The Owasp Orizon Project

1. The Owasp Orizon Project • Paolo Perego, thesp0nge@owasp.org • Project Leader

2. Overview • Project started in 2006 • Another opensource alternative in source code static analysis • Not only a tool but a static analysis framework • Completely rewritten in the last 9 months • Web exposure boosted after Owasp AppSec NYC’08 last september

3. Objectives • Provide a set of APIs that anyone can use in a source code static analysis tool • Provide a set of security checks to be applied to source code • Knowledge is open here, so only opensourced security checks will be included • Best of breed best practices • Owasp Code Review Guide • Cigital Java Security Rulepack (http://www.cigital.com/securitypack/view/index.html) • Custom written security checks • Language independent • Use XML as meta-language to describe source code • Apply security checks to the XML interpreted language

4. Status and Future Steps • Project reached version 1.0 • Now the real fun is going to start • Usable • To perform basic code reviews • To build security tools • Fancy • Very basic GUI • Mac OS X standalone application • Near future (end 2008): version 1.2 • Security library to be consolidated with more checks • GUI improvement • Mid term future (2Q 2009): version 1.4 • Integration with: • Code Crawler (Alessio Marziali) • O2 (Dinis Cruz) • Java Bytecode security code review

5. Closing • 2009, the turning away year • Library will be almost complete • Standalone application will be released for Win32 and Unix too • A network of great security related tools • O2 • Code Crawler • Marketing • Blog (http://orizon.sf.net/blog) • Twitter usage (check OWASPOrizon user) • AppSecs (Poland ‘09, …) • Recruiting developers • Thanks • For the criticisms • For the support • For believing http://orizon.sourceforge.net thesp0nge@owasp.org