GSoC 2024 Ideas

Bug Logging Tool (BLT) • Juice Shop • DevSecOps Maturity Model • OWASP OWTF • OWASP secureCodeBox • OWASP Nettacker • OWASP Threat Dragon

Tips to get you started in no particular order:

• Read the Student Guidelines.
• Check our GitHub organization.
• Contact one of the project mentors below.

List of Project Ideas

Bug Logging Tool (BLT)

OWASP BLT is a bug-hunting & logging tool which allows users and companies to hunt for bugs, claim bug bounties and also to start bug-hunting sprees/contests respectively. It is preferred if the potential GSoC contributors get at least 5 PRs merged for the project. Preference will be given to students who get the most work done, and this is usually by submitting the most PRs.

2024 GSOC Ideas / Projects

We have over 40 projects available in 5 repositories to work on! Check the difficulty and project size in Github.

View all BLT project ideas on Github

Expected Results

• We would expect that any projects you choose to include in your proposal are fully completed.

Reach out to us on Slack to discuss further on the scope, changes required, or if you have any other proposal.

• Please submit your proposal on the BLT GitHub discussion board in markdown language before you convert it to a PDF. Because it will be easier for the team to review and give feedback there.
• Team meetings are every Saturday at 12pm EST on Slack - Join here

Knowledge Prerequisites

• Python / Django for Backend
• Flutter for Mobile app
• Blockchain development
• Some knowledge of UI designing for design related ideas.

Mentors

• Donnie (@DonnieBLT on Slack) – lead mentor
• Swapnil Shinde (@AtmegaBuzz on Slack) – Django and blockchain mentor
• Arkadii Yakovets (@arkid15r on Slack) – Python/Django mentor
• Harshit Seksaria (@letsintegreat on Slack) – Flutter mentor

OWASP Juice Shop

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

To receive early feedback please:

• put your proposal on Google Docs and submit it to the OWASP Organization on Google’s GSoC page in “Draft Shared” mode.
• Please pick “juice shop” as Proposal Tag to make them easier to find for us. Thank you!

Explanation of Ideas

Test Suite Harmonization

Juice Shop had a full replacement of its end-to-end test suite - from Protractor to Cypress - in its GSoC 2022 project. Now it is time to take on the remainin test suites, especially the Integration/API tests currently running on Frisby.js. That library as not seen updates in 2+ years and it became more and more flaky over the years, causing occasional CI/CD failures and time-consuming retry-mechanisms to keep those in check. A new foundation for these tests is needed. In scope is also to look at the frontend and backend unit test suites, and find a way to reduce the number of test frameworks being used in order to achieve higher consistency and less complexity for maintenance of the project.

Juice Shop CTF Tool Rennovation

The Juice Shop CTF Tool is currently implemented in vanilla JavaScript. It should be migrated to TypeScript for consistency of maintenance with the main project. Furthermore, the code linting should be adapted to the main Juice Shop ESLint standards. Test coverage and relevance should be reviewed and strengthened where necessary.

Your own idea

You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!

Expected Results

• A new feature or improvement of an existing one that makes OWASP Juice Shop even better
• Your code follows our existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.
• Code that you write comes with automated tests that fit into our available test suites.

Getting started

• Make sure your JavaScript/TypeScript is sufficient to work on the Juice Shop codebase. Check our Codebase 101 here. Students with some experience with (or willingness to learn) Angular and NodeJS/Express are usually prefered.
• Read our Contribution Guidelines very carefully. Best make some small contributions before GSoC, so we can see how you work and help you dive into the code even better.
• Get in touch with Bjoern Kimminich to discuss any of the listed or your own idea for GSoC!

Mentors

• Bjoern Kimminich - OWASP Juice Shop Project Leader
• Shubham Palriwala - OWASP Juice Shop Core Team
• Jannik Hollenbach - OWASP Juice Shop Core Team

OWASP DevSecOps Maturity Model

Join us in enhancing the DSOMM, a pivotal tool designed to improve the security and operational efficiency of software development processes. We are looking for passionate students to contribute to two major areas: our main application development in JavaScript and our metric analyzer and collector in Java. Whether you are looking to tackle medium-sized challenges or are ready to embark on a larger project, we have exciting opportunities for you.

To receive early feedback please:

• put your proposal on Google Docs and submit it to the OWASP Organization on Google’s GSoC page in “Draft Shared” mode.
• Please pick “dsomm” as Proposal Tag to make them easier to find for us. Thank you!

Medium Feature Pack for the DSOMM Main Application (JS)

This pack includes tasks that are crucial for enhancing the user experience and functionality of the DSOMM main application. Contributors will address existing issues and add new features:

• Implement a State or Tag for “Not yet assessed”, addressing Issue #241
• Enhance the Excel download feature in “Mapping” by adding assessment information, as discussed in Issue #244
• Refine the handling of subcategories to streamline the organization and presentation of maturity model elements, making the tool more intuitive. See Issue #194
• Introduce the Adding of Diagrams feature to enhance the visualization of DevSecOps processes and maturity levels, as outlined in Issue #183
• Your Idea: Proposals that innovate or enhance the metric collection and analysis process are highly encouraged.

Large Feature Pack for the metric Analyzer and Collector (Java)

This pack challenges students to develop the entire workflow from data collection to visualization for DSOMM metrics, including the implementation of a Kafka queue. Projects include:

• Design and implement a collector for OWASP DefectDojo, fetching Mean Time to Resolve (MTTR) and Mean Time to Patch (MTTP) via the defectdjo-client which fetches MTTR/MTTP)
• Develop a collector for Confluence, to retrieve essential documents such as threat modeling and pentest reports, with a focus on document management and identification.
• Engineer a collector for GitHub, to calculate MTTP by tracking pull request opening and merge dates. In addition, check that branch protection is enabled and a .gitignore exists in the root file system.
• Your Idea: Proposals that innovate or enhance the metric collection and analysis process are highly encouraged.

Large Feature Pack for the metric Analyzer and Collector (Java)

This pack challenges students to develop the entire workflow from data collection to visualization for DSOMM metrics, including the implementation of a Kafka queue. Projects include:

• Design and implement a collector for OWASP DefectDojo, fetching Mean Time to Resolve (MTTR) and Mean Time to Patch (MTTP) via the defectdjo-client which fetches MTTR/MTTP)
• Develop a collector for Backstage, Jira and Confluence, to retrieve essential documents such as threat modeling and pentest reports, with a focus on document management and identification.
• Create a collector for Jenkins, aimed at measuring deployment frequency by team, a key metric in DevOps performance.
• Engineer a collector for GitHub, to calculate MTTP by tracking pull request opening and merge dates. In addition, check that branch protection is enabled and a .gitignore exists in the root file system.
• Engineer a collector for Dependency Track, fetching Mean Time to Resolve (MTTR) and Mean Time to Patch (MTTP)
• Your Idea: Proposals that innovate or enhance the metric collection and analysis process are highly encouraged.

Please take a look at the architecture digram of DSOMM metricCA. The whole way from the collector to grafana needs to be implemented. Please note that a queue Kafka and Prometheus is currently not implemented and needs to be implemented in the collector and in the metricAnalyzer.

For Backstage, Jira and Confluence a defined format and tags might be used to identify the corresponding team and type of document (e.g. threat modeling/pentest).

Prerequisites

• Proficiency in the corresponding programming language (JavaScript for the main application, Java for the metric analyzer and collector)
• Previous contributions to open-source projects are highly desirable, demonstrating your commitment and collaborative skills

Mentors

Reach out to us on Slack to discuss these and other ideas!

• Timo Pagel
• Aryan Prasad

OWASP OWTF

Explanation of Ideas

• Refactor and complete the web interface
• Update plugins to new recon, discovery and attack tools
• Design & implement deployment architecture

Getting Started

Repositories:

• OWTF
• OWTF Docker
• OWTF Python client

Please use the repositories’ issue tracker, GitHub discussions, and don’t forget to read the contributing guide. Join the community at #owtf on OWASP Slack and share your questions, project ideas.

Knowledge Prerequisites

• Terraform for infra as code
• Python for application
• React/React ecosystem for application frontend
• Kubernetes/helm for infrastructure deployment
• Basic knowledge of application security, tools used in bug bounty style hunting

Mentors

• Viyat Bhalodia
• Abraham Aranguran

OWASP secureCodeBox

secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. The secureCodeBox comes with many different scanners officially integrated (from Amass to Zap) and integration with vulnerability management backends like DefectDojo.

To receive early feedback please:

• put your proposal on Google Docs and submit it to the OWASP Organization on Google’s GSoC page in “Draft Shared” mode.
• Please pick “securecodebox” as Proposal Tag to make them easier to find for us. Thank you!

Explanation of Ideas

Add a secureCodeBox CLI (scbctl)

The primary interface to interact with the secureCodeBox is through it’s Custom Resources (CRs) in the Kubernetes API. Writing the resource (e.g. Scans) is generally not hard but can be cumbersome as the require the creation of a new file / multi line string in the command line.

To make these interactions easier to use and more fun, a custom (but optional) secureCodeBox CLI should help by automatically connecting to the Kubernetes API.

• create a new command line client which connects to the Kubernetes API and interacts with the CRs of the secureCodeBox
• write tests & including integration / e2e test and the CI pipeline (GitHub Actions)

More context & information are listed in the GitHub Issue

Your own idea

You have an awesome idea to improve the OWASP secureCodeBox? We’d love to hear it, please reach out via email / owasp slack / github to ensure that the idea fits into the project. :)

Getting started

• Make yourself familiar with the project by going through our HowTo guides which will guide you through different parts of the secureCodeBox.
• Make sure that you have a solid golang knowledge to be able to complete the proposed project.
• Get in touch with Jannik Hollenbach to discuss any of the listed or your own idea for GSoC!

Mentors

• Jannik Hollenbach - OWASP secureCodeBox Core Team
• Robert Felber - OWASP secureCodeBox Project Lead

OWASP Nettacker

OWASP Nettacker is a Modular Automated Penetration Testing/ Information gathering Framework and Vulnerability Scanner fully written in Python. Nettacker can run a variety of scans discovering subdomains, open ports, services, vulnerabilities, misconfigurations, default credentials.

Explanation of Ideas

• create comparison functionality for comparing the current scan with another scan using scanID
• fix scan engine multi-threading/queuing issues
• improve WebUI / add dashboard
• implement SSL/TLS modules to restore the functionality we had in Nettacker v0.0.2
• add DefectDojo integration / output report format
• add SARIF output report format
• implement testing framework, get 70% code coverage level

Getting Started

Repositories:

• OWASP Nettacker on OWASP GitHub
• Join OWASP Slack and contact us on channel #project-nettacker

Knowldege Requirements

• Python
• Flask
• HTML/CSS/JavaScript
• previous vulnerability scanning/bug bounty hunting experience

Mentors

• Sam Stepanyan
• Ali Razmjoo
• Arkadii Yakovets

OWASP Threat Dragon

OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle.

Explanation of Ideas

The threat engine has two features that have not yet been carried over from version 1.x to the current version 2.x. These need to be implemented and expanded from what is available in version 1.x; both ideas are independent GSoC projects:

• add threats by element for STRIDE/LINDDUN/PLOT4ai issue #792
• add threats using OWASP Automated Threats (OATs) patterns issue #501

Getting Started

• Browse the documentation to see if Threat Dragon is for you
• Join OWASP Slack and contact the Threat Dragon community on channel #project-threat-dragon
• Refer to the Threat Dragon contributing guidelines

Repositories:

• OWASP Threat Dragon on OWASP GitHub

Knowldege Requirements

• Javascript
• Node.js
• git

Mentors

• Jon Gadsden