[Owasp-board] Fwd: Fwd: OWASP SoC

dinis cruz dinis.cruz at owasp.org
Fri Mar 7 12:31:38 UTC 2008


Not as ambitious as building it all from scratch :)

If you look at OWASP projects, you already have most of the pieces of the
puzzle. My idea is to have a 'central' tool (backed up by standard
communications protocols) which connects these projects.

For example: scan results from WebScarab / JBroFuzz are directly fed into
the OWASP Report Generator (which would handle the reporting)

Dinis


On Thu, Mar 6, 2008 at 11:51 AM, Sebastien Deleersnyder <
Sebastien.Deleersnyder at telindus.be> wrote:

> Dinis,
>
> That's rather ambitious :-)
>
> What do you mean by 'Single Interface' ?
>
> The GUI ?
>
> The Test types / scripts ?
>
> The reporting ?
>
> What about the commercial http://xml.coverpages.org/AVDL-CDSupport.html initiative? I suppose this died ?
>
> regards
>
> Seba
>
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *dinis cruz
> *Sent:* 06 March 2008 12:40
> *To:* OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] Fwd: OWASP SoC
>
>
>
> Following the last two emails I sent (one with the ppt and one with an
> email thread), and as somebody who has put quite a bit of thought and OWASP
> energy into this concept, I would like to make a couple more points:
>
>  - Writing such a scanner is not a trivial task and one that would need
> considerable resources, focus and energy
>  - I'm not saying we shouldn't do it, but I want to propose an alternative
> strategy,
>  - Instead of trying to build something from the ground up which contains
> the (significant) functionality required for wide use, I think we should
> solve another problem first. The problem is the lack (or very poor)
> interoperability and collaboration between related Open Source
> projects. The irony is that if we combine 20ish Open Source projects
> (WebScarab, WSFuzzer, Nikto, HTTrack, OWASP Report Generator, etc...) we
> would end up with probably 90% of that desired Open Source Scanner tool. The
> problem is that there is no single interface for the use of these tools, and
> there is no focus from the tools' authors to work together (and even - shock
> horror - to reuse code)
>
>  - So what I propose is that we first *use OWASP resources (both financial
> and current source-code) to create a 'Single Interface' to ALL Web
> Application testing tools currently listed as an OWASP project* (see
> http://www.owasp.org/index.php/Category:OWASP_Project)
>
>  - This would be of enormous use for our users/members; would give focus
> to a lot of these projects; and would be a great use of OWASP resources and
> energy.
>  - I would even suggest that in the future a requirement for such tools to
> become an OWASP project would be their integration with this 'OWASP testing &
> reporting tool set'
>  - Since we already have a wide range of languages (.NET, Java, Python,
> Perl, etc...) the project focus would NOT be on what technology or languages
> these scanning tools need to be developed in (which would be a massive can
> of worms), but the focus would be on '*How do we get all these projects
> talking together?*' and '*How can we instrument them from a central
> location?*'.
>
> THAT (from my point of view), would be the project worth a heavy
> sponsorship
>
> What do you think?
>
> Dinis
>
> On Thu, Mar 6, 2008 at 3:07 AM, Tom Brennan <tomb at owasp.org> wrote:
>
> Ok so think of this one.... OWASP announces an OPEN-SOURCE WEB APPLICATION
> SCANNER supported by the community.  Hmmm don't you think that is going to
> raise the visibility?
>
> I have been talking with Andres over the last few months and he has put
> into words the next steps.
>
> Agenda item ;)  however this one needs not only a review for approval but
> this can catapult an OWASP project to mainstream corporate acceptance.  At
> 25k per commercial tool ~ this is a free solution for the masses and when
> combined and vetted with the rest of the frameworks.. you get the idea.
>
> http://w3af.sourceforge.net Web Application Attack and Audit Framework
>
> -Brennan
>
> ---------- Forwarded message ----------
> From: *Andres Riancho* <andres.riancho at gmail.com>
> Date: Wed, Mar 5, 2008 at 11:37 AM
> Subject: OWASP SoC
> To: tomb at owasp.org
>
>
> Tom,
>
>    Hi man! how are you? I have been thinking about the proposal you
> made to me some time ago about w3af being an OWASP project; and I
> thought that a good way of getting to know "us" (I mean w3af and
> OWASP) is to start with something simple like the SoC. I think that
> the participation of w3af in SoC would be a step forward in the
> direction of working together.
>
>    On a related subject; I have been talking with Bernardo Damele,
> who says that after the last SoC his project is listed as an OWASP
> project [0]. What is this all about?  Will the same happen to w3af?!
>
> [0] http://www.owasp.org/index.php/Category:OWASP_Project
>
> Cheers,
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
>
>
>
>
> --
> Its coming.... are you ready?
> https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board