.com/p/accorute/||Summer of Code (2008)||Yes||Beta||3||As for now, much training is needed to start using this tool. Besides, the process of building sitemaps is cumbersome.|
1. Implement GUI.
2. Automate navigation by incorporating a web spider into the tool. As for now, a third-party spider is used.
3. Implement support for anti-automation (CAPTCHA processing with operator's assistance) and multi-step logins (i.e. one time passwords and so on).
In fact I insist that the real value of Beta Quality AcCoRuTe is added scientific value. I'd split the overall value of the deliveries into 60% value of the method, and 40% its implementation.
What's really new is a method for a complete web application traversal. Previous works viewed a web application as a graph, but this project views a web application as a state transition system.
|2||See above. User requires much time and effort to collect initial data for the tool to run upon.||1||There are no external links to this project and I haven't received any feedback.||7||There are no open source products that test access control flaws. Scientific papers did not address this problem either.|
Besides, I think that the developed method to test for access control inconsistencies should be integrated into Testing Guide.
|3/19/2009 10:22:28||Paolo Perego <email@example.com>||Project Owner||Orizon Project||Tools||http://www.owasp.org/index.php/Category:OWASP_Orizon_Project||firstname.lastname@example.org||GNU General Public License v3 (GPLv3)||Owasp Code review Guide|
Owasp Source Code Flaws Top 10
|Yes, the project is actively maintained.||v1.0||2009-03-18 v1.15.f||SourceForge (tools)||http://orizon.sourceforge.net||Spring of Code (2007), Summer of Code (2008)||Yes||Beta||4||To raise the quality I have to work hard in analysis features and over documentation. These two are my top priority goals for this season of cleaning.|
I plan to release a stable version (v1.20) for next AppSec EU (with some functionalities available) and a more mature stable version (v1.40) later this year with further improvement.
I started recording some short screencast, I'm considering the opportunity to start a podcast series of using orizon.
|5||Poor documentation helps you in issuing the commands. In the future it would be more documented how to use the engine, how to embed it in a web app.||4||Just by now Orizon can be used (without being embedded in a web app) standalone as a shell.|
A command interpreter is spawned and you can interact with the engine.
To improve usability a fancy GUI has to be created but this is a 2010 goal by the moment.
|10||Well, Orizon aims to be a static (and in future hybrid) analysis tool that is:|
* embeddable in other applications
* able to analyze source written in various languages (php, java, cobol, c and other)
* able to scan sources without the need to compile them!
For a lot of reasons (the most important to me is the last one), Orizon can be a cutting edge tool for a security specialist in the next future (like O2 e.g.).
The work that must be done is huge, but I think that Orizon is a tool the community will love... or at least, I hope so :-)
|3/19/2009 12:02:41||Leo Cavallari <email@example.com>||Project Owner||ASDR||Documentation||www.owasp.org/index.php/Category:OWASP_ASDR_Project||firstname.lastname@example.org||Creative Commons Attribution ShareAlike 3.0||OWASP Honeycomb Projects (that should be replaced by ASDR)||Yes, the project is actively maintained.||0.9||4/1/2008||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_ASDR_Project||The alpha version of the ASDR book is available at OWASP in wikimedia format and at Lulu.com in PDF format.||Spring of Code (2007), Summer of Code (2008)||Yes||Alpha||5||ASDR contains 324 articles, some of them very mature but others only a draft or even just the title. The project's structure is well defined and what we need are some focused volunteers to review what is done and produce content for the remaining articles in order to raise the project to beta or release quality.||10||As it is to be the unique reference for Webapp security at OWASP, we need to keep integrating with other guides (Testing, Devel, Review) and reference their articles at every OWASP project, instead of reinventing the wheel every time.||7||I believe it is highly used, since it can be used by every OWASP project that deals with security concepts and by security and IT professionals.||7||Even though it can be seen as an App Security Encyclopedia, it's much more than that once it is "a basic reference material when performing such activities as threat modeling, security architecture review, security testing, code review, and metrics".|
|3/19/2009 13:15:email@example.com||Project Owner||OWASP Developer Guide||Documentation||http://www.owasp.org/index.php/Category:OWASP_Guide_Project||http://lists.owasp.org/mailman/listinfo/owasp-guide||Creative Commons Attribution ShareAlike 3.0||OWASP Testing Guide|
OWASP Code Review Guide
OWASP Top 10 2007
OWASP Application Security Verification Standard
|Yes, the project is actively maintained.||http://www.owasp.org/index.php/Guide_Table_of_Contents||7/29/2005||Wiki, Lulu, PDF, Word||http://www.owasp.org/index.php/Guide_Table_of_Contents||The survey is not able to choose multiple options. All are hosted by OWASP except for the Lulu books. Please add Lulu and the other options and make the survey a multi-selection.||Yes||Release||7||The project is undergoing change from one state to another state. Those chapters are in flux and need help to finish them up to 3.0 Release Standards. |
What could help? Industry funding or OWASP Grants to allow me to finish the project - it's just too huge to do as a part time thing.
More volunteers are also welcome, but I have only had two offers in the last two times at asking for help in the last twelve months. The quality of the submissions from these folks was also quite low, requiring extensive re-writes.
|10||Available by many means|
Good structure and helpful to target audience.
|10||I don't have access to the web site stats, but if you search for links to the Guide's home page from outside OWASP, it's one of the highest (I think second after the Top 10). |
There's also over 500 internal links from inside owasp.org itself to the Guide, making it most likely one of the most hyperlinked documents.
|7||The Developer Guide covers 95% of the things we look for day to day in reviews and in developing secure applications. There are heaps of things in it that most applications still do not do today. |
The advice it gives could be improved, and there are controls that are missing, which is to be expected for a four year old document - things like click jacking and so on.
|3/19/2009 13:48:34||Arturo 'Buanzo' Busleiman <firstname.lastname@example.org>||Project Owner||Enigform||Tools||https://www.owasp.org/index.php/Category:OWASP_OpenPGP_Extensions_for_HTTP_-_Enigform_and_mod_openpgp||Owasp-Enigform-and-mod-OpenPGP@lists.owasp.org||multiple licenses, multiple tools within project, all free||gnu privacy guard|
|Yes, the project is actively maintained.||0.5.0, 0.8.3.1 and 1.2.1||3/15/2009||owasp, wiki.buanzo.org, mozdev.org, wordpress.org||http://wiki.buanzo.org/index.php?n=Main.Wp-enigform-authentication||The Firefox extension is hosted in the mozilla development site mozdev.org.|
The wordpress extension is hosted in Wordpress' facilities.
The apache module is hosted in my own resources. I pay a dedicated server every month. It makes no sense to waste resources from others (sf.net, google) when I have them myself.
|Spring of Code (2007), Summer of Code (2008)||Yes||Beta||7||It works great, but there are still lots of features in my head. Also, being the first beta release, the amount of community feedback will drive the project. In my country, a rating of 7 means "just ok!" :)||8||One guide is missing: web developers guide. Also, the protocol rfc is on its way.||7||It's an experimental research technology... no one ever implemented any pgp features on http... today, it's FULLY usable (see the wordpress enigform authentication plugin as a proof of concept), and it's quite easy.||10||PGP + HTTP, do I need to say more? Never ever implemented or researched before.|
|3/19/2009 14:09:09||Ryan Barnett <email@example.com>||Project Owner||ModSecurity Core Rules||Documentation||http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project||firstname.lastname@example.org||GNU General Public License v3 (GPLv3)||ModSecurity - Open Source WAF - www.modsecurity.org|
OWASP - Securing WebGoat using ModSecurity (SoC Project)
|Yes, the project is actively maintained.||None - this is a new project||None - this is a new project||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project||Breach Security Labs||No||We are already sponsored by Breach Security Labs (www.breach.com).||Alpha||1||I need to populate the project site with the Core Rules data. This will be happening soon as we were waiting for the release of Core Rule Set (CRS) v1.6.2.||1||Same as above. This is a brand new project.||1||Same as above. This is a brand new project.||9||Using a WAF as an initial shield from reconnaissance, automated and known attacks is critical. It is also relevant for HTTP level auditing and virtual patching for identified issues. Industry regulations such as PCI also recommend WAF usage.|
|3/19/2009 15:10:email@example.com||Project Owner||Java Project||Documentation||http://www.owasp.org/index.php/Category:OWASP_Java_Project||firstname.lastname@example.org||GNU General Public License v3 (GPLv3)||ESAPI||No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_Java_Project||Corsaire||Yes||Unrated||6||The project is a wiki based collection of articles, rather than one complete document. The quality of each article varies considerably; some articles are release quality having gone through peer review, others are incomplete as they stand.||9||Wiki based documentation project.||4||Unknown, since it is a documentation based project.||9||The information is very relevant to Java programmers|
|3/20/2009 0:27:email@example.com||Project Owner||ASVS||Documentation||http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project||Owasp-Application-Security-Verification-Standard@lists.owasp.org||Creative Commons Attribution ShareAlike 3.0||OWASP Top Ten|
OWASP Legal Project
|Yes, the project is actively maintained.||Beta||12/5/2008||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Web_Application_Edition||Summer of Code (2008)||No||It is already co-sponsored by Aspect and Booz Allen.||Beta||10||The ASVS team hardened ASVS as it is OWASP's first standard, to proceed cautiously.||10||Comments resulting from test-driving the standard on pilot security assessments, and comments collected from the community while working on the release draft, are not identifying any major changes either in approach or in detailed requirements.||7||There are a large number of organizations that are in the process of reviewing ASVS requirements in detail, working to figure out how to integrate ASVS security assessments into their SDLC. These insights are based on first-hand knowledge of civil US Government agencies, and indirect insight into other organizations.||10||It is the first and only standard in this space.|
|3/20/2009 3:01:55||Michael Coates <firstname.lastname@example.org>||Project Owner||AppSensor||Documentation||http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project||OWASP-AppSensor-Projec@lists.owasp.org||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||1.1||2/4/2009||OWASP Wiki (documentation)||https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf||Summer of Code (2008)||Yes||Beta||8||The documentation project is a very solid release with its current information. I will be updating it again shortly and releasing version 1.2. This new version will include specific architecture notes and examples. I expect Version 1.2 to be a quality rating of 10.|
In addition, in about 3 months I will be releasing an alpha version of the AppSensor tool. I have a tool working, but a little more work is needed.
|8||It is a documentation guide intended to provide information for the reader. I think it is very usable and easy to read.||9||The AppSensor project is designed to be utilized by any size application. The concepts described by AppSensor are a necessary addition for any application concerned with security.||10||The concepts prescribed in AppSensor are not currently in widespread use. However, the threats facing applications are continuing to grow and the attackers are becoming more belligerent. It is time for applications to begin adopting a more defensive position.|
Applications currently do not take any action to detect malicious users. The concept of AppSensor would add significant security enhancements to any application. By strategically recording attack events AppSensor can detect a malicious user that is probing for vulnerabilities. At this point AppSensor can take action against the user (such as locking the user's account) in order to protect the application from compromise.
|3/20/2009 12:33:email@example.com||Project Owner||WebGoat||Tools||http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project||firstname.lastname@example.org||GNU General Public License v2 (GPLv2)||Yes, the project is actively maintained.||5.2||google and sourceforge||http://code.google.com/p/webgoat/||Aspect, Ounce, SANS, OWASP||No||Too much posturing and entitlement beliefs||Release||7||Some known bugs, help is out of date, solutions are out of date, needs to incorporate defensive best practice in lesson plans||7||OWASP wiki is out of date, User guide is based on 4.0||7||over 600,000 downloads of webapp. I think google's number counter is skewed||7||Attacks could be improved|
|3/20/2009 15:42:55||Matthew Chalmers <email@example.com>||Project Owner||Application Security Requirements||Documentation||https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project||firstname.lastname@example.org||Creative Commons Attribution ShareAlike 3.0||OWASP_Secure_Software_Contract_Annex||Active attempts to garner participation from mail-list subscribers have yielded no input/results. As 'interim' PM I have tried to contact the former PM to no avail. I have not yet had time to familiarise myself enough with the project templates & requirements to be able to update our pages. The OWASP project page templates/requirements, IMHO, are overly complicated and too general purpose. I have more available time now and am committed to giving the project a shot in the arm, including updating its wiki pages--that's why I'm doing this survey.||n/a||n/a||OWASP Wiki (documentation)||https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project||n/a||No||I do not believe this project would benefit from funding. It will benefit most from active contributions from a large group of volunteers from a variety of organisations involved with projects having security requirements.||Unrated||1||Extremely few messages were exchanged on the mail-list before I took over--as if all the work was done by the PM only. The former PM created one single document (a file attached to the wiki page) that may have some salvageable content going forward but is no real basis for the project. I believe, but have no real support for it, that the people "involved" with the project are more looking to get answers than looking to provide them and, further, may not really understand project lifecycles or requirements to begin with. This project would benefit from an in-person discussion at a large OWASP event; unfortunately, I do not seem to be in the loop for advance notice of events.
This is a major source of contention for me personally, not just as a PM but as being generally involved with OWASP: events are not announced well enough in advance in order to get involved as a contributor rather than a consumer.||1||See Quality Explanation: There is the project page and one file attachment. It needs to be cleaned up and I am working on it.||1||It would be nice, in the first place, for PMs to have some easily gotten idea of the number of times their project pages have been accessed. I have to assume this project's usage is extremely low based on the content available and the very low number of mail-list subscriptions since I assumed ownership and the virtually nil traffic in the mail-list.||7||There has been much (relatively speaking) talk recently about different project lifecycles such as Agile but I haven't seen anything specifically mentioned about Requirements. I believe this project's intended product would benefit such "cutting edge" SDLCs the most as they tend to make the most assumptions and begin work the quickest. That being said, I firmly believe that most organisations are still following a more traditional waterfall methodology and Requirements is a major part of that.|
|3/20/2009 15:56:33||Dan Cornell email@example.com||Project Owner||Sprajax||Tools||http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project||firstname.lastname@example.org||GNU Lesser General Public License (LGPL v2)||No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.||10/5/2006||Google Code (tools)||http://code.google.com/p/sprajax/||Yes||Alpha||2||This was an early version of an AJAX testing application that was surpassed by commercial tools. It only supports testing Microsoft Atlas applications at the current time.||2||This was an early version of an AJAX testing application that was surpassed by commercial tools. It only supports testing Microsoft Atlas applications at the current time.||2||Because of the limited supported platforms (MS Atlas), there is not a tremendous amount of usage.||4||Because of the limited supported platforms (MS Atlas), there is not a tremendous amount of usage. However, some of the code for Sprajax could be extended to act as a general web application fuzzer.|
|3/20/2009 16:07:20||Dan Cornell email@example.com||Project Owner||Open Review Project||Tools||http://www.owasp.org/index.php/Category:OWASP_Open_Review_Project||firstname.lastname@example.org||No license - SaaS||Yes, the project is actively maintained.||Not applicable||https://owasp.fortify.com/||https://owasp.fortify.com/||Fortify provides access to their SCA technology via a SaaS platform. So the tool isn't downloadable - it involves submitting an open source project to be scanned.||Yes||Beta||8||The software is in use but we have occasional issues with availability and some bugs in the implementation.||7||The web application is reasonably usable but some sections can be a little hard to figure out.||5||We have worked with a couple of 3rd-party open source projects such as Moodle. We have also worked with OWASP projects such as AntiSAMY.NET. Kuai has been working with higher education institutions to start running open source software commonly used in education through the service.||8||The project provides commercial-grade static analysis to open source projects.|
|3/20/2009 19:30:48||Chris Loomis email@example.com||Project Owner||CAL9000||Tools||http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project||http://lists.owasp.org/mailman/listinfo/owasp-cal9000||GNU General Public License v2 (GPLv2)||LiveCD||No, the project is not maintained but I/we are willing to cede ownership of the project to another OWASP member.||2||11/15/2006||Google Code (tools)||http://owasp-code-central.googlecode.com/svn/trunk/labs/cal9000/||zip file located at:|
A copy of this zip file should be hosted at OWASP, as the digilantesecurity domain is about to expire and I will not be renewing it.
|Autumn of Code (2006)||Yes||Alpha||7||Needs to be updated for use in current browsers.||7||Needs to be updated for use in current browsers.||7||At least 50,000 downloads to date, also included on the LiveCD.||7||Still handy for those who want to be able to test without having to install anything, though much of the functionality is redundant when compared to other OWASP tools.|
|3/21/2009 9:18:58||James Fisher firstname.lastname@example.org||Project Owner||DirBuster||Tools||http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project||https://lists.owasp.org/mailman/listinfo/owasp-dirbuster||GNU Lesser General Public License (LGPL v2)||Yes, the project is actively maintained.||0.12||1.0-RC1||SourceForge (tools)||http://sourceforge.net/projects/dirbuster/||Can't remember why I put it on sourceforge. Moving will require work, for which I see the end result not providing any extra benefit.||No Sponsor||Yes||Beta||9||Dirbuster is stable, well packaged, full featured. The only thing it is lacking is help pages and documentation, which I have started but never have the drive to finish!||8||DirBuster's interface is simple and in my opinion intuitive to use (but I would say that as I wrote it). Error messages inform the user of issues, while text box tips give examples of valid input for the fields.|
The only issue involves people sometimes not knowing how to set some of the more advanced features. This situation could be improved if I publish some help files and faq's etc etc.
|8||This is a hard one to measure, but I guessed based on downloads, taking into account what the tool actually does, and the fact there are not many other tools that do the same thing. Those that do (or did in the case of Jbrofuzz), often use the lists provided by dirbuster.|
Month       Downloads  Bandwidth
Mar 2009 *        752    11.6 GB
Feb 2009          733    12.2 GB
Jan 2009          806    15.2 GB
Dec 2008          892    17.0 GB
Nov 2008          981    18.6 GB
Oct 2008        1,108    21.3 GB
Sep 2008          934    17.6 GB
Aug 2008        1,126    21.4 GB
Hits on the update page (only ever once per day), which gives some indication of how often it is used, are about 1200 per month.
|6||DirBuster performs a simple task very well (ie it produces very, very few false positives). I do not consider it to be cutting edge, but I think there will always be the requirement for dir and file brute forcing to try to find files and dirs that are not linked.|
|3/22/2009 9:10:13||Stephen Craig Evans <email@example.com>||Project Owner||Securing WebGoat using ModSecurity||Documentation||https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project||firstname.lastname@example.org||Creative Commons Attribution ShareAlike 3.0||WebGoat(https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)|
new OWASP ModSecurity Ruleset project (don't have link for it)
|Yes, the project is actively maintained.||11/29/2008||OWASP Wiki (documentation)||http://www.owasp.org/index.php/OWASP_Securing_WebGoat_using_ModSecurity_Project||Summer of Code (2008)||Yes||Beta||8|
Please see the Project News section of the home page for references and discussion of this project: https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project
I probably spent 2/3 to 3/4 of my time from May until the end of November on this project.
I strongly believe it can go through another generation of development and perhaps Breach would be an industry sponsor. If so, I would love to do it.
Version 2.0 could improve on the work that I originally did on mitigating business logic flaws. I could develop pre-packaged modules (Lua scripts with instructions) that a network/sysadmin security type of person could more easily understand.
1. Password retry max / account lockout (14. Sublesson 4.2: Forgot Password )
2. "Static" parameter tampering: modifying read-only HTML values such as from check boxes and drop-down lists; similar to what part of the Secure Parameter Filter for IIS project does (http://www.gdssecurity.com/l/spf/) - (15. Parameter Tampering -> 15.1 Exploit Hidden Fields)
3. Role-based access control, including using SQL database calls (Sublesson 2.3: LAB: Role Based Access Control)
4. Concurrency flaws (Sublesson 7.2: Shopping Cart Concurrency Flaw)
- The wiki is a little disorganized (learning on the fly) and could use re-organization.
- Once OWASP documentation guidelines and standards are set, the Doc file and Lulu book should be modified to conform to them so that it will have the same look and feel as other OWASP documents
The project is starting to get noticed; check the references in the Project News section of the home page for references and discussion (Ryan Barnett, Ken van Wyk, Arshan D., etc) of this project: https://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project
- The project is ahead of its time; it's the first time a WAF has been programmed to mitigate business logic flaws
- Probably 99% of ModSecurity users only use the core rulesets out of the box. Using a WAF for virtual patching hasn't taken off yet.
- Network/sysadmins that are in charge of a WAF are scared of programming and not smart enough :-) to figure out that they just have to go out and hire a developer to do a small amount of work.
|10||It's the first time a WAF has been programmed to mitigate business logic flaws.|
Perhaps using a WAF to do Virtual Patching will get a boost from this (per Ryan Barnett's BlackHat prezo).
|3/23/2009 14:57:50||Matt Tesauro <email@example.com>||Project Owner||OWASP Live CD||Tools||http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project||https://lists.owasp.org/mailman/listinfo/owasp-live-cd-2008-project||CC Attribution ShareAlike for docs, GPL v3 for code||OWASP Education Project||Yes, the project is actively maintained.||AustinTerrier-Feb2009||2/14/2009||Modules are on Google Code, ISO/VMs on seperate site||http://code.google.com/p/owasp-livecd-2008/||The reason for splitting the repository into two places is that Google code has a max file upload limit of 100 MB which won't work for a ISO image. Therefore, I put the individual modules up on Google Code and host the ISO and VM images on a host that I personally own.||Summer of Code (2008)||Yes||Release||10||I've had several releases since the original Summer of Code 2008 release and have continually improved the release. The only work to be done is some fine tuning of the tools and more polished integration. Also, the Live CD has been used for several training classes at several conferences which would seem to suggest its fully baked.||9||Ever effort has been made to make the tool very usable from startup on. The only reason I didn't give it a 10 is I do not have a formal published user guide.||10||As of March 7th 2009, some form of the OWASP Live CD has been downloaded 75,219 times. Just for the first seven days of March, 6,257 downloads of some form have occurred. By some form, I mean one of the ISO releases (Beta1, Beta2, SoC, Portugal or AustinTerrier) or one of the VM images (VMware or Virtual box). Also, I've had approx. 888 GB of download bandwidth since the project started.||10||As of the AustinTerrier release (the current) all the tools were updated to the latest versions and several were either compiled from the latest available source or pulled from SVN.|
|3/24/2009 10:40:11||Rogan Dawes <firstname.lastname@example.org>||Project Owner||WebScarab||Tools||http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project||email@example.com||GNU General Public License v2 (GPLv2)||OWASP-Proxy||A current version is always available||A current version is always available||GIT on my personal site||http://dawes.za.net/gitweb.cgi?p=rogan/webscarab/webscarab.git;a=summary||I prefer to use git as a VCS due to its offline capability, speed and flexibility.|
Now that SF is providing GIT hosting, I would be happy to push a copy of the repo there whenever I make any updates. This requires that the OWASP admins enable GIT hosting for the OWASP project
|Autumn of Code (2006)||Yes||Release||9||I think technically, it does what is required without any problems.||7||It could do with a thorough going over, particularly the User Interface. There are a number of things which are not intuitively obvious.||8||One of the oldest and most popular OWASP projects||8||I think it is still very relevant, even though there are now more and more competing tools.|
|3/24/2009 10:52:11||Rogan Dawes <firstname.lastname@example.org>||Project Owner||OWASP-Proxy||Tools||http://www.owasp.org/index.php/Category:OWASP_Proxy||email@example.com||GNU General Public License v2 (GPLv2)||OWASP-WebScarab|
|Yes, the project is actively maintained.||A current version is always available||A current version is always available||GIT on my personal site||http://dawes.za.net/gitweb.cgi?p=rogan/owasp-proxy/owasp-proxy.git;a=summary||I prefer to use git as a VCS due to its offline capability, speed and flexibility.|
Now that SF is providing GIT hosting, I would be happy to push a copy of the repo there whenever I make any updates. This requires that the OWASP admins enable GIT hosting for the OWASP project
|Yes||Unrated||1||The project is still very new, and is untested in the field||4||The project is still very new, and is untested in the field||1||The project is still very new, and is untested in the field||8||I think it is relevant as a component of new and innovative tools built on top of it.|
|3/25/2009 14:29:27||Carlo Pelliccioni <firstname.lastname@example.org>||Project Owner||Backend Security||Documentation||http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project||email@example.com||Creative Commons Attribution ShareAlike 3.0||Testing Guide||Yes, the project is actively maintained.||1.0 beta||11/3/2008||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_Backend_Security_Project||Summer of Code (2008)||Yes||Beta||7||The Backend Security is a beta project but several sections are very close to the release version. However there are 2/3 sections not adequate to the high OWASP standards.||9||The guide is composed of 183 pages. The project is focused on security development, security hardening and security testing, explaining step-by-step how to resolve security issues, so it is very useful to different kinds of IT professional figures.||9||The project is focused on security development, security hardening and security testing, explaining step-by-step how to resolve security issues, so it is very useful to different kinds of IT professional figures.||9||The main focus on web application security is oriented on the backend field; the current version of the Backend Security Project collects information about DBMS security, but in the next version several sections about the LDAP components will also be added. So I think it will be a good point of reference for developers, testers and system integrators.|
|3/26/2009 14:19:32||Alessio Marziali <firstname.lastname@example.org>||Project Owner||OWASP Code Crawler||Tools||http://www.owasp.org/index.php/Category:OWASP_Code_Crawler||owasp-code-crawler(at)lists.owasp.org||Creative Commons Attribution ShareAlike 3.0||OWASP Code Review Project||Yes, the project is actively maintained.||2.1||3/1/2009||my website||http://www.cyphersec.com/software_archive/OWASP_Code_Crawler.zip||Summer of Code (2008)||Yes||Beta||8||Has passed the BETA quality. Eoin Keary and Paulo Coimbra could confirm.||9||There is a two-week task to be completed.||7||It can scan .NET and Java, currently implementing PHP.||7||Sister project of Code Review.|
|3/26/2009 23:15:49||Federico Casani <email@example.com>||Project Owner||OWASP Learn About Encoding Project||Tools||https://www.owasp.org/index.php/Category:OWASP_Learn_About_Encoding_Project||https://lists.owasp.org/mailman/listinfo/owasp-learn-about-encoding||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||the project is very very young and it is still in "incubation"||Google Code (tools)||http://code.google.com/p/learn-about-encoding/||This is the future repo of code: it's empty now.||Yes||Alpha||2||This is a very very young project, now we cannot rate the quality of it.||2||This is a very very young project, now we cannot rate the usability of it.||2||This is a very very young project, now we cannot rate the usage of it.||2||This is a very very young project, now we cannot rate the relevance of it.|
|3/30/2009 9:11:43||Heiko Webers <firstname.lastname@example.org>||Project Owner||Ruby on Rails Security Guide||Documentation||http://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2||OWASP-Ruby-on-Rails-V2@lists.owasp.org||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||OWASP Wiki, book, official Ruby on Rails site||http://www.rorsecurity.info/the-book/||The official Rails site wants its own corporate design||Spring of Code (2007), Summer of Code (2008)||Yes||Release||7||There are still quite some topics I should cover so it would be a fully-fledged guide. However the content provided is good, helpful and more than just the basics.||6||We should get the standard vulnerability explanations in. It's hard to say which expert level you need for the understanding. The guide is problem-based though, which makes it highly usable in every-day programming life.||7||It is widely used by nearly every Rails programmer. It's the only security guide for Ruby on Rails.||8||The project is highly active and very wide-spread. Everyone who takes security seriously reads the book. It should really be kept up-to-date.|
|3/31/2009 8:52:06||Paolo Perego <email@example.com>||Project Owner||Owasp Source code flaws Top 10||Documentation||http://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project||firstname.lastname@example.org||Creative Commons Attribution ShareAlike 3.0||Owasp Code review guide|
Owasp Code crawler
|Yes, the project is actively maintained.||none yet||none yet||OWASP Wiki (documentation)||http://www.owasp.org/index.php/OWASP_Source_Code_Flaws_Top_10_Project_Index||Yes||Unrated||1||I started this "little top 10" project last December and I'm working on it in the very little time Orizon leaves me... so we're quite at the beginning||2||The Top 10 index has been released but it can be improved with detailed descriptions and source code that falls in the flaw's category||10||Potentially this Top 10 can be used by any Code review guide related project to describe how to organize code review findings.||8||I think that using the classic Top 10 to organize findings is not enough and something specific to source code must be used instead.|
Since code review is cutting edge in the IT security field nowadays, I think that those categories can be considered cutting edge as well.
|3/31/2009 16:51:00||Juan C Calderon <email@example.com>||Project Owner||OWASP Internationalization Project and OWASP Spanish Project||Documentation||http://www.owasp.org/index.php/OWASP_Internationalization, http://www.owasp.org/index.php/OWASP_Spanish||owasp-spanish(at)lists.owasp.org, mailto:OWASP-Internationalization-Guidelines(at)lists.owasp.org||Creative Commons Attribution ShareAlike 3.0||OWASP Internationalization Project and OWASP Spanish Project respectively||Yes, the project is actively maintained.||no version in general as documentation translated has its own version||9/15/2008||OWASP Wiki (documentation)||http://www.owasp.org/index.php/OWASP_Internationalization, http://www.owasp.org/index.php/OWASP_Spanish||Summer of Code (2008)||Yes||Beta||7||Most of the documentation is usable and working for current translation, we have faced no major issues during translations but still the internationalization documentation does not consider all the major language families.||10||There are complete guidelines on how to make translations and for the Spanish project there is a full document of considerations for the translation including organization of a translation effort for this language||2||Although there is interest from people from Brazil and France to start translations of the OWASP web site and documentation, there are no formal communities that use it and maintain it except for the Spanish one.||7||For OWASP "spreading the word about application security" is its mission, having documentation and tools in native languages will definitely boost the adoption of them. Although many people on the internet know/speak English and I think that producing new documentation and tools is more important than translating them|
|3/31/2009 17:01:34||Juan C Calderon <firstname.lastname@example.org>||Project Owner||OWASP Classic ASP Security Project||Tools||http://www.owasp.org/index.php/Classic_ASP_Security_Project||OWASP-Classic-ASP-Security-Project(at)lists.owasp.org||BSD License||OWASP Stinger Project|
OWASP Enterprise Security API (ESAPI) Project
OWASP Code Review Project
OWASP Validation Documentation Project
|Yes, the project is actively maintained.||Alpha version no release number||3/16/2009||OWASP Wiki (Tools)||http://www.owasp.org/index.php/Classic_ASP_Security_Project||Google Code repository has not yet been created so we are hosting on wiki pages as zip files||Summer of Code (2008)||Yes||Alpha||5||Stinger version is actually beta level (not release just for lack of spread but documentation is ready to release level). ESAPI implementation on the other hand is just Alpha level, ESAPI .NET could be used as alternative documentation given that the Classic ASP is based on it, though. Other changes to code review tool and code review guide are implemented on those documents/tools and correspond to its quality level.||7||Everything is fully functional and documented except for Classic ASP ESAPI, there is no installer for Classic ASP yet and we are lacking some specific documentation.||2||Given the novelty and maturity level it is not much used so far, but I expect a boom once it is at least in beta version and we start promoting it on forums||9||There is nothing like this for Classic ASP so far not even from the vendor (MS), all the existing tools are very specific like SQL Injection Scanners, but there is no protection mechanism for such an old and widely used technology.|
|3/31/2009 23:58||email@example.com||Project Owner||OWASP .NET||Documentation||http://www.owasp.org/index.php/Category:OWASP_.NET_Project||https://lists.owasp.org/mailman/listinfo/owasp-dotnet||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_.NET_Project||Summer of Code (2008)||No||One of the tenets of the project is to provide objective information regarding the technology. Specifically, projects with research elements that are related to .NET will need to remain objective. Sponsorship may open up the project for conflict of interest.||Release||8||The project has many articles and substantive, useful content. There are still placeholders for ongoing research and documentation. I consider this an expectation of the project as new technologies and areas of concern emerge.||8||OWASP .NET contains relevant documentation for all levels of web application and service security needs.||5||I do not have statistics or methodology and have not measured usage. This would be a great task for the project going forward.||8||OWASP .NET attempts to cover the gamut of the .NET web application and service space with best practice documentation to cutting edge research on emerging technologies.|
|4/1/2009 10:35||firstname.lastname@example.org||Project Owner||netbouncer||Tools||http://www.owasp.org/index.php/Category:OWASP_NetBouncer_Project||email@example.com||BSD License||It's still in Beta stage, not actively maintained but planned to be completed within 6-12 months.||Google Code (tools)||http://code.google.com/p/netbouncer/||Yes||Alpha||3||Some new *must* features need to be added|
All features should be tested
|4||Usage should be more developer friendly and hassle-free|
Documentation should be updated according to the latest code changes
It should be *almost* bug-free otherwise developers won't use it
It should integrate with IntelliSense (VS.NET and maybe SharpDevelop)
|1||It's still in Alpha therefore hasn't been pitched anywhere yet.||9||It's a new and secure way to approach input validation by taking advantage of the advanced features of the .NET Framework.|
|4/1/2009 22:38||firstname.lastname@example.org||Project Owner||Owasp Anti Malware||Tools||http://www.owasp.org/index.php/Category:OWASP_Anti-Malware_Project||email@example.com||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||Will be released in May||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_Project#Alpha_Status_Projects||Minded Security||Yes||Alpha||3||Still working on the project; the alpha version is going to be released at the end of the month.||2||This scorecard will be updated as soon as the main documents are released||2||This scorecard will be updated as soon as the main documents are released||8||Malware is very widespread; the aim of the project is to give the industry guidelines to improve Web defense strategy against banking malware.|
|4/2/2009 0:00||firstname.lastname@example.org||Project Owner||OWASP Testing Guide||Documentation||http://www.owasp.org/index.php/Category:OWASP_Testing_Project||https://lists.owasp.org/mailman/listinfo/owasp-testing||Creative Commons Attribution ShareAlike 3.0||OWASP Development Guide Project|
OWASP Code Review Project
OWASP ASDR Project
|Yes, the project is actively maintained.||v3||January 2009||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_Testing_Project||Autumn of Code (2006), Spring of Code (2007), Summer of Code (2008)||No||We already have a sponsor||Release||9||First version of the Testing Guide came out in 2004.|
Version 2 in 2006 (50 authors and 20 reviewers). Now we have the Testing Guide v3 that is the OWASP consolidated methodology for Web Application Penetration Testing. Many organizations adopt this guide as a standard to verify the security of their applications.
|9||We do a great brainstorming with the OWASP leaders and community to create a reference guide. Every control to test is fully described, and for each one we have the following standard template:|
Describe in "natural language" what we want to test. The target of this section is non-technical people (e.g.: client executive)
Description of the Issue
Short Description of the Issue: Topic and Explanation
Black Box testing and example
How to test for vulnerabilities:
Gray Box testing and example
How to test for vulnerabilities:
|9||I do not have a statistic, but I surely know that the Testing Guide is downloaded by many, many users, and bought at lulu.com.||9||The OWASP Testing Guide is cited here:|
- SANS Top 20 2007: http://www.sans.org/top20/?ref=1697#c1
- NIST “Technical Guide to Information Security Testing (Draft)”
- Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” - http://www.owasp.org/index.php/Podcast_5
- "Congratulations on version 2 of the OWASP Testing Guide! It is an impressive and informative document that will greatly benefit the software development community."
Joe Jarzombek, the Deputy Director for Software Assurance at Department of Homeland Security
- "You guys did a pretty good job and I will recommend this guide to anyone who is looking for learning about Web Application Security."
Petko D. Petkov (PdP Architect )
|4/2/2009 16:59:29||Matthew Chalmers <email@example.com>||Project Contributor||OWASP Certification Project||Documentation||https://www.owasp.org/index.php/Category:OWASP_Certification_Project||firstname.lastname@example.org||undecided||OWASP Education Project|
OWASP Career Development Project
OWASP SASAP Project
OWASP Certification Criteria Project
bits and pieces of others
|PM instructed at OWASP Summit to pause project to consider licensing aspects.||n/a||n/a||Wiki plus test delivery methods.||https://www.owasp.org/index.php/Category:OWASP_Certification_Project||Spring of Code (2007)||No||Probably do not want to appear anything other than completely vendor-neutral.||Unrated||1||Still really in a 'brainstorming' and discussion mode. Nothing has really been set in stone. Still struggling with how to keep things "open" in the spirit of OWASP without jeopardising test integrity.||1||We have some of our ideas posted on the wiki but it should be understood nothing is set in stone.||1||The project deliverables (tests) do not exist therefore there is no usage possible yet.||8||Few if any other similarly specialised certifications available in industry.|
|4/8/2009 23:05:13||Eduardo Neves <email@example.com>||Project Owner||Positive Security||Documentation||http://www.owasp.org/index.php/Category:OWASP_Positive_Security_Project||firstname.lastname@example.org||None yet||OWASP Corporate Application Security Rating Guide||Yes, the project is actively maintained.||0||Never||OWASP Wiki (documentation)||https://www.owasp.org/index.php/Positive_Security_Project||Summer of Code (2008)||Yes||Unrated||1||Should be updated in the next months, the plan is to get everything ready by the end of 2009.||1||Should be updated in the next months, the plan is to get everything ready by the end of 2009.||1||Should be updated in the next months, the plan is to get everything ready by the end of 2009.||5||Should be updated in the next months, the plan is to get everything ready by the end of 2009. When ready, the content should be very useful for the community.|
|4/19/2009 18:04:17||Bedirhan Urgun||Project Owner||SqliBench||Tools||http://www.owasp.org/index.php/Category:OWASP_Sqlibench_Project||mailto:email@example.com||GNU General Public License v2 (GPLv2)||9/28/2009||Google Code (tools)||http://code.google.com/p/sqlibench/||Summer of Code (2008)||No||Beta||6||I think the quality of the documents produced is sufficient.||7||-||3||-||6||sqli will lose its importance as time passes, however, there are tons of sqli data extractor tools and they need to be benchmarked.|
|4/19/2009 18:59||firstname.lastname@example.org||Project Owner||Code review guide||Documentation||http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents||Owaspemail@example.com||Creative Commons Attribution ShareAlike 3.0||Code Crawler, Orizon||Yes, the project is actively maintained.||1.1||3/20/2009||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project||It's available||Summer of Code (2008)||Yes||Release||8||Need to align with ASVS and add more content.||8||Usable and good feedback on this.||7||2nd Best seller in 2008||9||Very, as SDLC is more and more prominent|
|4/20/2009 1:59:12||Michael Scovetta <firstname.lastname@example.org>||Project Owner||Yasca||Tools||www.yasca.org (or http://www.owasp.org/index.php/Category:OWASP_Yasca_Project)||email@example.com||BSD License||OWASP Orizon Project|
OWASP Code Review Project
OWASP Open Review Project
|Yes, the project is actively maintained.||2.0 (beta 1)||4/12/2009||SourceForge (tools)||http://sourceforge.net/projects/yasca/||Yes||Release||7||The project still requires a bit of "brush up" in terms of embedded documentation for plugins (shown to normal users) and testing on more platforms.||7||There is a slightly dated user guide and information on the wiki, but a full developer's guide has not yet been produced.||7||The project is mainly geared towards developers and mature organizations that can implement the tool within their SDLC. It is not "point and click" and requires a bit of context-specific knowledge.||9||Open source static analysis is on the forefront, and Yasca contributes to this space by addressing the "low hanging fruit"-style vulnerabilities, as well as serving as an aggregator for other tools to produce a common output file.|
|4/20/2009 2:08:08||Jeff Williams||Project Owner||ESAPI||Tools||http://www.owasp.org/index.php/ESAPI||mailto:firstname.lastname@example.org||BSD License||Yes, the project is actively maintained.||1.4||11/2008||Google Code (tools)||http://code.google.com/p/owasp-esapi-java/||Yes||Release||10||PMD, FindBugs, Ounce, Fortify, SwingSet, tested||6||Book started, SwingSet||3||Decent publicity, not a lot of real use yet||10||Standard controls takes much of the software security burden off of developers|
|4/20/2009 2:26:18||Jeff Williams <email@example.com>||Project Owner||Legal||Documentation||http://www.owasp.org/index.php/Legal||none||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||OWASP Wiki (documetation)||http://www.owasp.org/index.php/Legal||Yes||Release||10||Fully copied by SANS and the State of NY||10||Has a built-in tailoring guide.||3||I believe this is the leading appsec contract language anywhere. However, there doesn't seem to be much demand for such a thing...yet.||10||Everyone seems to think this is something that people need.|
|4/20/2009 2:32:15||Jeff Williams <firstname.lastname@example.org>||Project Owner||Top Ten||Documentation||http://email@example.com||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||2007||4/1/2007||OWASP Wiki (documentation)||http://www.owasp.org/index.php/topten||No||Too political||Release||10||in wide use||10||in wide use||10||in wide use||7||the usefulness of top ten lists is waning, but still critical for organizations just getting started|
|4/21/2009 15:55||firstname.lastname@example.org||Project Contributor||Best Practices: Use of Web Application Firewalls||Documentation||https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls||email@example.com||CC 2.0||Yes, the project is actively maintained.||1.0.2||OWASP Wiki (documentation)||https://www.owasp.org/index.php/Best_Practices:_Web_Application_Firewalls||No||the project is about comparing products (WAF), hence any sponsorship must not be related to a vendor (even though some have contributed to the paper)||Release||10||it's a white paper||10||it's a white paper||6||it's a white paper||10||it's a white paper|
|4/26/2009 6:32:29||Pravir Chandra <firstname.lastname@example.org>||Project Owner||OWASP CLASP Project||Documentation||http://www.owasp.org/index.php/CLASP||email@example.com||Creative Commons Attribution ShareAlike 3.0||SAMM Project||Yes, the project is actively maintained.||2||2005||OWASP Wiki (documentation)||http://www.owasp.org/index.php/CLASP||No||CLASP isn't under active development anymore since the last release||Beta||10||The last release was professionally edited and reviewed by a tech writer. It was released as a free commercial methodology before it was open sourced and donated to OWASP||9||It's assembled and organized and complete in terms of the content it set out to define.||7||While not directly being used right out of the box, CLASP is well known in the industry and is well referenced and reviewed.||7||It's been out for a while so it's a bit dated in its approach, yet still very applicable. Projects like SAMM reflect more modern-day thinking on the subject, however.|
|4/26/2009 6:42:18||Pravir Chandra <firstname.lastname@example.org>||Project Owner||Software Assurance Maturity Model (SAMM) Project||Documentation||http://www.owasp.org/index.php/SAMM||email@example.com||Creative Commons Attribution ShareAlike 3.0||OWASP CLASP Project||Yes, the project is actively maintained.||1||3/20/2009||download PDF from opensamm.org||http://www.opensamm.org||I needed a standalone site to gain such features as project-specific RSS feeds and greater control of content and layout than mediawiki on owasp.org could provide.||Fortify||Yes||Unrated||10||The latest release (1.0) marked the transition from the SAMM beta release. It's been reviewed by experts and it's ready for use.||10||Special care was given to ensuring the materials flowed well and that content was easily understandable and accessible in the latest release.||3||SAMM is still very new, and while there have been pockets of buzz about it, it's still a bit far from being in wide use.||10||This represents the modern-day thinking on building security into the software development process.|
|4/27/2009 12:24||firstname.lastname@example.org||Project Reviewer||AntiSamy .NET Project||Tools||http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET||https://lists.owasp.org/mailman/listinfo/owasp-antisamy||BSD License||OWASP AntiSamy Project|
AntiSamy.NET was a direct port of the Java version of AntiSamy to .NET (C# language)
|Yes, the project is actively maintained.||r93 in Google Code||3/15/2009||Google Code (tools)||http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet||Summer of Code (2008)||Yes||Release||10||The original, Java version of AntiSamy has a "release" level quality, and my project's .NET version fully implements all of the existing functionality of that release. We have performed unit testing throughout our development, and the project has passed every single test. In addition, there is a working implementation hosted on www.antisamy.net, which allows users to perform their own testing.||9||There is a full, automatically generated documentation guide in CHM format available in the repository that includes all Class and Method docstrings describing their usage, input, and output parameters.||8||Usage of AntiSamy.NET in production applications is unknown, however we do know some rough estimates for the Java version, and I based my rating on those numbers.||10||There are many business reasons for accepting HTML input, and the past mantra of "entity output encoding all user input" cannot be applied. Many sites have legitimate reasons for accepting HTML formatted content, and using a library like AntiSamy allows them to do so safely, without reinventing the wheel and experiencing the same mistakes again and again. AntiSamy provides developers and businesses a solution, with a friendly license (BSD) for immediate adoption in their project. Time to implement is minimal, and from our experience, the policy file takes the longest to create, as it defines what HTML content it will accept, and which it will reject.|
|4/27/2009 20:05:30||Christian Martorella||Project Owner||WebSlayer||Tools||http://www.owasp.org/index.php/Category:OWASP_Webslayer_Project||https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project||GNU Lesser General Public License v3 (LGPLv3)||Yes, the project is actively maintained.||Beta||11/1/2008||Google Code (tools)||http://code.google.com/p/webslayer/||www.edge-security.com||No||I would like www.edge-security.com to be the sponsor of the tool.||Alpha||8||-GUI|
-Full options available
-Win32 executable, osx and linux source code
|5||-Improve documentation with examples|
-Cover all possible use cases
-Document the payload generation
|7||-The tool aims to cover all possible brute forcing scenarios, from directory and file discovery, password cracking to parameter brute forcing.||6||- The tool is useful in all web application assessments, there is always something that could be brute forced. The tool is nothing cutting edge, but it was the first tool to represent the results in the way WebSlayer does. It's not a tool for one shot, it was developed for professional users, with session and request/response saving, filtering, etc.|
|4/28/2009 0:21:14||Andrea Zonzin <email@example.com>||Project Owner||OWASP Learn About Encoding Project||Tools||http://www.owasp.org/index.php/Category:OWASP_Learn_About_Encoding_Project||firstname.lastname@example.org||Creative Commons Attribution ShareAlike 3.0||Yes, the project is actively maintained.||OWASP Wiki (documentation)||http://code.google.com/p/learn-about-encoding/||Yes||Unrated||1||the project has just begun.|
It's too young.
|1||the project has just begun.|
It's too young.
|1||the project has just begun.|
It's too young.
|1||the project has just begun.|
It's too young.
|4/28/2009 4:13:29||Arshan Dabirsiaghi <email@example.com>||Project Owner||AntiSamy||Tools||http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project||firstname.lastname@example.org||BSD License||OWASP AntiSamy .NET|
|Yes, the project is actively maintained.||1.3||3/19/2009||Google Code (tools)||http://code.google.com/p/owaspantisamy/downloads/list||Spring of Code (2007)||Yes||Release||10||For all the reasons it's a release-quality project:|
* it has regression testing
* no known xss vulnerabilities
* no known phishing vulnerabilities
* (relatively) performant
* used in production in many organizations
|6||There is not enough documentation to deserve a high rating. The basic use cases are out there in documentation, and demo code is available, but I wouldn't say there is an overwhelming amount of guidance available.||5||I have no raw data, but I happen to know through emails and interactions with customers that at least a few dozen production sites are using AntiSamy either alone or through ESAPI.||10||No other tool out there in .NET/Java that does what AntiSamy does. The HTMLPurifier project is the only competition, but it's in PHP.|
|4/28/2009 4:30:18||Arshan Dabirsiaghi <email@example.com>||Project Owner||Scrubbr||Tools||http://www.owasp.org/index.php/Category:OWASP_Scrubbr||firstname.lastname@example.org||BSD License||OWASP AntiSamy||Yes, the project is actively maintained.||Beta, no version specified (was taking the Google approach)||2/7/2009||Google Code (tools)||http://code.google.com/p/owaspscrubbr/downloads/list||Yes||Unrated||7||The tool works as intended but some parts should be rewritten due to hackiness. Also, maybe a custom AntiSamy policy for Scrubbr should be used in order to avoid false positives.||6||Produces a lot of false positives along with the true positives.||2||No raw data on usage - it's been reviewed by many different websites and it pulls a few hits on Google:|
|10||No other tool out there that performs this useful service.|
|4/28/2009 18:35:01||Alex Smolen||Project Owner||.NET ESAPI||Tools||http://www.owasp.org/index.php/ESAPI#tab=.NET||email@example.com||BSD License||ESAPI - Java|
ESAPI - PHP
|Yes, the project is actively maintained.||Not released||Google Code (tools)||http://code.google.com/p/owasp-esapi-dotnet/||Yes||Alpha||3||I am currently working on the next version of this project. It should improve the quality significantly and should be ready next month.||5||There is a help file that is fairly comprehensive. However, instructions for setting up/using the library in a real world application are minimal.||2||Not many people are using the project yet, because of the limited usability.||9||.NET is an extremely common technology, and the ESAPI project is strategically very important for OWASP.|
|4/29/2009 15:19||firstname.lastname@example.org||Project Owner||OWASP Skavenger||Tools||http://www.owasp.org/index.php/Category:OWASP_Skavenger_Project||Owaspemail@example.com||GNU General Public License v2 (GPLv2)||OWASP WebScarab Project|
OWASP WebGoat Project
OWASP Testing Guide
|Yes, the project is actively maintained.||0.6.2a||10/30/2008||SourceForge (tools)||https://sourceforge.net/projects/skavenger/||Summer of Code (2008)||No||Beta||8||Tested over the last months by several testers. Beta quality level was verified.||8||User guide published for the command-line interface only. User guide for the GUI in progress. The GUI is rather usable though.||3||Average download rate.||6||High relevance for pentesters only.|
|4/29/2009 16:46:08||Eric Sheridan <firstname.lastname@example.org>||Project Owner||OWASP CSRFGuard||Tools||http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project||https://lists.owasp.org/mailman/listinfo/owasp-csrfguard||GNU Lesser General Public License (LGPL v2)||CSRFTester||Yes, the project is actively maintained.||2.2 BETA||6/13/2008||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project||Yes||Beta||7||Need experience integrating the tool with more real-world enterprise applications. I've received a lot of positive feedback, but not a significant amount of hands-on experience integrating it.||8||Decent documentation, open source, standard J2EE component.||6||Need easier install and management capabilities (ex: managing the properties file).||9||Everyone has CSRF.|
|4/29/2009 16:49:52||Eric Sheridan <email@example.com>||Project Owner||OWASP CSRFTester||Tools||http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project||https://lists.owasp.org/mailman/listinfo/owasp-csrftester||GNU Lesser General Public License (LGPL v2)||CSRFGuard||Yes, the project is actively maintained.||1||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project||Yes||Alpha||5||The tool needs better documentation and installer capabilities, as well as support for a mutual SSL auth proxy.||6||Relatively intuitive interface but lacks documentation.||2||Not a lot of feedback regarding its use from the community. It's very easy to identify CSRF vulnerabilities - tools not required. The tool only helps build a complicated proof of concept.||9||Everyone has CSRF.|
|4/30/2009 17:17:07||Dmitry Kozlov <firstname.lastname@example.org>||Project Owner||Teachable Static Analysis Workbench||Tools||http://www.owasp.org/index.php/Category:OWASP_Teachable_Static_Analysis_Workbench_Project||email@example.com||GNU General Public License v2 (GPLv2)||LAPSE, Orizon, ESAPI||Yes, the project is actively maintained.||1.2.0||12/24/2008||Google Code (tools)||http://code.google.com/p/teachablesa/||Summer of Code (2008)||Yes||Beta||4||The project is usable, but there are some points of extension:|
* more types of vulnerabilities to check
* ship an already-taught environment
|8||There is a published user guide. Requires language polishing by a native speaker.||3||People mostly want not a teachable environment, but an already-taught static analysis tool. So, we need further development.||8||Very relevant.|
|4/30/2009 17:25:46||Dmitry Kozlov <firstname.lastname@example.org>||Project Contributor||Application Security Tool Benchmarking Environment and Site Generator||Tools||http://www.owasp.org/index.php/Category:OWASP_Application_Security_Tool_Benchmarking_Environment_and_Site_Generator_Refresh_Project||email@example.com||GNU General Public License v2 (GPLv2)||Yes, the project is actively maintained.||2.0.3||3/14/2009||Google Code (tools)||http://code.google.com/p/osg2/||Summer of Code (2008)||Yes||Alpha||4||Not fully finished. It was not reviewed in time during SoC 2008, which is why it was not finished in the proposed timeframe.||5||Published user guide,|
missing developer's guide
|2||I think it should be finished first.||6||This is a tricky area of benchmarking security tools. This project has strong commercial competitors: the Hacme* series of vulnerable apps from Foundstone.|
|4/30/2009 17:31:48||Dmitry Kozlov <firstname.lastname@example.org>||Project Contributor||Python Static Analysis Project||Tools||http://www.owasp.org/index.php/Category:OWASP_Python_Static_Analysis_Project||Owasp-Python-Static-Analysis@lists.owasp.org||GNU General Public License v2 (GPLv2)||Pixy (not at OWASP)||Yes, the project is actively maintained.||0.1||6/16/2008||Google Code (tools)||http://code.google.com/p/owasp-python-static-analysis/||Summer of Code (2008)||Yes||Alpha||1||Still in development.||1||Minimal documentation.||1||Not ready for wide-scale use.||10||It is the only open source Python static security analysis tool.|
|5/1/2009 4:45:56||Jason Li <email@example.com>||Project Owner||JSP Testing Tool||Tools||http://www.owasp.org/index.php/Category:OWASP_JSP_Testing_Tool_Project||firstname.lastname@example.org||BSD License||Yes, the project is actively maintained.||0.5||6/29/2008||Google Code (tools)||http://code.google.com/p/owasp-jsp-testing-tool/||Summer of Code (2008)||No||The project is not mature enough to be suitable for industry partnership.||Beta||2||The project does not exercise tag library components as thoroughly as I would like.||2||There is an Ant build file which automates some running of the application. However, the nature of TLDs is not concrete enough to capture all the details necessary to adequately exercise tag libraries. As a result, there's a lot of customization that must be done to test a tag library, and there is limited documentation and capability to account for using this tool outside of the original test bed of JSF components.||1||To my knowledge, this project does not have any active users.||5||The project concept is intriguing and has generated interest, as people love the idea of a tool that they can just point and click and determine security. However, my continuing concern is the feasibility of such tools.|
|5/4/2009 16:55:24||Alberto Pastor Nieto <email@example.com>||Project Contributor||Wapiti||Tools||http://www.owasp.org/index.php/Category:OWASP_Wapiti_Project||https://lists.owasp.org/mailman/listinfo/owasp-wapiti-project||GNU General Public License v2 (GPLv2)||ICT-Romulus (http://www.ict-romulus.eu)||Yes, the project is actively maintained.||2.1.0||4/5/2009||SourceForge (tools)||http://sourceforge.net/projects/wapiti/||We have had the code and the releases there since the first version.||No||We need to discuss this issue.||Alpha||7||Mature development.|
Now, some new functionalities are being implemented in order to create a more complete tool.
|6||It's a console tool, with its related inconveniences.||7||The number of downloads from SourceForge is growing (more than 20,700).||6||We think it is relevant because it combines a web crawler with black-box testing, so it is an almost-complete automatic tool. Run, wait and obtain the results!|
|5/8/2009 21:51||firstname.lastname@example.org||Project Owner||OWASP AIR Security Project||Documentation||http://www.owasp.org/index.php/Category:OWASP_AIR_Security_Project||N/A||Creative Commons Attribution ShareAlike 3.0||OWASP Flash Security Project||Yes, the project is actively maintained.||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_AIR_Security_Project||No||The project is not at a state where it can effectively apply the resources from another partner. When additional partnership is required, I can most likely obtain additional resources from Adobe. This can free up OWASP to apply its industry resources to other critical projects.||Alpha||7||The information on the page is accurate and kept up to date, providing links to videos, presentations, papers and official documentation. From that perspective, it is usable today. The project could be improved by providing more OWASP original resources in addition to providing links to external resources. It is also planned to better integrate the information into existing OWASP resources.||7||The website provides clear and accurate links to additional information and resources. The usability could be improved by providing more original OWASP content to better guide the user to appropriate documentation, as well as integrating into existing OWASP references.||7||The project and Adobe AIR are still relatively young, so I doubt the usage is extremely high. I do not have access to statistics for the web page. In a Google search for "Adobe AIR Security", it comes up as the 21st result out of hundreds of results.||8||AIR is a technology that is being adopted by several large corporations such as Amazon, eBay and others. AIR is a strong contender in the RIA space. It is continuing to grow in functionality, supported platforms and adoption.|
|5/8/2009 23:41||email@example.com||Project Owner||OWASP Flash Security Project||Documentation||http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project||N/A||Creative Commons Attribution ShareAlike 3.0||OWASP AIR Security Project||Yes, the project is actively maintained.||OWASP Wiki (documentation)||http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project||No||The project is not at a level where it can effectively apply industry resources. If resources become necessary, I may be able to get them from Adobe. This will allow OWASP to apply industry resources to other critical projects.||Beta||8||This project provides tools, videos, presentations and references on Flash security. It cross-links with existing OWASP projects. The project can be further enhanced with more original OWASP content and an update of SWFIntruder.||8||The site is a web page with straightforward links to resources. It could be improved by better organizing the page and providing more original OWASP content.||8||I do not have usage statistics for the web page. However, security research in general has been increasing in the RIA space, and specifically with regards to SWF content, so I see this resource growing in the future.||9||Flash is one of the most widely deployed technologies on the web and is critical to many leading websites. There is an increasing amount of research surrounding the platform. Having a centralized resource for tools and information is critical for many website owners.|
|5/19/2009 18:12:29||Lawrence Angrave <Lawrence_Angrave@yahoo.co.uk>||Project Owner||insecurewebapp||Tools||http://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project||https://lists.owasp.org/pipermail/webappsec/||Apache License 2.0||WebGoat||1||4/27/2005||SourceForge (tools)||http://insecurewebapp.sourceforge.net/main/index.html||No||This project is complete and small. It would not benefit from additional development!||Release||7||The insecurewebapp is a small, mature, reliable project. There is no current requirement or interest in adding additional features. It provides a platform to allow Java developers to review a small codebase, look for common vulnerabilities and attempt to exploit them.||8||This is tricky to answer - the project is a realistic, typical but small and complete database-driven web application. There are deliberately few additional commentaries. Additional documentation would reduce the realism of the web app.||8||This is tricky to answer - the project is a realistic, typical but small and complete database-driven web application. There are deliberately few additional commentaries. Additional documentation would reduce the realism of the web app.||8||The project uses very simple JSP pages in a naive manner. These are hardly representative of real enterprise applications, but this is necessary because we want this project to be small and independent of a particular Java web app platform (Spring/Faces/Struts etc.), and we chose a technology that all Java web developers would understand.|
This project serves a similar need to WebGoat. The difference is that WebGoat is a complete training environment. Insecurewebapp is just that - an insecure web application which can be completely reviewed from the front end _and_ the source code back end too.