[Owasp-board] Watcher idea

Eoin eoin.keary at owasp.org
Fri Jul 9 13:39:44 UTC 2010


Many of our projects do not have this signed, right?

So why should anyone do it if it is not necessary apart from the idea of
donating intellectual property to the Foundation.

-ek



On 9 July 2010 14:25, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:

>  Hello Chris,
>
>
>
> Thank you for your answer. Regarding the exception to signing the Assignment
> of Copyright Agreement that you are proposing, we need to hear from both the
> OWASP Board and its Projects Committee. I am sure they will respond to us as
> soon as possible.
>
>
>
> http://www.owasp.org/index.php/Assignment_of_Copyright_Agreement
>
>
>
> Many thanks, best regards,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
>
>
> *From:* Chris Weber [mailto:chris at casabasecurity.com]
> *Sent:* sexta-feira, 9 de Julho de 2010 05:15
> *To:* 'Paulo Coimbra'
> *Cc:* 'Global Projects Committee'
> *Subject:* RE: Watcher idea
>
>
>
> Hi Paulo, with the exception of signing the Assignment of Copyright
> Agreement I’d be happy to move Watcher and x5s to OWASP projects.  Let me
> know if that’s acceptable to you.
>
>
>
> Best regards,
>
>
>
> Chris Weber, CSSLP
>
> Casaba Security, LLC
>
> Software Security Products and Services
>
> Mobile: (949) 637-4155
>
> Email: chris at casabasecurity.com
>
> www.casabasecurity.com
>
>
> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> *Sent:* Wednesday, June 30, 2010 9:08 AM
> *To:* 'Chris Weber'
> *Cc:* 'Global Projects Committee'
> *Subject:* RE: Watcher idea
>
>
>
> Hello Chris,
>
>
>
> Thank you for getting back to us. I am copying our Global Projects Committee
> so that its members can correct my answers; please see below my responses to
> your questions.
>
>
>
> Best regards,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
>
>
> *From:* Chris Weber [mailto:chris at casabasecurity.com]
> *Sent:* quarta-feira, 23 de Junho de 2010 23:40
> *To:* 'Paulo Coimbra'
> *Subject:* RE: Watcher idea
>
>
>
> Hi Paulo, and thanks for the information.  I have a few questions.  One
> project is release material, the other is beta.  We have a custom license
> that is very BSD-like.  I’d be happy to provide a roadmap and such for the
> GPC’s review.
>
>
> *[pc] As a methodology to sustain the transition process, I propose we
> begin by rating both releases as alpha ones until we have the opportunity to
> assess them in accordance with the OWASP Assessment Criteria.*
>
>
> *Please see:*
>
>
> *http://www.owasp.org/index.php/Assessing_Project_Releases and
> http://www.owasp.org/index.php/Tool_Assessment_Criteria*
>
>
> Currently our projects are hosted on Codeplex, is it okay to keep them
> there?  Would I need to duplicate the wiki and release binaries on the OWASP
> source?
>
>
>
> *[pc] The source code and any documentation should be available in an
> online project repository. We preferably use Google Code or Sourceforge.*
>
>
>
> By setting up our tools as OWASP projects, do we maintain copyright on the
> work or does OWASP seek that?
>
>
> *[pc] OWASP proposes you sign up this
> http://www.owasp.org/index.php/Assignment_of_Copyright_Agreement Assignment
> of Copyright Agreement. Please see also
> http://www.owasp.org/index.php/OWASP_Licenses. *
>
>
> How do we benefit by making our tools OWASP projects?  Is it more community
> outreach and possible inclusion in the OWASP press materials like Top Ten
> and tools to assist in finding them?
>
>
>
> *[pc] In a nutshell, I’d say OWASP could potentially bring more eyeballs
> as well as potential contributors & money to your effort.*
>
>
> http://www.owasp.org/images/3/3f/2009AnnualReport.pdf
>
>
>
> http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008
>
>
>
>
> http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Sponsorship
>
>
>
>
>
> Many thanks, best regards,
>
>
>
> Thank you,
>
> Chris
>
>
>
> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> *Sent:* Tuesday, June 22, 2010 8:09 AM
> *To:* chris at casabasecurity.com
> *Cc:* 'Dave Wichers'; 'Kate Hartmann'; 'Global Projects Committee'
> *Subject:* RE: **VL-JUNK** RE: Watcher idea
>
>
>
> Hello Chris,
>
>
>
> First of all, thank you for volunteering to lead two OWASP Projects.  It is
> with volunteers like yourself that OWASP continues to succeed in making
> application security visible.
>
> Second, regarding your new leadership of these two projects, I'd like to
> request that you send a project roadmap (one for each project) - basically
> the high level details of where you'd like to take the projects.  The OWASP
> Global Projects Committee (GPC) will look at the roadmap and provide
> feedback on your projects:  suggesting projects which are closely related,
> resources and contacts which may assist your efforts and any other
> suggestions to increase your project's success.
>
>
>
> To get your projects started, here are a couple of references for your
> review:
>
>  - The Guidelines for OWASP Projects provide a quick overview of items key
> to a project's success -
> http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects,
>
>
>  - OWASP's Assessment Criteria is the metric by which projects are
> evaluated.  There are three categories for projects: Alpha, Beta, and
> Release.  The Assessment Criteria allows project leaders to know what
> aspects of projects OWASP values -
> http://www.owasp.org/index.php/Category:OWASP_Project_Assessment,
>
>
>
>  - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,
>
>
> Your projects will have an OWASP wiki page to inform and promote your
> project to the OWASP community.  To set up your projects’ page, please
> provide the details below so that the GPC can establish your initial
> projects pages.  The details provided will be used to complete OWASP's
> projects template.  Feel free to add any additional information to wiki
> pages or request assistance about how to add to your projects wiki page.
>
> Details to create your projects page:
> (0) Projects Names,
>
> (1) Projects purposes / overview,
> (2) Projects Roadmaps (as mentioned above),
> (3) Projects links (if any) to external sites,
> (4) Projects License (
> http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Licensing
> ),
> (5) Projects Leader name,
>
> (6) Projects Leader email address,
> (7) Projects Leader wiki account - the username (you'll need this to edit
> the wiki),
>
> (8) Project Contributor(s) (if any) - name email and wiki account (if any),
>
> As your projects reach a point that you'd like OWASP to assist in its
> promotion, the GPC will need the following to help spread the word about
> your projects:
>
>  * Conference style presentation describing the projects in at least 3
> slides -
> http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/
>
>
>  * Project Flyer/Pamphlet (PDF file) -
> http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/
>
>
> As work on your projects progresses and you are ready to create a release,
> please let the GPC know of the change in status.  The GPC can work with you
> to get your projects assessed and moved up the OWASP quality ladder from
> Alpha to Beta to Stable.  Every release does not require an assessment -
> feel free to email the GPC if you are unsure about your projects’
> requirements.  For examples of projects at various quality levels, please
> see the OWASP Project page -
> http://www.owasp.org/index.php/Category:OWASP_Project
>
> That is all for now - I wish you and your projects great success.  Thank
> you for supporting OWASP's mission.
>
> Should you have any questions or require any further information, please do
> not hesitate to contact me.
>
> Many thanks, best regards,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
>
>
>
>
> *From:* Dave Wichers [mailto:dave.wichers at aspectsecurity.com]
> *Sent:* segunda-feira, 21 de Junho de 2010 22:19
> *To:* Kate Hartmann; Paulo Coimbra
> *Subject:* FW: **VL-JUNK** RE: Watcher idea
>
>
>
> Can the two of you facilitate the transition of these projects to OWASP?
> Watcher is a cool tool. I'm not familiar with x5s, but the more OWASP tools
> the merrier in my opinion.
>
>
>
> -Dave
>
>
>
> -----Original Message-----
>
> From: Chris Weber [mailto:chris at casabasecurity.com]
>
> Sent: Monday, June 21, 2010 2:16 PM
>
> To: Dave Wichers
>
> Subject: RE: **VL-JUNK** RE: Watcher idea
>
>
>
> Hey Dave, how's this for a late follow up?  ;)  What will it take to get
> Watcher and x5s moved to an OWASP project?  We're getting a lot of good
> response from them, and could probably benefit from the added community.
>
>
>
> -----Original Message-----
>
> From: Dave Wichers [mailto:dave.wichers at aspectsecurity.com]
>
> Sent: Friday, November 20, 2009 3:53 PM
>
> To: Chris Weber; 'Dave Wichers'
>
> Cc: 'Samuel Bucholtz'
>
> Subject: **VL-JUNK** RE: Watcher idea
>
>
>
> Bummer that we missed each other!!
>
>
>
> Regarding w3af, I have not used it, so I am not favoring one over the
> other. I just wanted to let you know about the availability of these two
> rulesets that you might be able to incorporate.
>
>
>
> On another note, what would you think about bringing Watcher to OWASP?
>
>
>
> Dave
>
>
>
> -----Original Message-----
>
> From: Chris Weber <chris at casabasecurity.com>
>
> Sent: Friday, November 20, 2009 6:17 PM
>
> To: 'Dave Wichers' <dave.wichers at aspectsecurity.com>
>
> Cc: 'Samuel Bucholtz' <samuel at casabasec.com>
>
> Subject: RE: Watcher idea
>
>
>
> Dave thanks for bringing this up.  I didn’t realize until late in the week
> that we were both at the OWASP DC conference last week, otherwise we
> could’ve met!  It looks like w3af is including passive vulnerability
> assessment like Watcher does, I haven’t used this before, have you?  It looks
> neat.
>
>
> I assume we could do this as part of Watcher, maybe even as a separate
> check library.  In some cases we do some of these already.  FYI we’re
> looking into adding an active testing component to Watcher, which would
> automate sending inputs for XSS and some of these things.
>
> We’ll need to go through the w3af documentation and code to figure out what
> it’s doing that we could include in Watcher.  Are you suggesting this
> because you personally prefer to use something like Watcher over w3af?
> After glancing over the docs, usability does look much more involved than
> Watcher.
>
> Thanks for the message!
>
>
>
> Chris
>
>
> From: Dave Wichers [mailto:dave.wichers at aspectsecurity.com]
>
> Sent: Friday, November 20, 2009 2:55 PM
>
> To: Chris Weber
>
> Subject: Watcher idea
>
>
> Chris,
>
>
> I had an idea with regard to Watcher based on the following thread on the
> OWASP leaders list. If ModSecurity and W3AF have a set of Regexs to help
> detect successful attacks, couldn’t Watcher ‘watch’ for this same set of
> outputs? And then warn the analyst if it sees any of these? Maybe a separate
> doc could even suggest to the tester the kinds of input/tests they could
> perform that might help trigger the types of responses that these rules can
> detect.
>
>
> -Dave
>
>
> On Friday 20 November 2009 11:15:09 am Andrew Petukhov wrote:
>
> > Leaders,
> >
> > does anyone know if there is a database of regular expressions for
> > testing HTTP responses while doing a pentest?
> >
> > Let me outline the problem (in a simplistic way):
> > - a black-box scanner can detect successful XSS by noticing the code
> > it had injected in subsequent pages;
> > - a black-box scanner can detect SQLI blindly;
> > - other possible manifestations of an exploited vulnerability are 5xx
> > codes and error messages.
> >
> > I know only about ModSecurity Core Rule Set. It can be used to detect
> > error messages.
> >
> > Does anyone know other sources?
> >
> > Thanks in advance!
> >
> > Andrew Petukhov,
> > Moscow State University
>
> Check out the GREP section of W3AF -
> http://w3af.sourceforge.net/plugin-descriptions.php#grep
>
> You can use these same regexs to check the http response for apps you are
> testing.
>
> --
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
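The passive check Dave and Andrew discuss in the quoted thread (grep a captured HTTP response for error strings, 5xx codes and a tester's own marker reflected back, the way Watcher and the w3af grep plugins do) as an added Python example; it is not code from this thread, from Watcher or from w3af. The signatures, the sample response and the marker `wtchmark42` are constructed for illustration, not taken from the ModSecurity CRS or w3af rule sets.

```python
import re
from dataclasses import dataclass

# Illustrative signatures, constructed for this example; they are NOT the
# ModSecurity CRS or w3af grep rules the thread refers to.
ERROR_SIGNATURES = {
    "sql-error": re.compile(r"You have an error in your SQL syntax|ORA-\d{5}", re.I),
    "path-disclosure": re.compile(r"[A-Z]:\\(?:[\w. -]+\\)+[\w. -]+\.\w+|/var/www/[\w./-]+"),
}

@dataclass
class Finding:
    check: str      # which passive check fired
    evidence: str   # matched text, or the status code

def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def passive_checks(raw: str, tester_marker: str = "") -> list[Finding]:
    """Grep a captured response the way a passive proxy check would."""
    status, _headers, body = parse_response(raw)
    findings = []
    if 500 <= status <= 599:                        # Andrew's "5xx codes"
        findings.append(Finding("5xx-status", str(status)))
    for name, pattern in ERROR_SIGNATURES.items():  # error-message regexes
        match = pattern.search(body)
        if match:
            findings.append(Finding(name, match.group(0)))
    # A harmless marker sent earlier reappearing verbatim in the body is the
    # "notice the code it had injected in subsequent pages" observation.
    if tester_marker and tester_marker in body:
        findings.append(Finding("reflected-marker", tester_marker))
    return findings

# Constructed sample response, not captured from any real application.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Error</h1>"
    "<pre>You have an error in your SQL syntax; check the manual</pre>"
    "<p>in /var/www/app/db.php on line 42</p>"
    "<p>Search results for: wtchmark42</p></body></html>"
)
```

Running `passive_checks(SAMPLE_RESPONSE, "wtchmark42")` yields four findings (5xx status, SQL error text, disclosed path, reflected marker); a clean 200 response yields none.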

