As you may know, OWASP OWTF took part in the GSoC 2013. It was somewhat surprising (also to me) that OWTF got 4 slots, the same as ZAP (an OWASP flagship project I have a lot of respect for) and OWASP as an organisation in 2012.
Instead of writing a blog post about my personal opinion, I am going to share stats and student feedback so that hopefully the blog post is not as biased :).
But first of all a huge thank you + congratulations to the selected OWTF students and proposals:
- Bharadwaj Machiraju - OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES
- Ankush Jindal - OWASP OWTF - Multiprocessing
- Alessandro Fanio González - OWASP OWTF - Unit Test Framework
- Assem Chelli - OWASP OWTF - Reporting
It was their serious amount of work spent on the proposals as well as their demonstrated skill that got them selected.
Some OWASP GSoC Numbers
- OWASP received 84 proposals in total for only 11 available slots: 73 students (87%) could not be selected.
- 14 students showed interested on the GSoC for OWTF
- 11 students submitted an OWTF proposal (79% of students that showed interest in OWTF)
- 14 OWTF proposals were submitted (16% of all OWASP proposals)
- 14 ZAP proposals were submitted (16% of all OWASP proposals)
- 5 OWTF proposals ended in the top 11, covering 6 of the 7 ideas proposed. (36% of OWTF proposals)
- 5 OWTF proposals could have been selected but 1 student was lost in the de-duplication process, the remaining OWTF students were not ranked high enough to be picked up to replace this student.
- 4 OWTF proposals were finally selected (29% of OWTF proposals)
- OWTF took 4 out of 11 OWASP slots (36%)
- ZAP took 4 out of 11 OWASP slots (36%)
- Hackademic took 1 out of 11 OWASP slots (9%)
- ModSecurity took 1 out of 11 OWASP slots (9%)
- OWASP PHP Security project took 1 out of 11 OWASP slots (9%)
Instead of speculating about what made some students submit to OWTF, I tried to be a bit more scientific and conducted a poll among the students that submitted.
The poll was based on a single question: What made you submit a proposal for OWASP OWTF? (i.e. as opposed to other OWASP projects and/or organisations)
NOTE: I have only redacted what could identify the student and/or project.
Student 1 - "Why I submit to OWASP? I chose many organizations by the criteria python, security but I got too late to submit to all of them except Tor and OWASP. I abandoned the proposal to tor in order to focus on only one good proposal. Why I chose OWTF? because it's python, and then because I liked the idea of -redacted-." Student 2 - "As a person who is amazed by the number of tools present in penetration testing distributions, OWTF is my best call to learn about all those tools and moreover I get to code in my favourite language (python)" Student 3 - "Well, firstly, I was looking for a security organization/project, because I thought I would be a start point in the computer security world. I had already heard about OWASP (Top 10, WebGoat), so I looked into the GSoC ideas page. Then, I found a couple of ideas that I thought I could accomplish and were adapted to my skills, and I found the OWTF project. I investigated watching some videos and I liked the project purpose. So I decided to send a proposal for one of the ideas. Definitely, one of the incentives that made me improve my proposal and not to look for another project was the quick feedback, the advices and the encouragement that I received from the mentor." Student 4 - "I started looking for organisations and projects in GSoC list. I searched for systems and security. Then after seeing the projects two organisations caught my eye 1. -redacted- ( which had very good systems related projects) 2. OWASP (which had very good security related projects). I mailed to a mentor of -redacted- for a project but there was no reply. In security, I wanted to go for a automated testing of applications because from my course on security, I realized that there should be some tool to do that. So there comes the OWTF and submitted two proposals that had to do with systems also (meant perfect combination of my interests security and systems, may be not much of systems work)." Student 5 - "I am interested with computer security and OWASP is an organization which i like. So i decided to send a proposal to OWASP. Then i looked for the available projects and show OWTF. I had mail you and you have send me some presentation about OWASP OWTF to learn more about it and how it works. Before GSOC(2013) i had no idea about this tool. The idea of scanning a website without touching is awesome!!! So i decided to make a proposal on this tool! Recently i played around with it! I think that i have found a bug, i will contact you via skype soon." Student 6 - "OWTF project on -redacted- interested me. It was something new which I never did before. And more importantly, it was your constant motivation that made me choose OWTF and write a proposal. It was really a nice learning experience for me while working with you."