[Owasp-board] Fwd: OWASP SoC

Sebastien Deleersnyder Sebastien.Deleersnyder at telindus.be
Thu Mar 6 11:51:35 UTC 2008


Dinis,

That's rather ambitious :-)

What do you mean by 'Single Interface'?

The GUI ?

The Test types / scripts ?

The reporting ?

...

What about the commercial http://xml.coverpages.org/AVDL-CDSupport.html
initiative? I suppose this died?

regards

Seba

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: 06 March 2008 12:40
To: OWASP Foundation Board List
Subject: Re: [Owasp-board] Fwd: OWASP SoC

Following the last two emails I sent (one with the ppt and one with an
email thread), and as somebody who has put quite a bit of thought and
OWASP energy into this concept, I would like to make a couple more
points:

 - Writing such a scanner is not a trivial task and one that would need
considerable resources, focus and energy
 - I'm not saying we shouldn't do it, but I want to propose an
alternative strategy,
 - Instead of trying to build something from the ground up which
contains the (significant) functionality required for wide use, I think
we should solve another problem first. The problem is the lack (or very
poor) interoperability and collaboration between related Open
Source projects. The irony is that if we combine 20ish Open Source
projects (WebScarab, WSFuzzer, Nikto, HTTrack, OWASP report generator,
etc...) we would end up with probably 90% of that desired Open Source
Scanner tool. The problem is that there is no single interface for the
use of these tools, and there is no focus from the tools' authors to work
together (and even - shock horror - to reuse code)

 - So what I propose is that we first use OWASP resources (both
financial and current source code) to create a 'Single Interface' to ALL
Web Application testing tools currently listed as an OWASP project (see
http://www.owasp.org/index.php/Category:OWASP_Project)

 - This would be of enormous use for our users/members; would give focus
to a lot of these projects; and would be a great use of OWASP resources
and energy.
 - I would even suggest that in the future a requirement for such tools
to become an OWASP project would be their integration with this 'OWASP
testing & reporting tool set'
 - Since we already have a wide range of languages (.NET, Java, Python,
Perl, etc...) the project focus would NOT be on what technology or
languages these scanning tools need to be developed in (which would be a
massive can of worms), but the focus would be on 'How do we get all
these projects talking together?' and 'How can we instrument them from a
central location?'.

THAT (from my point of view) would be the project worth a heavy
sponsorship.

What do you think?

Dinis

On Thu, Mar 6, 2008 at 3:07 AM, Tom Brennan <tomb at owasp.org> wrote:

Ok so think of this one.... OWASP announces an OPEN-SOURCE WEB
APPLICATION SCANNER supported by the community. Hmmm, don't you think
that is going to raise the visibility?

I have been talking with Andres over the last few months and he has put
into words the next steps.

Agenda item ;) however this one needs not only a review for approval,
but this can catapult an OWASP project to mainstream corporate
acceptance. At 25k per commercial tool ~ this is a free solution for
the masses, and when combined and vetted with the rest of the
frameworks... you get the idea.

http://w3af.sourceforge.net/ Web Application Attack and Audit Framework

-Brennan

---------- Forwarded message ----------
From: Andres Riancho <andres.riancho at gmail.com>
Date: Wed, Mar 5, 2008 at 11:37 AM
Subject: OWASP SoC
To: tomb at owasp.org


Tom,

   Hi man! How are you? I have been thinking about the proposal you
made to me some time ago about w3af being an OWASP project, and I
thought that a good way of getting to know "us" (I mean w3af and
OWASP) is to start with something simple like the SoC. I think that
the participation of w3af in SoC would be a step forward in the
direction of working together.

   On a related subject: I have been talking with Bernardo Damele,
who says that after the last SoC his project is listed as an OWASP
project [0]. What is this all about? Will the same happen to w3af?!

[0] http://www.owasp.org/index.php/Category:OWASP_Project

Cheers,
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework


-- 
It's coming.... are you ready?
https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference 
_______________________________________________
Owasp-board mailing list
Owasp-board at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-board
