Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP OWASP Code Crawler Alessio Marziali Owasp Code Crawler Project Leader Linksfield Technologies Ltd 06 Nov 2008

OWASP 2 Who am I  8+ years experienced Web Developer  Author of the following books:  ASP. NET. “Alla scoperta della tecnologia microsoft per lo sviluppo web”  ASP.NET 3.5. “I nuovi orizzonti della tecnologia Microsoft per lo sviluppo web”  Penetration Tester  Clients: Finance, Internet Service Providers, Government  33+ Advisories in the last year  OWASP Code Crawler Project Leader  Web Developer at Linksfield Technologies Ltd

OWASP 3 Where I’m working  High-tech consultancy and software development house  Headquartered in London  9 years old  20+ staff  Clients in private and public sectors  Microsoft Gold Certified Partner  Custom Development  Data Management  Business Process & Integration  Small Business Server  IBM Business Partner  Specialists in Business Process Automation and Systems Integration  Strong Financial services sector experience

OWASP 4 OWASP Code Crawler  Built using Visual Studio 2008, C# 3.0  Lightweight and ready to use  Standard Runtime is just <6Mb, can run from USB sticks!  Multi Platform  Designed for Windows, runs under MONO too  Open Source  Source Code is freely available  Click and Go  No Installation, No Requirements, Download and Run

OWASP 5 What it does  Automated Security Code Review using  OWASP Code Review  Will “scan” source code for well known vulnerability issues  Users can affect the behaviour of the application adding or removing items into the application by simply editing the relative XML File.  OWASP Orizon Project (spring 2009)  Working close with Paolo Perego, OWASP Orizon Project Leader while trying to integrate Orizon (Java) with Code Crawler (.NET)

OWASP 6 OWASP Code Review Integration

OWASP 7 Performances and functionalities  Fast Scan  1000~ lines of code (~ 3 seconds to review)  Multi Languages Support .NET (C#,VB, don’t say F#!)  Java  Integrated Editor  Visual Studio Like visualisation  C# Code colouring  Even “#region” are supported

OWASP 8 Source Code Preview

OWASP 9 Reporting  Users can perform automated security code review and generated well formatted reports using OWASP or companies template.  HTML  PDF (90%)  Office Word (70%)  Comes with 2 pre-built xslt/xml templates.

OWASP 10 Reporting (XSLT Templates)

OWASP 11 Team Management  Send Security Code Reviews by without leaving the application.  Planning Code Reviews with Code Review Manager

OWASP 12

OWASP 13 Integrated OWASP Brower  Built around OWASP  Guides  Wiki  Tools Are available within the application in just a click.

OWASP 14

OWASP 15 Everything is XML  Everything (from the core to functionalities) relies on XML files as  Data Storage  Configuration settings  Presentation (reports)

OWASP 16 Coding Code Crawler  We try to keep the code organised and easy to maintain. Below some examples on how the core of the application is coded (namespaces).  OWASP.CodeReview.CodeCrawler.Database.DatabaseObject (will load the Code Review Project Engine)  OWASP.CodeReview.CodeCrawler.Functionalities. s ( Functionality)  OWASP.CodeReview.CodeCrawler.Functionalities.VisualStudio (Visual Studio Integration)

OWASP 17 The future of OWASP Code Crawler  OWASP Orizon Project  Never outdated reviews  Code Review Keypointers database will be moved into a web service, at runtime the application will check if the users has the latest version of database, if not it will proceed with the download.  More Templates  More Languages supported

OWASP 18 Live Demonstration

OWASP 19 Q/A