OWASP Code Crawler
Alessio Marziali, OWASP Code Crawler Project Leader
Linksfield Technologies Ltd
[email_address]
06 Nov 2008

Who am I
8+ years experienced Web Developer
Author of:
  ASP.NET: “Alla scoperta della tecnologia microsoft per lo sviluppo web”
  ASP.NET 3.5: “I nuovi orizzonti della tecnologia Microsoft per lo sviluppo web”
Penetration Tester. Clients: Finance, Internet Service Providers, Government
33+ Advisories in the last year
OWASP Code Crawler Project Leader
Web Developer at Linksfield Technologies Ltd

Linksfield Technologies
High-tech consultancy and software development house
Headquartered in London, 9 years old, 20+ staff
Clients in private and public sectors
Microsoft Gold Certified Partner: Custom Development, Data Management, Business Process & Integration, Small Business Server
IBM Business Partner
Specialists in Business Process Automation and Systems Integration
Strong Financial services sector experience
 
OWASP Code Crawler
Built using Visual Studio 2008, C# 3.0
Lightweight and ready to use: the standard runtime is just <6Mb, can run from USB sticks!
Multi Platform: designed for Windows, runs under MONO too
Open Source: source code is freely available
Click and Go: no installation, no requirements, download and run

What it does
Automated Security Code Review using the OWASP Code Review guide
Will “scan” source code for well-known vulnerability issues
Users can change the behaviour of the application, adding or removing items, simply by editing the relevant XML file.
OWASP Orizon Project (spring 2009): working closely with Paolo Perego, OWASP Orizon Project Leader, while trying to integrate Orizon (Java) with Code Crawler (.NET)
OWASP Code Review Integration
Performance and functionality
Fast Scan: ~1000 lines of code (~3 seconds to review)
Multi-language support: .NET (C#, VB; don’t say F#!), Java
Integrated Editor: Visual Studio-like visualisation, C# code colouring, even “#region” blocks are supported
Source Code Preview
Reporting
Users can perform automated security code review and generate well-formatted reports using the OWASP or a company template.
HTML, PDF (90%), Office Word (70%)
Comes with 2 pre-built XSLT/XML templates.
Reporting (XSLT Templates)
Team Management
Send Security Code Reviews by email without leaving the application.
Plan Code Reviews with the Code Review Manager
 
Integrated OWASP Browser
Built around the OWASP Guides, Wiki and Tools, which are available within the application in just a click.
 
Everything is XML
Everything (from the core to the functionalities) relies on XML files:
  Data Storage
  Configuration settings
  Presentation (reports)
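As an added illustration of the XML-driven scanning the slides describe (this is not Code Crawler's own code): a keypointer database held in an XML file, a line-by-line scan of a C# page against those rules, and a report rendered from the findings. The keypointer schema, the three rule patterns, the sample source, the file name and the direct HTML rendering (in place of the tool's XSLT templates) are all constructed assumptions.

```python
"""XML-driven pattern scan over C# source, in the style the slides describe.

Everything here is constructed for illustration: the keypointer schema,
the rule patterns and the sample source are assumptions, not Code
Crawler's own files or code.
"""
import re
import xml.etree.ElementTree as ET
from html import escape

# Constructed keypointer database. The element and attribute names are a
# hypothetical schema; the page does not show Code Crawler's real layout.
# Adding or removing a <keypointer> changes what the scan reports.
KEYPOINTERS_XML = r"""<keypointers>
  <keypointer id="KP-1" severity="High" category="SQL Injection">
    <pattern>SqlCommand\s*\(\s*".*"\s*\+</pattern>
    <description>SQL command text built by string concatenation</description>
  </keypointer>
  <keypointer id="KP-2" severity="Medium" category="Cross-Site Scripting">
    <pattern>Response\.Write\s*\(\s*Request\.</pattern>
    <description>Request data echoed to the response without encoding</description>
  </keypointer>
  <keypointer id="KP-3" severity="Low" category="Information Disclosure">
    <pattern>customErrors\s+mode\s*=\s*"Off"</pattern>
    <description>Detailed error pages enabled in web.config</description>
  </keypointer>
</keypointers>
"""

# Constructed C# page under review (not from the slides). Lines 6 and 7 carry
# the first two patterns above; line 8 is the parameterised form, which the
# scan must not flag.
SAMPLE_SOURCE = r'''using System.Data.SqlClient;
public class LoginPage : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name='" + txtUser.Text + "'", conn);
        Response.Write(Request.QueryString["msg"]);
        var safe = new SqlCommand("SELECT * FROM Users WHERE Name=@name", conn);
    }
}
'''


def load_keypointers(xml_text):
    """Parse the keypointer XML into compiled rules."""
    rules = []
    for kp in ET.fromstring(xml_text).findall("keypointer"):
        rules.append({
            "id": kp.get("id"),
            "severity": kp.get("severity"),
            "category": kp.get("category"),
            "description": kp.findtext("description", "").strip(),
            "regex": re.compile(kp.findtext("pattern").strip()),
        })
    return rules


def scan_source(source, rules, filename="LoginPage.aspx.cs"):
    """Run every rule over every line; one finding per (rule, line) hit."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule in rules:
            if rule["regex"].search(text):
                findings.append({
                    "id": rule["id"],
                    "severity": rule["severity"],
                    "category": rule["category"],
                    "description": rule["description"],
                    "file": filename,
                    "line": lineno,
                    "code": text.strip(),
                })
    return findings


def render_html_report(findings):
    """Minimal HTML report. The real tool renders through XSLT templates; this
    writes the markup directly so the example runs without an XSLT processor.
    Every cell is HTML-escaped so flagged source cannot inject into the report."""
    rows = "".join(
        "<tr><td>{id}</td><td>{severity}</td><td>{category}</td>"
        "<td>{file}:{line}</td><td><code>{code}</code></td></tr>".format(
            **{k: escape(str(v)) for k, v in f.items()})
        for f in findings)
    return ("<html><body><h1>Security Code Review</h1><table>"
            "<tr><th>ID</th><th>Severity</th><th>Category</th>"
            "<th>Location</th><th>Code</th></tr>" + rows + "</table></body></html>")


if __name__ == "__main__":
    rules = load_keypointers(KEYPOINTERS_XML)
    found = scan_source(SAMPLE_SOURCE, rules)
    for f in found:
        print(f"{f['severity']:<6} {f['id']} {f['file']}:{f['line']} {f['description']}")
    print(render_html_report(found))
```

Running the block reports the concatenated SqlCommand on line 6 and the unencoded Response.Write on line 7, while the parameterised command on line 8 and the unused web.config rule produce nothing. Escaping every cell in the report matters because the flagged code is attacker-influenced text being dropped into HTML.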
Coding Code Crawler
We try to keep the code organised and easy to maintain. Below are some examples of how the core of the application is organised (namespaces):
  OWASP.CodeReview.CodeCrawler.Database.DatabaseObject (loads the Code Review Project Engine)
  OWASP.CodeReview.CodeCrawler.Functionalities.Emails (email functionality)
  OWASP.CodeReview.CodeCrawler.Functionalities.VisualStudio (Visual Studio integration)

The future of OWASP Code Crawler
OWASP Orizon Project
Never outdated reviews: the Code Review Keypointers database will be moved into a web service; at runtime the application will check whether the user has the latest version of the database and, if not, download it.
More Templates
More Languages supported
Live Demonstration
Q/A