
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Presentation transcript:

Slide 1: Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
OWASP Code Crawler
Alessio Marziali, OWASP Code Crawler Project Leader, Linksfield Technologies Ltd, Alessio.marziali@cyphersec.com
06 Nov 2008

Slide 2: Who am I
- 8+ years experienced Web Developer
- Author of the following books:
  - ASP.NET. “Alla scoperta della tecnologia Microsoft per lo sviluppo web”
  - ASP.NET 3.5. “I nuovi orizzonti della tecnologia Microsoft per lo sviluppo web”
- Penetration Tester
- Clients: finance, Internet service providers, government
- 33+ advisories in the last year
- OWASP Code Crawler Project Leader
- Web Developer at Linksfield Technologies Ltd

Slide 3: Where I’m working
- High-tech consultancy and software development house
- Headquartered in London
- 9 years old
- 20+ staff
- Clients in private and public sectors
- Microsoft Gold Certified Partner: Custom Development, Data Management, Business Process & Integration, Small Business Server
- IBM Business Partner
- Specialists in Business Process Automation and Systems Integration
- Strong financial services sector experience

Slide 4: OWASP Code Crawler
- Built using Visual Studio 2008, C# 3.0
- Lightweight and ready to use: standard runtime is just <6Mb, can run from USB sticks!
- Multi-platform: designed for Windows, runs under Mono too
- Open source: source code is freely available
- Click and go: no installation, no requirements, download and run

Slide 5: What it does
- Automated security code review using OWASP Code Review
- Will “scan” source code for well-known vulnerability issues
- Users can change the behaviour of the application, adding or removing items, by simply editing the relevant XML file.
- OWASP Orizon Project (spring 2009): working closely with Paolo Perego, OWASP Orizon Project Leader, on integrating Orizon (Java) with Code Crawler (.NET)

Slide 6: OWASP Code Review Integration

Slide 7: Performance and functionality
- Fast scan: ~1000 lines of code in ~3 seconds
- Multi-language support: .NET (C#, VB; don’t say F#!), Java
- Integrated editor: Visual Studio-like visualisation, C# code colouring, even “#region” is supported

Slide 8: Source Code Preview

Slide 9: Reporting
- Users can perform automated security code review and generate well-formatted reports using the OWASP template or a company’s own template.
- HTML
- PDF (90%)
- Office Word (70%)
- Comes with 2 pre-built XSLT/XML templates.

Slide 10: Reporting (XSLT Templates)

Slide 11: Team Management
- Send security code reviews by email without leaving the application.
- Plan code reviews with the Code Review Manager

Slide 12: (no transcript text)

Slide 13: Integrated OWASP Browser
- Built around OWASP: guides, wiki and tools are available within the application in just a click.

Slide 14: (no transcript text)

Slide 15: Everything is XML
- Everything (from the core to the functionalities) relies on XML files, used as:
  - Data storage
  - Configuration settings
  - Presentation (reports)
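Slides 5 and 15 describe the same design: the review rules (“keypointers”) live in an XML file that a user can edit, and the scanner applies them to source text. The following is an added example of that pattern in C# 3.0, written for this page; it is not Code Crawler’s own code. The XML schema (a `<keypointers>` root with `<keypointer>` elements carrying `id`, `category` and `language` attributes and `<pattern>`/`<description>` children), the rule ids and the sample source being reviewed are all constructed for the example.

```csharp
// Added example: a minimal XML-driven keypointer scanner in the spirit of
// OWASP Code Crawler (not the project's own code). The rule file format,
// element names, rule ids and the sample C# snippet are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

namespace KeypointerScanDemo
{
    // One rule loaded from the XML file: what to look for and what it means.
    public class Keypointer
    {
        public string Id;
        public string Category;
        public string Language;
        public Regex Pattern;
        public string Description;
    }

    // One hit: which rule fired and where, so a reviewer can jump to the line.
    public class Finding
    {
        public string RuleId;
        public int LineNumber;
        public string LineText;
        public override string ToString()
        {
            return string.Format("[{0}] line {1}: {2}", RuleId, LineNumber, LineText.Trim());
        }
    }

    public static class Scanner
    {
        // Rules come from XML so reviewers can add or remove checks
        // without rebuilding the tool (assumed schema, not Code Crawler's).
        public static List<Keypointer> LoadRules(string xml)
        {
            XDocument doc = XDocument.Parse(xml);
            return doc.Root.Elements("keypointer")
                .Select(k => new Keypointer
                {
                    Id = (string)k.Attribute("id"),
                    Category = (string)k.Attribute("category"),
                    Language = (string)k.Attribute("language"),
                    // Case-insensitive: the rules target identifiers, not exact text.
                    Pattern = new Regex((string)k.Element("pattern"), RegexOptions.IgnoreCase),
                    Description = (string)k.Element("description")
                }).ToList();
        }

        // Walk the source line by line and record every rule hit with its line number.
        public static List<Finding> Scan(string source, IEnumerable<Keypointer> rules, string language)
        {
            var findings = new List<Finding>();
            string[] lines = source.Split(new[] { "\r\n", "\n" }, StringSplitOptions.None);
            for (int i = 0; i < lines.Length; i++)
            {
                foreach (Keypointer rule in rules)
                {
                    if (rule.Language != language) continue;
                    if (rule.Pattern.IsMatch(lines[i]))
                        findings.Add(new Finding { RuleId = rule.Id, LineNumber = i + 1, LineText = lines[i] });
                }
            }
            return findings;
        }
    }

    public class Program
    {
        // Constructed rule file: each keypointer is a regex plus a category
        // named after an OWASP Code Review area (names chosen for the example).
        const string Rules = @"<keypointers>
  <keypointer id='SQL-001' category='Data Validation' language='csharp'>
    <pattern>new\s+SqlCommand\s*\(\s*""[^""]*""\s*\+</pattern>
    <description>SQL command text built by string concatenation; review for injection.</description>
  </keypointer>
  <keypointer id='XSS-001' category='Data Validation' language='csharp'>
    <pattern>Response\.Write\s*\(.*Request\.</pattern>
    <description>Request data echoed to the response without encoding.</description>
  </keypointer>
</keypointers>";

        // Constructed sample under review (not real project code). Lines 2 and 3
        // should be flagged; line 4 uses a parameter and should not.
        const string Sample = @"string name = Request.QueryString[""name""];
var cmd = new SqlCommand(""SELECT * FROM Users WHERE Name = '"" + name, conn);
Response.Write(Request.QueryString[""msg""]);
var safe = new SqlCommand(""SELECT * FROM Users WHERE Name = @name"", conn);";

        public static void Main()
        {
            List<Keypointer> rules = Scanner.LoadRules(Rules);
            foreach (Finding f in Scanner.Scan(Sample, rules, "csharp"))
                Console.WriteLine(f);   // [SQL-001] line 2 ..., [XSS-001] line 3 ...
        }
    }
}
```

Because the rules are data rather than code, a team can keep its own keypointer file next to the OWASP one and adjust it per project, which is the behaviour slide 5 describes; a regex per line is a rough heuristic, so every hit is a pointer for a human reviewer, not a confirmed vulnerability.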

Slide 16: Coding Code Crawler
- We try to keep the code organised and easy to maintain. Below are some examples of how the core of the application is coded (namespaces).
- OWASP.CodeReview.CodeCrawler.Database.DatabaseObject (will load the Code Review Project Engine)
- OWASP.CodeReview.CodeCrawler.Functionalities.Emails (email functionality)
- OWASP.CodeReview.CodeCrawler.Functionalities.VisualStudio (Visual Studio integration)

Slide 17: The future of OWASP Code Crawler
- OWASP Orizon Project
- Never outdated reviews: the Code Review keypointers database will be moved into a web service; at runtime the application will check whether the user has the latest version of the database and, if not, download it.
- More templates
- More languages supported

Slide 18: Live Demonstration

Slide 19: Q/A
