Announcing The Synapse Project.


After discussing some issues about the current state of web application security with a group of people, I made the decision to change web application security for the better. I find it saddening that we talk about the security of web applications without really solving the problems we face. I believe in a pragmatic method of solving problems instead of continued talk about the topic. Overall, I want to see results in web application security not by protecting web applications, but by educating programmers and developers through Synapse.

A basic overview of what Synapse will be like.

1. Synapse will be a platform and online code-vulnerability scanner that proactively educates developers who write software for the Internet by inspecting their software and notifying them of code flaws.

2. Synapse will be able to inspect, on a special dedicated web server, all software packages released on the Internet that are freely available under any GNU-type license.

3. Synapse will spider the free software portals and retrieve all software for inspection. Synapse will investigate the code and, upon finding a flaw, enter the vulnerability into a database ready for triage, either by manual labor through a syndicated feed or by further processing that involves real-time automated software testing.

4. Synapse will be able to notify the software developer automatically with a report generated on the results.

5. Synapse then offers the software developer different choices. One is that the developer gets general advice on how to fix the issues; the other is to get in contact with a skilled programmer or company that can advise the programmer or solve the problems for a fee.

The Synapse.

The Synapse project will be a project that bridges developers and the security industry. Synapse will not be owned by anyone; its strategic objective will remain transparent and accessible to everyone. There is certainly the possibility for companies to enroll as a sponsor, as an asset that can advise the developers, or to enroll a specialist for a fee. In this case, security companies as well as individual web application pentesters can get a lot of potential customers this way. The intention is to make web applications more secure and to educate developers in the process. The aim is not to gather a database of vulnerabilities, nor will they be disclosed while the bugs are being fixed. Disclosure by the Synapse project will occur after the software has been fixed and tested, and will be made publicly available.

I will start this project this summer. I am certain that the project will become a good aid in spreading knowledge and at the same time securing web applications. For now I want to know if there are people or companies interested in sponsoring this project as a start-up. Individual donations to this project are welcome as well. If you are interested in this very special project that might be one of its kind, and possibly could revolutionize web application security, I would appreciate it if you would contact me. Naturally I am also looking for support on different fronts. Here is the current list of assets I wish to gather:

- Stable and secure web hosting (I prefer dedicated).
- Web application programmers for Synapse.
- PHP/ASP/Perl/Java programmers.
- A webmaster to maintain the Synapse portal.
- Beta testers when Synapse reaches the beta stage.
- Sponsors, donations.

If you consider affiliating by sponsoring the project or donating to it, your help will not go unnoticed. Special privileges will be granted to sponsors, including:

- Banner and sponsor listing on the Synapse portal.
- The thought that you helped web application security and created a safer Internet.

If you are interested in a small but important revolution, or you know someone who might be interested in this opportunity to actually change the security landscape, then please get in touch with me. You can find my contact details on the contact page.

If you want to join our group you can request access here:
http://groups.google.com/group/synapse-project

