[Owasp-board] Fwd: Fwd: OWASP SoC

Sebastien Deleersnyder seba at deleersnyder.eu
Sat Mar 8 10:23:34 UTC 2008



Of course, but what kind of 'Single Interface' do you mean? Translating to:

Tool API - exposing functionality through web services with standardized
testing descriptions in XML with parameters / scripts?

Test results in XML?


With links to projects like Honeycomb ...







From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Friday 7 March 2008 13:32
To: OWASP Foundation Board List
Subject: [Owasp-board] Fwd: Fwd: OWASP SoC


Not as ambitious as building it all from scratch :)

If you look at OWASP projects you already have most of the pieces of the
puzzle. My idea is to have a 'central' tool (backed up by standard
communications protocols) which connects these projects.

For example: Scan results from WebScarab / JBroFuzz are fed directly into
the OWASP Report Generator (which would handle the reporting).



On Thu, Mar 6, 2008 at 11:51 AM, Sebastien Deleersnyder
<Sebastien.Deleersnyder at telindus.be> wrote:



That's rather ambitious :-)


What do you mean by 'Single Interface'?

The GUI ?

The Test types / scripts ?

The reporting ?



What about the commercial http://xml.coverpages.org/AVDL-CDSupport.html
initiative? I suppose this died?







From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: 06 March 2008 12:40
To: OWASP Foundation Board List
Subject: Re: [Owasp-board] Fwd: OWASP SoC


Following the last two emails I sent (one with the ppt and one with an email
thread), and as somebody who has put quite a bit of thought and OWASP energy
into this concept, I would like to make a couple more points:

 - Writing such a scanner is not a trivial task and one that would need
considerable resources, focus and energy
 - I'm not saying we shouldn't do it, but I want to propose an alternative
 - Instead of trying to build something from the ground up which contains
the (significant) functionality required for wide use, I think we should
solve another problem first. The problem is the lack (or very poor)
interoperability and collaboration between related Open Source
projects. The irony is that if we combine 20ish Open Source projects
(WebScarab, WSFuzzer, Nikto, HTTrack, OWASP Report Generator, etc...) we
would end up with probably 90% of that desired Open Source Scanner tool. The
problem is that there is no single interface for the use of these tools, and
there is no focus from the tools' authors to work together (and even - shock
horror - to reuse code)

 - So what I propose is that we first use OWASP resources (both financial
and current source-code) to create a 'Single Interface' to ALL Web
Application testing tools currently listed as an OWASP project (see

 - This would be of enormous use for our users/members; would give focus to
a lot of these projects; and would be a great use of OWASP resources and
 - I would even suggest that in the future a requirement for such tools to
become an OWASP project, would be its integration with this 'OWASP testing &
reporting tool set'
 - Since we already have a wide range of languages (.NET, Java, Python,
Perl, etc...) the project focus would NOT be on what technology or languages
these scanning tools need to be developed in (which would be a massive can
of worms), but the focus would be on 'How do we get all these projects
talking together?' and 'How can we instrument them from a central

THAT (from my point of view) would be the project worth a heavy sponsorship.

What do you think?


On Thu, Mar 6, 2008 at 3:07 AM, Tom Brennan <tomb at owasp.org> wrote:

Ok so think of this one.... OWASP announces an OPEN-SOURCE WEB APPLICATION
SCANNER supported by the community.  Hmmm, don't you think that is going to
raise the visibility?

I have been talking with Andres over the last few months and he has put into
words the next steps.

Agenda item ;)  However, this one needs not only a review for approval, but
this can catapult an OWASP project to mainstream corporate acceptance.  At
25k per commercial tool ~ this is a free solution for the masses, and when
combined and vetted with the rest of the frameworks.. you get the idea.

http://w3af.sourceforge.net - Web Application Attack and Audit Framework


---------- Forwarded message ----------
From: Andres Riancho <andres.riancho at gmail.com>
Date: Wed, Mar 5, 2008 at 11:37 AM
Subject: OWASP SoC
To: tomb at owasp.org


   Hi man! How are you? I have been thinking about the proposal you
made to me some time ago about w3af being an OWASP project, and I
thought that a good way of getting to know "us" (I mean w3af and
OWASP) is to start with something simple like the SoC. I think that
the participation of w3af in SoC would be a step forward in the
direction of working together.

   On a related subject: I have been talking with Bernardo Damele,
who says that after the last SoC his project is listed as an OWASP
project [0]. What is this all about? Will the same happen to w3af

[0] http://www.owasp.org/index.php/Category:OWASP_Project

Andres Riancho
Web Application Attack and Audit Framework

It's coming.... are you ready?
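Editor's added example, illustrating the "central tool backed by standard communications protocols" that Dinis proposes and the "test results in XML" question Sebastien raises. It is not code from any OWASP project or from w3af. Everything in it is constructed for the example: the two tool output formats (a hypothetical XML fuzzer report and a hypothetical line-oriented server scanner log) are invented and are NOT the real WebScarab, JBroFuzz or Nikto formats, and the target URLs and findings are made up. What it shows is the glue layer the thread argues is missing: per-tool adapters that map tool-specific labels onto one normalized category and severity, a merge step that notices when two tools flag the same thing, and a common results XML that a report generator could consume without knowing which tool ran.

```python
"""Normalize results from several (hypothetical) web scanners into one
common finding format and one report XML.  Example code only."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    url: str
    category: str   # normalized: xss, sqli, directory-listing, info-disclosure, other
    severity: str   # high / medium / low / info
    evidence: str


# Tool-specific labels -> normalized category.  The report layer only ever
# sees the normalized names, so adding a tool means adding rules here.
CATEGORY_RULES = [
    (re.compile(r"cross.?site scripting|\bxss\b", re.I), "xss"),
    (re.compile(r"sql injection|\bsqli\b", re.I), "sqli"),
    (re.compile(r"directory (indexing|listing)", re.I), "directory-listing"),
    (re.compile(r"banner|version", re.I), "info-disclosure"),
]
SEVERITY_BY_CATEGORY = {"xss": "high", "sqli": "high", "directory-listing": "medium",
                        "info-disclosure": "low", "other": "info"}
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}  # lower number = more severe


def normalize_category(label: str) -> str:
    for pattern, category in CATEGORY_RULES:
        if pattern.search(label):
            return category
    return "other"


# Constructed sample: a hypothetical fuzzer's XML output (not a real format).
FUZZER_XML = """<scan tool="hypothetical-fuzzer">
  <result url="http://target.example/search?q=1" type="Cross Site Scripting" risk="3">
    <payload>&lt;script&gt;alert(1)&lt;/script&gt;</payload>
  </result>
  <result url="http://target.example/item?id=1" type="SQL Injection" risk="3">
    <payload>1' OR '1'='1</payload>
  </result>
  <result url="http://target.example/" type="Server banner" risk="1">
    <payload>Apache/2.2.8</payload>
  </result>
</scan>
"""

# Constructed sample: a hypothetical line-oriented scanner log (not a real format).
SCANNER_TEXT = """\
+ Target: http://target.example/
+ /: Server leaks version via banner: Apache/2.2.8
+ /admin/: Directory indexing found.
+ /search?q=1: Cross-site scripting (XSS) reflected in response.
"""


def parse_fuzzer_xml(xml_text: str) -> list:
    """Adapter for the hypothetical fuzzer: risk attribute 3/2/1 -> high/medium/low."""
    root = ET.fromstring(xml_text)
    tool = root.get("tool", "unknown")
    risk_map = {"3": "high", "2": "medium", "1": "low"}
    return [Finding(tool=tool, url=r.get("url", ""),
                    category=normalize_category(r.get("type", "")),
                    severity=risk_map.get(r.get("risk", ""), "info"),
                    evidence=r.findtext("payload", default=""))
            for r in root.findall("result")]


TARGET_RE = re.compile(r"^\+ Target: (?P<base>\S+)$")
LINE_RE = re.compile(r"^\+ (?P<path>/\S*): (?P<desc>.+)$")


def parse_scanner_text(text: str, tool: str = "hypothetical-scanner") -> list:
    """Adapter for the hypothetical scanner: it reports no risk, so severity
    is derived from the normalized category."""
    base, findings = "", []
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            base = m.group("base").rstrip("/")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines the adapter does not understand
        category = normalize_category(m.group("desc"))
        findings.append(Finding(tool=tool, url=base + m.group("path"), category=category,
                                severity=SEVERITY_BY_CATEGORY[category],
                                evidence=m.group("desc").strip()))
    return findings


def merge(findings) -> list:
    """Collapse findings that share (url, category); keep the highest severity
    and remember every tool that reported it, so the report can show corroboration."""
    merged = {}
    for f in findings:
        entry = merged.setdefault((f.url, f.category), {
            "url": f.url, "category": f.category, "severity": f.severity,
            "tools": [], "evidence": []})
        if f.tool not in entry["tools"]:
            entry["tools"].append(f.tool)
        entry["evidence"].append(f"{f.tool}: {f.evidence}")
        entry["severity"] = min(entry["severity"], f.severity, key=RANK.__getitem__)
    return sorted(merged.values(), key=lambda e: (RANK[e["severity"]], e["url"]))


def to_report_xml(merged) -> str:
    """Common results XML a report generator could consume."""
    root = ET.Element("report")
    for e in merged:
        node = ET.SubElement(root, "finding", category=e["category"],
                             severity=e["severity"], confirmed_by=str(len(e["tools"])))
        ET.SubElement(node, "url").text = e["url"]
        ET.SubElement(node, "tools").text = ",".join(e["tools"])
        for ev in e["evidence"]:
            ET.SubElement(node, "evidence").text = ev
    return ET.tostring(root, encoding="unicode")


def run_pipeline() -> list:
    """Run both adapters over the constructed samples and merge the results."""
    return merge(parse_fuzzer_xml(FUZZER_XML) + parse_scanner_text(SCANNER_TEXT))


if __name__ == "__main__":
    print(to_report_xml(run_pipeline()))
```

The six raw results collapse to four findings; the reflected XSS and the banner leak are each reported by both tools and come out with confirmed_by="2", which is exactly the kind of cross-tool corroboration that is invisible when each tool writes its own report.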



