[Owasp-testing] Testing Guide V4 - Start up

Ryan Dewhurst ryandewhurst at gmail.com
Fri Aug 31 08:07:26 UTC 2012


Hello all,

I'd be happy to volunteer my time to review some sections of the guide.

Regards,
Ryan Dewhurst

On Fri, Aug 31, 2012 at 9:56 AM, psiinon <psiinon at gmail.com> wrote:
> I think it's right for us to suggest an open source tool (or tools) for using
> in each section, however I don't think we should view this as a ZAP vs
> WebScarab contest.
> We want to suggest the best possible tool, but I also think that it's
> reasonable for us to prefer OWASP ones.
> But we should also favour tools that are more mature and/or more frequently
> updated.
> For OWASP tools I think we can rely on the new classifications: Flagship,
> Labs, Incubator, Archive.
> So I think it's really a sliding scale.
> If there's a Flagship OWASP project that is great at finding a specific type
> of vulnerability then we should definitely use that as the example.
> If not then we have to balance how relevant that tool is likely to remain.
> A brand new Incubator project might be great in one specific case, but may
> also not really be in a fit state for most people to use, or the project may
> quickly wither and die.
> And if a well regarded non-OWASP open source tool is the best option then we
> should use that.
>
> Going back to ZAP, I obviously hope it will be the ideal tool in many cases
> :)
> And helping to establish if this is the case and explaining exactly how ZAP
> can be used may be the most effective way I can contribute to this guide.
>
> But I also want to use this process to learn where ZAP's weaknesses are.
> And depending on how long it takes to produce the guide we (the ZAP
> developers) may be able to enhance specific areas of ZAP as the work on the
> guide develops.
> So please let me know asap if/when you work on an area of the guide that you
> don't think ZAP is effective in helping with, or if you would like advice and
> guidance on how to use ZAP as effectively as possible.
>
> Cheers,
>
> Simon (ZAP Project Lead)
>
>
> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org>
> wrote:
>>
>> Perfect!
>> I've updated the wiki, thanks!
>>
>> Mat
>>
>> On 08/30/2012 11:15 PM, Amro wrote:
>> > Thanks Mat,
>> >
>> > Please assign this task to me and I will make sure that our tool sets
>> > are updated.
>> >
>> > Regards,
>> > Amro
>> > Sent from BlackBerry®. Excuse typos and brevity.
>> >
>> > -----Original Message-----
>> > From: Matteo Meucci <matteo.meucci at owasp.org>
>> > Date: Thu, 30 Aug 2012 23:11:41
>> > To: <amro at owasp.org>
>> > Cc: <owasp-testing-bounces at lists.owasp.org>;
>> > <owasp-testing at lists.owasp.org>
>> > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>> >
>> > Hi Amro,
>> > good question related to the tools. Here we have to update many
>> > references.
>> >
>> > Usually at the end of each article we suggest using a particular open
>> > source tool to perform the test. I think we can use and suggest both
>> > tools in many situations.
>> > Also the Appendix A "Testing Tools" should pick all the testing tools
>> > cited in the Testing Guide and give more details.
>> >
>> > Thanks,
>> > Mat
>> >
>> > On 08/30/2012 10:58 PM, Amro wrote:
>> >> Please count me in as well .. Are we gonna use ZAP instead of WebScarab
>> >> in the new version?
>> >>
>> >> Regards,
>> >> Amro
>> >> Sent from BlackBerry®. Excuse typos and brevity.
>> >>
>> >> -----Original Message-----
>> >> From: Matteo Meucci <matteo.meucci at owasp.org>
>> >> Sender: owasp-testing-bounces at lists.owasp.org
>> >> Date: Thu, 30 Aug 2012 17:40:29
>> >> To: <owasp-testing at lists.owasp.org>
>> >> Subject: [Owasp-testing] Testing Guide V4 - Start up
>> >>
>> >> Hi all Testing Guide contributors.
>> >>
>> >> Testing Guide v4 has been approved as Projects Reboot 2012!
>> >> https://www.owasp.org/index.php/Projects_Reboot_2012
>> >>
>> >> Here is the list of contributors I've collected:
>> >>
>> >> Pavol Luptak
>> >> Marco Morana
>> >> Giorgio Fedon
>> >> Stefano Di Paola
>> >> Gianrico Ingrosso
>> >> Giuseppe Bonfà
>> >> Roberto Suggi Liverani
>> >> Robert Smith
>> >> Andrew Muller
>> >> Robert Winkel
>> >> tripurari rai
>> >> Thomas Ryan
>> >> tim bertels
>> >> Cecil Su
>> >> Aung KhAnt
>> >> Norbert Szetei
>> >> michael.boman
>> >> Wagner Elias
>> >> Kevin Horvat
>> >> Juan Galiana Lara
>> >> Kenan Gursoy
>> >> Jason Flood
>> >> Javier Marcos de Prado
>> >> Sumit Siddharth
>> >> Mike Hryekewicz
>> >> psiinon
>> >> Ray Schippers
>> >> Raul Siles
>> >> Jayanta Karmakar
>> >> Brad Causey
>> >> Vicente Aguilera
>> >> Ismael Gonçalves
>> >>
>> >> Reviewers team:
>> >>
>> >> Paolo Perego
>> >> Daniel Cuthbert
>> >> Matthew Churcher
>> >> Lode Vanstechelman
>> >> Sebastien Gioria
>> >>
>> >>
>> >> Introduction and Project purpose for v4:
>> >> ========================================
>> >> The OWASP Testing Guide v3 includes a "best practice" penetration
>> >> testing framework which users can implement in their own organizations
>> >> and a "low level" penetration testing guide that describes techniques
>> >> for testing most common web application and web service security
>> >> issues. Nowadays the Testing Guide has become the standard for performing
>> >> Web Application Penetration Testing, and many companies all around
>> >> the world have adopted it.
>> >> It is vital for the project to maintain an updated guide that
>> >> represents the state of the art for WebAppSec.
>> >>
>> >> Project Roadmap
>> >> =============
>> >>
>> >> - (1) 1st phase: Brainstorming and create a new table of contents
>> >>
>> >> Objective: creating a new table of contents of the OTGv4
>> >> assigning a task for each contributor.
>> >> I created a new OWASP Testing Guide v4 table of Contents here:
>> >>
>> >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>> >>
>> >> - (2) 2nd phase: Writing
>> >> 20th September 2012: Start writing the articles
>> >> 1st November 2012: 1st Draft
>> >> 30th November: end of writing phase
>> >>
>> >> - (3) 3rd phase: Reviewing
>> >>
>> >> - 1st December 2012: Starting the review phase,
>> >> - 15th December 2012: Create the RC1,
>> >> - 31st January 2013: Release the version 4.
>> >>
>> >> Timeline November 2012 1st Draft, January 2013 Final Release
>> >>
>> >> So, let's start discussion about phase (1)!
>> >>
>> >> Thanks!
>> >> Mat
>> >>
>> >> --
>> >> Matteo Meucci
>> >> OWASP Testing Guide Lead
>> >> OWASP-Italy President
>> >>
>> >>
>> >> _______________________________________________
>> >> Owasp-testing mailing list
>> >> Owasp-testing at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >>
>> >
>>
>> --
>> Matteo Meucci
>> OWASP Testing Guide Lead
>> OWASP Italy President
>
> --
> OWASP ZAP: Toolsmith Tool of the Year 2011