OWASP ASIDE Project

Main
This project is led by [Jun Zhu] and Bill Chu. Other major contributors include [Jing Xie], Heather Richter Lipford, John Melton & Will Stranathan. We have presented our talk Using Interactive Static Analysis for Early Detection of Software Vulnerabilities at AppSec USA 2012. You can view and download our presentation here. We have presented our talk Secure Programming Support in IDE at AppSec USA 2011 in Minneapolis. You can view and download our presentation here.

Take a Look
ASIDE currently has two prototype implementations: ASIDE CodeRefactoring and ASIDE CodeAnnotate.

CodeRefactoring is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation.

CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code.

An older version of ASIDE DEMO shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.

Download
The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from here. You also need to download the complementary logging facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.

The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from here. ASIDE CodeAnnotate is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here.

New! We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon Eclipse PDT framework, you can download the plugin here. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded here, and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here. A good PHP open source project you can try the plugin against is Moodle;

Source Code
A recent version of the ASIDE CodeRefactoring code is located at https://github.com/JunZhuSecurity/ASIDE-Education. An older version could be found at https://github.com/Jing-Xie/owasp-aside.

Research Activities
1. Jun Zhu, Jing Xie, Heather Richter Lipford, and Bill Chu, Supporting Secure Programming in Web Applications through Interactive Static Analysis, In Journal of Advanced Research, Elsevier, December, 2013.

2. Jun Zhu, Heather Richter Lipford, and Bill Chu, Interactive Support for Secure Programming Education, In Proceedings of ACM Technical Symposium on Computer Science Education (SIGCSE), March 6-9, 2013, Denver, Colorado, USA

3. Jing Xie, Heather Richter Lipford, and Bill Chu, Evaluating Interactive Support for Secure Programming, In Proceedings of ACM Conference on Human Factors in Computing Systems (CHI), May 2012, Austin, Texas, USA

4. Jing Xie, Bill Chu, Heather Richter Lipford, and John T. Melton, ASIDE:IDE Support for Web Application Security, In Proceedings of 27th Annual Computer Security Applications Conference (ACSAC), December 5–9, 2011, Orlando, FL, USA

5. Jing Xie, Heather Richter Lipford, and Bill Chu, Why do programmers make security errors?, In Proceedings of IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC), September 18–22, 2011, Pittsburgh, PA, USA

6. Jing Xie, Bill Chu, and Heather Richter Lipford Interactive Support for Secure Software Development, In Proceedings of Engineering Secure Software and Systems Third International Symposium (ESSoS), February 2011, Madrid, Spain