Please welcome SkyLine

SkyLine is the org.owasp.orizon object devoted to assisting people in starting up a source code security assessment.

One of the new features of this object is support for Owasp framework properties. In the same way as regular command line tools do, a user (invoking a tool built on Orizon) can enable or disable some framework-related features on the fly using the “-o” or “--orizon” command line flags.

This means that a tool using Orizon won’t be able to use the “-o” or “--orizon” command line flags for its own purposes: the framework consumes them.

The org.owasp.orizon.core.Cons class holds the constants used as keys in the Orizon command line flag format (“-o key=value”). In the 1.0rc1 release, these are the supported features:
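As an added example (not Orizon’s own code), the following Python sketch shows how a host tool can separate “-o key=value” / “--orizon key=value” framework properties from its own arguments, and why a tool cannot reuse “-o” for itself. The key names (verbose, session, library) are made up for illustration and stand in for the real constants in org.owasp.orizon.core.Cons; the handling of a bare “--” separator is also an assumption, not something the post describes.

```python
"""Added example: split a host tool's argv into Orizon-style framework
properties ("-o key=value" / "--orizon key=value") and the tool's own args.

Not Orizon's own code. KNOWN_KEYS is a hypothetical stand-in for the
constants in org.owasp.orizon.core.Cons; the "--" separator is an assumption.
"""
from typing import Dict, List, Tuple

# Hypothetical framework keys (the real 1.0rc1 list is not reproduced here).
KNOWN_KEYS = {"verbose", "session", "library"}

# Flags reserved by the framework; a tool built on Orizon cannot use them.
ORIZON_FLAGS = ("-o", "--orizon")


def parse_framework_property(token: str) -> Tuple[str, str]:
    """Parse one 'key=value' token, rejecting malformed or unknown keys."""
    if "=" not in token:
        raise ValueError(f"framework property must be key=value, got {token!r}")
    key, _, value = token.partition("=")
    key = key.strip()
    if not key:
        raise ValueError(f"empty key in framework property {token!r}")
    if key not in KNOWN_KEYS:
        raise ValueError(f"unknown framework property {key!r}")
    return key, value


def split_argv(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (framework_properties, tool_args).

    Every '-o' / '--orizon' flag is consumed here together with the token
    that follows it. That is exactly why a tool using Orizon cannot define
    its own '-o' option: '-o output.txt' would be parsed as a framework
    property and rejected because 'output.txt' is not key=value.
    """
    props: Dict[str, str] = {}
    tool_args: List[str] = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ORIZON_FLAGS:
            if i + 1 >= len(argv):
                raise ValueError(f"{tok} requires a key=value argument")
            key, value = parse_framework_property(argv[i + 1])
            if key in props:
                raise ValueError(f"framework property {key!r} given twice")
            props[key] = value
            i += 2
        elif tok == "--":
            # Assumption: everything after a bare '--' belongs to the tool,
            # even if it looks like '-o'.
            tool_args.extend(argv[i + 1:])
            break
        else:
            tool_args.append(tok)
            i += 1
    return props, tool_args


def tool_can_use_o_flag(argv: List[str]) -> bool:
    """True only if the tool's own '-o <file>' survives the framework parser."""
    try:
        split_argv(argv)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample command line, not from the original post.
    sample = ["--verbose", "-o", "verbose=true", "Foo.java",
              "--orizon", "session=/tmp/s.xml", "--", "-o", "out.txt"]
    print(split_argv(sample))
    print("tool may use -o:", tool_can_use_o_flag(["-o", "out.txt"]))
```

The important behaviour is the failure case: a tool that tries to keep a “-o output.txt” option of its own never sees it, because the framework parser claims the flag first and rejects the non key=value argument.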


Some new objects…

First of all, Orizon 1.0 will have a brand new input file format. Each source file being reviewed will be translated into four different XML files:

  • a file containing source code statistics;
  • a file containing source control flow information;
  • a file containing source call graph information;
  • a file containing source data flow information.

Static analysis will be executed over information contained in these files.

The second new object is an assistant object to be instantiated as the first Orizon object. This “assistant object” will be responsible for:

  • creating a session file;
  • collecting the source filenames to review if a directory is specified as input.

No Cocoa, No SWT, No GUI

I just bought a brand new Apple MacBook laptop with the OS X 10.5 operating system. With some disappointment, I just discovered that the SWT libraries aren’t ported to Cocoa but only to the Carbon framework; Carbon is not available in the 64-bit JRE, only in the 32-bit JRE, but I can’t run the 32-bit JRE because of the internal compiler API I need.

So… to have a GUI on OS X you must wait for people to port SWT to Cocoa, estimated sometime in 2009.

I hope that the widespread usage of Apple’s hardware will bring much more effort to such porting task.

The good news is that the command line version is still working :)

SPOC 2008, 50% self assessment…

I’ve done the 50% SPOC 2008 self assessment evaluation. Now I’m waiting for my reviewers to submit their evaluation.

I’m also planning to mass remove most of the orizon mailing list subscribers who haven’t posted anything for months. I’m also planning an advertising campaign in order to recruit some developers and some people to help me in the second half of Summer of Code 2008.

Ghent slideshow

The slideshow used in Ghent last May was finally uploaded. Please note that some slides were hidden, so check them out before viewing the presentation.

11 days to go

The time of my wedding is coming… I started updating Orizon with the changes I’m planning, and I’m in touch with Alessio Marziali and Mario de Boer to collaborate with them, providing code review services with my engine.

I’m really honored to work with them.

I’m working on a small slideshow to describe the changes from the current Orizon release to version 1.0. I hope I’ll produce this bunch of slides in a few days… setting up my wedding is really time consuming, but it is filling me with joy and pleasure :)

8 moleskine pages of updates

It’s all in my little Moleskine. Indeed, I sometimes feel comfortable writing on a good old-fashioned piece of paper…

One of the biggest changes that will occur in the next Orizon releases towards 1.0 concerns the library. Source code flaws will be organized using the Top 10/Top 7 page of the Code Review Guide, and the library won’t be a Zip archive anymore; instead it will be released as XML files contained in the Orizon Jar file itself.

Security flaws will be described using a new XML schema.

The whole demo package will be marked as “deprecated” and a brand new UI will be included in Orizon to provide Milk functionality.

Bastion will also be discontinued, and new documentation will be provided with remediation tasks and proofreading links.

The last big change concerns the XML schema used in the input file. Orizon will use more than one file, and translators must create an adequate number of XML files containing:

  • control flow
  • call graph
  • data flow graph

I’ve got a lot of things to do, all of them stuffed in these cute 8 moleskine pages of updates…

Live from Ghent

As I’m writing I’m in Ghent, Belgium for Owasp AppSec EU ‘08. In this morning’s talk, I’ll announce the very first major change in Orizon for this year: plugin support.

As you can see in the presentation, it is now possible to specify, in a security check, the external code that handles that check.

When I have a better internet connection, I’ll commit the code and release version 0.90 of Orizon.

-2

The time has come…

-7

Next week I’ll be in Ghent talking about Orizon and I’m pretty excited about this. It is the first time I’ll talk at an international conference.

I’ll release v0.90 next week, maybe on Monday before leaving Italy.

Meanwhile I found this article about Owasp Day in Italy… (Italian language only, sorry)
