Owasp Code Crawler Presentation

1 like1,347 views

The document introduces OWASP Code Crawler, an open source tool for automated security code reviews of .NET and Java source code. It was built using C# and runs on Windows and Mono. The tool performs fast scans of source code, supports multiple languages, and generates HTML and PDF reports. It includes features like an integrated OWASP browser, email functionality, and team management capabilities. The core of the application and its functionalities are coded in a modular way using XML files for configuration and data storage. Future plans include integrating more closely with the OWASP Orizon project and keeping the code review patterns database up-to-date.

Technology

OWASP Code Crawler Alessio Marziali Owasp Code Crawler Project Leader Linksfield Technologies Ltd [email_address] 06 Nov 2008

Who am I 8 + years experienced Web Developer Author of : ASP. NET. “Alla scoperta della tecnologia microsoft per lo sviluppo web” ASP.NET 3.5. “I nuovi orizzonti della tecnologia Microsoft per lo sviluppo web” Penetration Tester Clients: Finance, Internet Service Providers, Government 33+ Advisories in the last year OWASP Code Crawler Project Leader Web Developer at Linksfield Technologies Ltd

Linksfield Technologies High-tech consultancy and software development house Headquartered in London 9 years old 20+ staff Clients in private and public sectors Microsoft Gold Certified Partner Custom Development Data Management Business Process & Integration Small Business Server IBM Business Partner Specialists in Business Process Automation and Systems Integration Strong Financial services sector experience

OWASP Code Crawler Built using Visual Studio 2008, C# 3.0 Lightweight and ready to use Standard Runtime is just <6Mb, can run from USB sticks! Multi Platform Designed for Windows, runs under MONO too Open Source Source Code is freely available Click and Go No Installation, No Requirements, Download and Run

What it does Automated Security Code Review using OWASP Code Review Will “scan” source code for well known vulnerability issues Users can affect the behaviour of the application adding or removing items into the application by simply editing the relative XML File. OWASP Orizon Project (spring 2009) Working close with Paolo Perego, OWASP Orizon Project Leader while trying to integrate Orizon (Java) with Code Crawler (.NET)

Performances and functionalities Fast Scan 1000~ lines of code (~ 3 seconds to review) Multi Languages Support .NET (C#,VB, don’t say F#!) Java Integrated Editor Visual Studio Like visualisation C# Code colouring Even “#region” are supported

Reporting Users can perform automated security code review and generated well formatted reports using OWASP or companies template. HTML PDF (90%) Office Word (70%) Comes with 2 pre-built xslt/xml templates.

Team Management Send Security Code Reviews by email without leaving the application. Planning Code Reviews with Code Review Manager

Integrated OWASP Brower Built around OWASP Guides Wiki Tools Are available within the application in just a click.

Everything is XML Everything (from the core to functionalities) relies on XML files as Data Storage Configuration settings Presentation (reports)

Coding Code Crawler We try to keep the code organised and easy to maintain. Below some examples on how the core of the application is coded (namespaces). OWASP.CodeReview.CodeCrawler.Database.DatabaseObject (will load the Code Review Project Engine) OWASP.CodeReview.CodeCrawler.Functionalities.Emails (Email Functionality) OWASP.CodeReview.CodeCrawler.Functionalities.VisualStudio (Visual Studio Integration)

The future of OWASP Code Crawler OWASP Orizon Project Never outdated reviews Code Review Keypointers database will be moved into a web service, at runtime the application will check if the users has the latest version of database, if not it will proceed with the download. More Templates More Languages supported

More Related Content

What's hot (20)

PDF

Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense

PDF

ESAPIn|u - The Open Security Community

PDF

Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro

PDF

Java DefectsErika Barron

PPTX

#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...Agile Testing Alliance

PDF

Static code analysisPrancer Io

PPTX

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype

PDF

App sec and quality london - may 2016 - v0.5Dinis Cruz

PDF

API TESTINGSijan Bhandari

ODP

OWASP WTE - Now in the Cloud!Matt Tesauro

PPT

GNUCITIZEN Dwk Owasp Day September 2007guest20ab09

PDF

MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz

PDF

Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongWaratek Ltd

PPTX

A year of SonarQube and TFS/VSTSMatteo Emili

PPTX

Application Virtualizationsecurityxploded

PDF

Keyword Driven TestingMaveryx

PPTX

Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu

PDF

How to Write & Run a Test Case in Selenium | Selenium Tutorial | Selenium Tra...Edureka!

PPTX

Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com

PPTX

i18n tech talkHitesh Sharma

Continuous Integration: Live Static Analysis with Puma ScanCypress Data Defense

ESAPIn|u - The Open Security Community

Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro

Java DefectsErika Barron

#ATAGTR2018 Presentation "Decoding Security in DevSecOps" by Meghashyam Varan...Agile Testing Alliance

Static code analysisPrancer Io

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype

App sec and quality london - may 2016 - v0.5Dinis Cruz

API TESTINGSijan Bhandari

OWASP WTE - Now in the Cloud!Matt Tesauro

GNUCITIZEN Dwk Owasp Day September 2007guest20ab09

MobSecCon 2015 - Dynamic Analysis of Android AppsRon Munitz

Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongWaratek Ltd

A year of SonarQube and TFS/VSTSMatteo Emili

Application Virtualizationsecurityxploded

Keyword Driven TestingMaveryx

Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu

How to Write & Run a Test Case in Selenium | Selenium Tutorial | Selenium Tra...Edureka!

Finding Zero-Days Before The Attackers: A Fortune 500 Red Team Case StudyDevOps.com

i18n tech talkHitesh Sharma

Recently uploaded (20)

PDF

Python basic programing language for automationDanialHabibi2

PPTX

"Autonomy of LLM Agents: Current State and Future Prospects", Oles` PetrivFwdays

PDF

HubSpot Main Hub: A Unified Growth PlatformJaswinder Singh

PPTX

UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst ContentDianaGray10

PDF

Empower Inclusion Through Accessible Java ApplicationsAna-Maria Mihalceanu

PDF

Exolore The Essential AI Tools in 2025.pdfSrinivasan M

PDF

CIFDAQ Weekly Market Wrap for 11th July 2025CIFDAQ

PDF

Log-Based Anomaly Detection: Enhancing System Reliability with Machine LearningMohammed BEKKOUCHE

PDF

Building Real-Time Digital Twins with IBM Maximo & ArcGIS IndoorsSafe Software

PPTX

Webinar: Introduction to LF Energy EVerestDanBrown980551

PPTX

Building Search Using OpenSearch: Limitations and WorkaroundsSease

PPTX

Top iOS App Development Company in the USA for Innovative AppsSynapseIndia

PDF

Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...AWS Chicago

PDF

Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025BookNet Canada

PDF

NewMind AI - Journal 100 Insights After The 100th IssueNewMind AI

PDF

The Builder’s Playbook - 2025 State of AI Report.pdfjeroen339954

PDF

"AI Transformation: Directions and Challenges", Pavlo ShaternikFwdays

PDF

Chris Elwell Woburn, MA - Passionate About IT InnovationChris Elwell Woburn, MA

PDF

"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...Fwdays

PPTX

OpenID AuthZEN - Analyst Briefing July 2025David Brossard