[Owasp-board] Fwd: Fwd: OWASP SoC

Sebastien Deleersnyder seba at deleersnyder.eu
Sat Mar 8 10:23:34 UTC 2008


Dinis,

Of course, but what 'Single Interface' do you mean, translating to:

Tool API - exposing functionality through web services with standardized
calls?

Testing descriptions in XML with parameters / scripts ?

Test results in XML ?

With links to projects like Honeycomb ...

Regards

Seba

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: vrijdag 7 maart 2008 13:32
To: OWASP Foundation Board List
Subject: [Owasp-board] Fwd: Fwd: OWASP SoC

Not as ambitious as building it all from scratch :)


If you look at OWASP projects you already have most of the pieces from the
puzzle. My idea is to have a 'central' tool (backed up by standard
communications protocols) which connects these projects. 

For example: Scan results from WebScarab / JBroFuzz are directly fed into
the OWASP Report Generator (which would handle the reporting).

Dinis

On Thu, Mar 6, 2008 at 11:51 AM, Sebastien Deleersnyder
<Sebastien.Deleersnyder at telindus.be> wrote:

Dinis,

That's rather ambitious :-)

What do you mean with 'Single Interface' ?

The GUI ?

The Test types / scripts ?

The reporting ?

What about the commercial http://xml.coverpages.org/AVDL-CDSupport.html
initiative? I suppose this died ?

regards

Seba

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: 06 March 2008 12:40
To: OWASP Foundation Board List
Subject: Re: [Owasp-board] Fwd: OWASP SoC

Following the last two emails I sent (one with the ppt and one with an email
thread), and as somebody who has put quite a bit of thought and OWASP energy
into this concept, I would like to make a couple more points:

 - Writing such a scanner is not a trivial task and one that would need
considerable resources, focus and energy
 - I'm not saying we shouldn't do it, but I want to propose an alternative
strategy,
 - Instead of trying to build something from the ground up which contains
the (significant) functionality required for wide use, I think we should
solve another problem first. The problem is the lack (or very poor)
interoperability and collaboration between related Open Source
projects. The irony is that if we combine 20ish Open Source projects
(WebScarab, WSFuzzer, Nikto, HTTrack, OWASP report generator, etc...) we
would end up with probably 90% of that desired Open Source Scanner tool. The
problem is that there is no single interface for the use of these tools, and
there is no focus from the tools' authors to work together (and even - shock
horror - to reuse code)

 - So what I propose is that we first use OWASP resources (both financial
and current source-code) to create a 'Single Interface' to ALL Web
Application testing tools currently listed as an OWASP project (see
http://www.owasp.org/index.php/Category:OWASP_Project)

 - This would be of enormous use for our users/members; would give focus to
a lot of these projects; and would be a great use of OWASP resources and
energy.
 - I would even suggest that in the future a requirement for such tools to
become an OWASP project would be their integration with this 'OWASP testing &
reporting tool set'
 - Since we already have a wide range of languages (.NET, Java, Python,
Perl, etc...) the project focus would NOT be on what technology or languages
these scanning tools need to be developed in (which would be a massive can
of worms), but the focus would be on 'How do we get all these projects
talking together?' and 'How can we instrument them from a central
location?'.

THAT (from my point of view), would be the project worth a heavy sponsorship

What do you think?

Dinis

On Thu, Mar 6, 2008 at 3:07 AM, Tom Brennan <tomb at owasp.org> wrote:

Ok so think of this one.... OWASP announces an OPEN-SOURCE WEB APPLICATION
SCANNER supported by the community.  Hmmm don't you think that is going to
raise the visibility?

I have been talking with Andres over the last few months and he has put into
words the next steps.

Agenda item ;)  however this one needs not only a review for approval but
this can catapult an OWASP project to mainstream corporate acceptance.  At
25k per commercial tool ~ this is a free solution for the masses and when
combined and vetted with the rest of the frameworks.. you get the idea.

http://w3af.sourceforge.net/  Web Application
Attack and Audit Framework

-Brennan

---------- Forwarded message ----------
From: Andres Riancho <andres.riancho at gmail.com>
Date: Wed, Mar 5, 2008 at 11:37 AM
Subject: OWASP SoC
To: tomb at owasp.org


Tom,

   Hi man! How are you? I have been thinking about the proposal you
made to me some time ago about w3af being an OWASP project; and I
thought that a good way of getting to know "us" (I mean w3af and
OWASP) is to start with something simple like the SoC. I think that
the participation of w3af in SoC would be a step forward in the
direction of working together.

   On a related subject; I have been talking with Bernardo Damele,
who says that after the last SoC his project is listed as an OWASP
project [0]. What is this all about? Will the same happen to w3af?!

[0] http://www.owasp.org/index.php/Category:OWASP_Project

Cheers,
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework




-- 
It's coming.... are you ready?
https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
_______________________________________________
Owasp-board mailing list
Owasp-board at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-board