[Owasp-board] Fwd: OWASP SoC

dinis cruz dinis.cruz at owasp.org
Thu Mar 6 11:40:12 UTC 2008


Following the last two emails I sent (one with the ppt and one with an email
thread), and as somebody who has put quite a bit of thought and OWASP energy
into this concept, I would like to make a couple more points:

 - Writing such a scanner is not a trivial task, and one that would need
considerable resources, focus and energy.
 - I'm not saying we shouldn't do it, but I want to propose an alternative
strategy.
 - Instead of trying to build something from the ground up which contains
the (significant) functionality required for wide use, I think we should
solve another problem first. The problem is the lack of (or very poor)
interoperability and collaboration between related Open Source
projects. The irony is that if we combine 20ish Open Source projects
(WebScarab, WSFuzzer, Nikto, HTTrack, OWASP Report Generator, etc...) we
would end up with probably 90% of that desired Open Source scanner tool. The
problem is that there is no single interface for the use of these tools, and
there is no focus from the tools' authors on working together (and even - shock
horror - on reusing code).

 - So what I propose is that we first *use OWASP resources (both financial
and current source code) to create a 'Single Interface' to ALL Web
Application testing tools currently listed as an OWASP project* (see
http://www.owasp.org/index.php/Category:OWASP_Project).

 - This would be of enormous use to our users/members; would give focus to
a lot of these projects; and would be a great use of OWASP resources and
energy.
 - I would even suggest that in the future a requirement for such tools to
become an OWASP project would be their integration with this 'OWASP testing &
reporting tool set'.
 - Since we already have a wide range of languages (.NET, Java, Python,
Perl, etc...), the project focus would NOT be on what technology or languages
these scanning tools need to be developed in (which would be a massive can
of worms), but on '*How do we get all these projects
talking together?*' and '*How can we instrument them from a central
location?*'.

THAT (from my point of view) would be the project worth a heavy sponsorship.

What do you think?

Dinis

On Thu, Mar 6, 2008 at 3:07 AM, Tom Brennan <tomb at owasp.org> wrote:

> Ok so think of this one.... OWASP announces an OPEN-SOURCE WEB APPLICATION
> SCANNER supported by the community.  Hmmm, don't you think that is going to
> raise the visibility?
>
> I have been talking with Andres over the last few months and he has put
> into words the next steps.
>
> Agenda item ;)  However, this one needs not only a review for approval, but
> it can catapult an OWASP project to mainstream corporate acceptance.  At
> 25k per commercial tool ~ this is a free solution for the masses, and when
> combined and vetted with the rest of the frameworks.. you get the idea.
>
> http://w3af.sourceforge.net Web Application Attack and Audit Framework
>
> -Brennan
>
> ---------- Forwarded message ----------
> From: Andres Riancho <andres.riancho at gmail.com>
> Date: Wed, Mar 5, 2008 at 11:37 AM
> Subject: OWASP SoC
> To: tomb at owasp.org
>
>
> Tom,
>
>    Hi man! How are you? I have been thinking about the proposal you
> made to me some time ago about w3af being an OWASP project, and I
> thought that a good way of getting to know "us" (I mean w3af and
> OWASP) is to start with something simple like the SoC. I think that
> the participation of w3af in SoC would be a step forward in the
> direction of working together.
>
>    On a related subject, I have been talking with Bernardo Damele,
> who says that after the last SoC his project is listed as an OWASP
> project [0]. What is this all about? Will the same happen to w3af?!
>
> [0] http://www.owasp.org/index.php/Category:OWASP_Project
>
> Cheers,
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
>
>
>
> --
> It's coming.... are you ready?
> https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference