Hi there, OWASP has just concluded the Autumn of Code 2006, which was very successful in getting some great security projects matured or completed, including the Testing Guide, which is a great resource for penetration testers.
http://www.owasp.org/index.php/Owasp_Autumn_Of_Code_2006

It was so successful that we are about to launch OWASP's Spring of Code 2007. We will be funding approximately 10-15 projects with approximately $80-100k USD between them. We are trying to increase both the number and the dollars by gaining corporate sponsorships (see the last paragraph if you can help with that), but we will spend at least $80k USD this time around.

As PHP applications make up a large percentage of CVE entries (for whatever reason), I'd like to invite those active in PHP security to consider working on ways to improve the PHP security story for all PHP apps, regardless of the skill / knowledge of the devs pumping out PHP apps.

Some ideas - please take these as a starting point, not an end point:

* Hack on, mature and hopefully ship open source projects already some way along the security path (such as Zend Framework or CodeIgniter or your project here) which plug known webappsec gaps, like input and output validation, prevent SQL injection by default, and provide robust logging and authC/authZ services etc.
* Research root causes of "typical" PHP application security issues, and develop materials, new / improved APIs, recommend deprecation or attack surface reduction for certain interfaces or features and so on to *actually* eliminate these issues once and for all
* ... Your idea here ...

We are looking at funding ideas / projects with concrete deliverables over a three- to four-month time frame starting around the beginning of the northern hemisphere spring. We look favorably upon submissions which completely remediate webappsec issues for a wide swathe of PHP apps, but we will also be looking at assisting those who wish to pursue basic research to make PHP safer in the medium to long term. The only restriction is that the work has to be released under an acknowledged open source license, which goes for documentation, too. We cannot fund closed source or proprietary projects.
We can provide incubator space if you have nowhere else to work (CVS or SVN, mail lists, web space, blogs, forum, etc). We will be providing access to security mentors so you can bounce ideas or collaborate as you see fit. Why a webappsec specialist? We simply want to provide you with enough information and a way to bounce your ideas to avoid things like safe mode or similar which aren't actually that secure.

The SoC effort has not kicked off yet as we have not finalized many details - including some really interesting ones. We will be accepting submissions starting sometime in February for at least a month. Please discuss amongst yourselves as appropriate, and if at all possible, consider submitting a proposal or three when the OWASP SoC opens up.

If you are in a position to help fund any submission (outright or dollar for dollar, etc) or just wish to help the OWASP Spring of Code program, please contact [EMAIL PROTECTED] for more details. The typical commitment to a particular project is $2.5 to $10k USD, depending on how many folks are being funded / complexity of effort.

This is your chance to get your favorite PHP security project matured / finished!

Andrew van der Stock
Executive Director, OWASP

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php