[Owasp-board] Fwd: Fwd: OWASP SoC

dinis cruz dinis.cruz at owasp.org
Mon Mar 10 12:58:38 UTC 2008


Yes to all of those :)

This tool could be used as proxy between two tools (since it might be easier
to implement it centrally than make dramatic changes in the tools), but
ideally we would want the separate tools to be able to talk to each other
(with the results in XML format)

Dinis

On Sat, Mar 8, 2008 at 10:23 AM, Sebastien Deleersnyder <
seba at deleersnyder.eu> wrote:

> Dinis,
>
> Of course, but what 'Single Interface' do you mean, translating to:
>
> Tool API – exposing functionality through web services with standardized
> calls?
>
> Testing descriptions in XML with parameters / scripts?
>
> Test results in XML?
>
> With links to projects like Honeycomb ...
>
> Regards
>
> Seba
>
> ------------------------------
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *dinis cruz
> *Sent:* vrijdag 7 maart 2008 13:32
> *To:* OWASP Foundation Board List
> *Subject:* [Owasp-board] Fwd: Fwd: OWASP SoC
>
> Not as ambitious as building it all from scratch :)
>
> If you look at OWASP projects you already have most of the pieces from the
> puzzle. My idea is to have a 'central' tool (backed up by standard
> communications protocols) which connects these projects.
>
> For example: Scan results from WebScarab / JBroFuzz are directly fed into
> the OWASP Report Generator (which would handle the reporting)
>
> Dinis
>
> On Thu, Mar 6, 2008 at 11:51 AM, Sebastien Deleersnyder <
> Sebastien.Deleersnyder at telindus.be> wrote:
>
> Dinis,
>
> That's rather ambitious :-)
>
> What do you mean with 'Single Interface'?
>
> The GUI?
>
> The Test types / scripts?
>
> The reporting?
>
> What about the commercial http://xml.coverpages.org/AVDL-CDSupport.html initiative? I suppose this died?
>
> regards
>
> Seba
>
> *From:* owasp-board-bounces at lists.owasp.org [mailto:
> owasp-board-bounces at lists.owasp.org] *On Behalf Of *dinis cruz
> *Sent:* 06 March 2008 12:40
> *To:* OWASP Foundation Board List
> *Subject:* Re: [Owasp-board] Fwd: OWASP SoC
>
> Following the last two emails I sent (one with the ppt and one with an
> email thread), and as somebody who has put quite a bit of thought and OWASP
> energy into this concept, I would like to make a couple more points:
>
>  - Writing such a scanner is not a trivial task and one that would need
> considerable resources, focus and energy
>  - I'm not saying we shouldn't do it, but I want to propose an alternative
> strategy,
>  - Instead of trying to build something from the ground up which contains
> the (significant) functionality required for wide use, I think we should
> solve another problem first. The problem is the lack (or very poor)
> interoperability and collaboration between related Open Source
> projects. The irony is that if we combine 20ish Open Source projects
> (WebScarab, WSFuzzer, Nikto, HTTrack, OWASP Report Generator, etc...) we
> would end up with probably 90% of that desired Open Source Scanner tool. The
> problem is that there is no single interface for the use of these tools, and
> there is no focus from the tools' authors to work together (and even - shock
> horror - to reuse code)
>
>  - So what I propose is that we first *use OWASP resources (both financial
> and current source-code) to create a 'Single Interface' to ALL Web
> Application testing tools currently listed as an OWASP project* (see
> http://www.owasp.org/index.php/Category:OWASP_Project)
>
>  - This would be of enormous use for our users/members; would give focus
> to a lot of these projects; and would be a great use of OWASP resources and
> energy.
>  - I would even suggest that in the future a requirement for such tools to
> become an OWASP project would be their integration with this 'OWASP testing &
> reporting tool set'
>  - Since we already have a wide range of languages (.NET, Java, Python,
> Perl, etc...) the project focus would NOT be on what technology or languages
> these scanning tools need to be developed in (which would be a massive can
> of worms), but the focus would be on '*How do we get all these projects
> talking together?*' and '*How can we instrument them from a central
> location?*'.
>
> THAT (from my point of view) would be the project worth a heavy
> sponsorship.
>
> What do you think?
>
> Dinis
>
> On Thu, Mar 6, 2008 at 3:07 AM, Tom Brennan <tomb at owasp.org> wrote:
>
> Ok so think of this one.... OWASP announces an OPEN-SOURCE WEB APPLICATION
> SCANNER supported by the community.  Hmmm, don't you think that is going to
> raise the visibility?
>
> I have been talking with Andres over the last few months and he has put
> into words the next steps.
>
> Agenda item ;)  However, this one needs not only a review for approval, but
> this can catapult an OWASP project to mainstream corporate acceptance.  At
> 25k per commercial tool ~ this is a free solution for the masses and, when
> combined and vetted with the rest of the frameworks.. you get the idea.
>
> http://w3af.sourceforge.net Web Application Attack and Audit Framework
>
> -Brennan
>
> ---------- Forwarded message ----------
> From: *Andres Riancho* <andres.riancho at gmail.com>
> Date: Wed, Mar 5, 2008 at 11:37 AM
> Subject: OWASP SoC
> To: tomb at owasp.org
>
>
> Tom,
>
>    Hi man! How are you? I have been thinking about the proposal you
> made to me some time ago about w3af being an OWASP project; and I
> thought that a good way of getting to know "us" (I mean w3af and
> OWASP) is to start with something simple like the SoC. I think that
> the participation of w3af in SoC would be a step forward in the
> direction of working together.
>
>    On a related subject; I have been talking with Bernardo Damele,
> who says that after the last SoC his project is listed as an OWASP
> project [0]. What is this all about? Will the same happen to w3af?!
>
> [0] http://www.owasp.org/index.php/Category:OWASP_Project
>
> Cheers,
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
>
> --
> It's coming.... are you ready?
> https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board