[ANN] Sonar Owasp Plugin 1.0

[ANN] Sonar Owasp Plugin 1.0

Jesús Badenas Martínez

Hi all!

The eXcentia team is pleased to announce a new plugin: Sonar Owasp Plugin (1.0).

Sonar OWASP Plugin is a plugin for Sonar that provides information about your project's security. Based on the OWASP security standard, it shows the risk factor and security vulnerabilities in your project. It defines a list of vulnerabilities that can occur in any software project. Many of these vulnerabilities are detected as violations in Sonar, allowing us to know the security level reached.
Moreover, the OWASP standard includes the OWASP Top 10 project, a documentation project that groups the most important security aspects to keep in mind in any application. This plugin uses this information to group detected violations.

The plugin works with Sonar 2.13 or later.

Trial version and documentation are available on the product page.

Enjoy!

eXcentia Team.

--
Jesús Badenas Martínez (Linkedin)
Software Architecture and Quality
t: 96 325 48 08


Re: [ANN] Sonar Owasp Plugin 1.0

Fabrice Bellingard-4
Hi Jesus,

this looks really great, congrats for the work!

I've one question though, and I couldn't answer it when reading your documentation (I read it quite fast I must admit ;-)): which tool are you using behind the scenes to detect the security flaws? 


Best regards,

Fabrice BELLINGARD | SonarSource
http://sonarsource.com



On Wed, Oct 31, 2012 at 10:16 AM, Jesús Badenas Martínez <[hidden email]> wrote:


Re: [sonar-dev] Re: [sonar-user][ANN] Sonar Owasp Plugin 1.0

Jesús Badenas Martínez
Hi Fabrice,

thanks a lot for your interest in Owasp plugin!

About your question, I'm not using any security "tool" to detect flaws. Owasp has a list of vulnerabilities that I've associated manually with Sonar rules through an XML file. In the configuration tab of the documentation page you can see a sample file that you can download.

It would be great to do something similar to the SQALE configuration dashboard, where you can configure the characteristics, but using Owasp vulnerabilities and then export to an XML file. Is there any way to do a similar dashboard?

Thanks again.

Regards.

2012/10/31 Fabrice Bellingard <[hidden email]>


Re: [sonar-dev] Re: [sonar-user][ANN] Sonar Owasp Plugin 1.0

Fabrice Bellingard-4
OK, got it... In fact, your plugin offers a mapping from Findbugs/PMD/whatever violations to Owasp vulnerabilities.


Best regards,

Fabrice BELLINGARD | SonarSource
http://sonarsource.com



On Wed, Oct 31, 2012 at 11:33 AM, Jesús Badenas Martínez <[hidden email]> wrote:


Re: [sonar-dev] Re: [sonar-user][ANN] Sonar Owasp Plugin 1.0

Jesús Badenas Martínez
Right!

Future versions may also include rules from tools for other languages (not only Java). But remember you can modify the XML file to create your own mapping :D

Regards.

2012/10/31 Fabrice Bellingard <[hidden email]>


Re: [sonar-dev] Re: [sonar-user][ANN] Sonar Owasp Plugin 1.0

Freddy Mallet
Hi Jesus, 

My only fear is that most Sonar users will have the same expectation about this new Sonar Owasp Plugin that Fabrice had: namely, that it detects XSS, CSRF, XSHM, ... vulnerabilities, whereas this is not the case. And this feeling will be reinforced by the current Sonar plugin home page "Is your software project vulnerable to security attacks?". My advice would be to slightly update this home page to prevent any misunderstanding.

My 2 cents,
Freddy

-----
Sonar for Continuous Inspection



On Wed, Oct 31, 2012 at 4:27 PM, Jesús Badenas Martínez <[hidden email]> wrote:

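The thread makes two technical points: Jesús's plugin does no detection of its own but reclassifies existing Sonar rule violations into OWASP Top 10 categories through a hand-written XML mapping, and Freddy's caveat that a category without a mapped rule can never produce a finding, however vulnerable the code is. The following script is an added example illustrating both, not code from the eXcentia plugin. The XML layout, the violation records and the severity weights used for a "risk factor" are constructed assumptions (the plugin's real file format and scoring are not shown on the page); the FindBugs and PMD rule keys are real detector names in Sonar's `repository:key` form, but the violations themselves are made up.

```python
"""Group Sonar rule violations into OWASP Top 10 categories via an XML mapping.

Added example for the thread above; it is NOT the eXcentia plugin's code. The
XML layout is a constructed assumption, and the sample violations are made up.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed mapping file: OWASP Top 10 (2010 edition) categories -> Sonar rule keys.
# A5 (CSRF) is deliberately left without any rule to show a coverage gap.
MAPPING_XML = """
<owasp>
  <vulnerability id="A1" name="Injection">
    <rule key="findbugs:SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE"/>
    <rule key="findbugs:SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING"/>
  </vulnerability>
  <vulnerability id="A2" name="Cross-Site Scripting (XSS)">
    <rule key="findbugs:XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER"/>
    <rule key="findbugs:XSS_REQUEST_PARAMETER_TO_JSP_WRITER"/>
  </vulnerability>
  <vulnerability id="A5" name="Cross-Site Request Forgery (CSRF)"/>
  <vulnerability id="A6" name="Security Misconfiguration">
    <rule key="pmd:AvoidPrintStackTrace"/>
  </vulnerability>
</owasp>
"""

# Constructed sample of violations, shaped like what a Sonar analysis reports.
SAMPLE_VIOLATIONS = [
    {"rule": "findbugs:SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE",
     "resource": "UserDao.java", "line": 42, "severity": "CRITICAL"},
    {"rule": "findbugs:XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER",
     "resource": "HelloServlet.java", "line": 18, "severity": "MAJOR"},
    {"rule": "pmd:AvoidPrintStackTrace",
     "resource": "HelloServlet.java", "line": 31, "severity": "MINOR"},
    {"rule": "pmd:UnusedPrivateField",
     "resource": "Config.java", "line": 9, "severity": "MINOR"},
]


def load_mapping(xml_text):
    """Parse the mapping file into (rule_to_vuln, vulns).

    rule_to_vuln maps a Sonar rule key to the OWASP id it belongs to; vulns maps
    each OWASP id to its name and rule list. A rule key listed under two
    vulnerabilities is rejected, since one violation would otherwise count twice.
    """
    root = ET.fromstring(xml_text)
    rule_to_vuln = {}
    vulns = {}
    for vuln in root.findall("vulnerability"):
        vid = vuln.get("id")
        keys = [r.get("key") for r in vuln.findall("rule")]
        vulns[vid] = {"name": vuln.get("name"), "rules": keys}
        for key in keys:
            if key in rule_to_vuln:
                raise ValueError(f"rule {key} mapped to both {rule_to_vuln[key]} and {vid}")
            rule_to_vuln[key] = vid
    return rule_to_vuln, vulns


def group_violations(violations, rule_to_vuln):
    """Bucket violations by OWASP id; returns (by_vuln, unmapped).

    unmapped holds violations whose rule has no OWASP entry: they are code
    quality findings, not security findings, and must not inflate the picture.
    """
    by_vuln = defaultdict(list)
    unmapped = []
    for v in violations:
        vid = rule_to_vuln.get(v["rule"])
        if vid is None:
            unmapped.append(v)
        else:
            by_vuln[vid].append(v)
    return dict(by_vuln), unmapped


def uncovered_vulnerabilities(vulns):
    """OWASP ids with no rule mapped to them.

    Such a category can never yield a finding: the mapping only reclassifies
    what the underlying rule engines already detect (Freddy's point above).
    """
    return sorted(vid for vid, info in vulns.items() if not info["rules"])


# Assumed, illustrative weights; the plugin's own risk-factor formula is not on the page.
SEVERITY_WEIGHT = {"BLOCKER": 10, "CRITICAL": 5, "MAJOR": 3, "MINOR": 1, "INFO": 0}


def risk_score(by_vuln):
    """Severity-weighted violation count per OWASP id (constructed scoring)."""
    return {vid: sum(SEVERITY_WEIGHT.get(v["severity"], 0) for v in vs)
            for vid, vs in by_vuln.items()}


if __name__ == "__main__":
    rule_to_vuln, vulns = load_mapping(MAPPING_XML)
    by_vuln, unmapped = group_violations(SAMPLE_VIOLATIONS, rule_to_vuln)
    scores = risk_score(by_vuln)
    for vid in sorted(by_vuln):
        print(f"{vid} {vulns[vid]['name']}: {len(by_vuln[vid])} violation(s), score {scores[vid]}")
    print("not security-mapped:", [v["rule"] for v in unmapped])
    print("OWASP categories with no detecting rule:", uncovered_vulnerabilities(vulns))
```

Run as-is, the script reports one finding each for A1, A2 and A6, leaves `pmd:UnusedPrivateField` out of the security picture, and lists A5 as a category that no mapped rule can ever report. That last list is the honest way to present such a plugin on its home page: the security picture is bounded by the mapped rules, so an empty category means "not checked", not "not vulnerable".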
