[Owasp-testing] Testing Guide V4 - Start up
matteo.meucci at owasp.org
Fri Aug 31 10:28:18 UTC 2012
yep I agree.
Maybe we can distinguish as follow for each paragraph:
- OWASP Tools:
(Flagship, Labs, Incubator, Archive)
- Other Open Source tools:
I think that a contributor should be dedicated to verifying which tests
are suitable using ZAP (maybe Amro who writes the Appendix A "Testing
On 08/31/2012 09:56 AM, psiinon wrote:
> I think it's right for us to suggest an open source tool (or tools) for
> using in each section, however I don't think we should view this as a ZAP
> vs WebScarab contest.
> We want to suggest the best possible tool, but I also think that it's
> reasonable for us to /prefer /OWASP ones.
> But we should also favour tools that are more mature and/or more
> frequently updated.
> For OWASP tools I think we can rely on the new classifications:
> Flagship, Labs, Incubator, Archive.
> So I think it's really a sliding scale.
> If there's a Flagship OWASP project that is great at finding a specific
> type of vulnerability then we should definitely use that as the example.
> If not then we have to balance how relevant that tool is likely to remain.
> A brand new Incubator project might be great in one specific case, but
> may also not really be in a fit state for most people to use, or the
> project may quickly wither and die.
> And if a well regarded non OWASP open source tool is the best option
> then we should use that.
> Going back to ZAP, I obviously hope it will be the ideal tool in many
> cases :)
> And helping to establish if this is the case and explaining exactly how
> ZAP can be used may be the most effective way I can contribute to this
> But I also want to use this process to learn where ZAP's weaknesses are.
> And depending on how long it takes to produce the guide we (the ZAP
> developers) may be able to enhance specific areas of ZAP as the work on
> the guide develops.
> So please let me know asap if/when you work on an area of the guide that
> you don't think ZAP is effective in helping with, or if you would like
> advice and guidance on how to use ZAP as effectively as possible.
> Simon (ZAP Project Lead)
> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org
> <mailto:matteo.meucci at owasp.org>> wrote:
> I've updated the wiki, thanks!
> On 08/30/2012 11:15 PM, Amro wrote:
> > Thanks Mat,
> > Please assign this task to me and I will make sure that our tool
> sets are updated.
> > Regards,
> > Amro
> > Sent from BlackBerry®. Excuse typos and brevity.
> > -----Original Message-----
> > From: Matteo Meucci <matteo.meucci at owasp.org
> <mailto:matteo.meucci at owasp.org>>
> > Date: Thu, 30 Aug 2012 23:11:41
> > To: <amro at owasp.org <mailto:amro at owasp.org>>
> > Cc: <owasp-testing-bounces at lists.owasp.org
> <mailto:owasp-testing-bounces at lists.owasp.org>>;
> <owasp-testing at lists.owasp.org <mailto:owasp-testing at lists.owasp.org>>
> > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
> > Hi Amro,
> > good question related to the tools. Here we have to update many
> > Usually at the end of each article we suggest using a particular open
> > source tool to perform the test. I think we can use and suggest both
> > tools in many situations.
> > Also the Appendix A "Testing Tools" should pick all the testing tools
> > cited in the Testing Guide and give more details.
> > Thanks,
> > Mat
> > On 08/30/2012 10:58 PM, Amro wrote:
> >> Please count me in as well .. Are we gonna use ZAP instead of
> WebScarab in the new version?
> >> Regards,
> >> Amro
> >> Sent from BlackBerry®. Excuse typos and brevity.
> >> -----Original Message-----
> >> From: Matteo Meucci <matteo.meucci at owasp.org
> <mailto:matteo.meucci at owasp.org>>
> >> Sender: owasp-testing-bounces at lists.owasp.org
> <mailto:owasp-testing-bounces at lists.owasp.org>
> >> Date: Thu, 30 Aug 2012 17:40:29
> >> To: <owasp-testing at lists.owasp.org
> <mailto:owasp-testing at lists.owasp.org>>
> >> Subject: [Owasp-testing] Testing Guide V4 - Start up
> >> Hi all Testing Guide contributors.
> >> Testing Guide v4 has been approved as Projects Reboot 2012!
> >> https://www.owasp.org/index.php/Projects_Reboot_2012
> >> Here is the list of contributors I've collected:
> >> Pavol Luptak
> >> Marco Morana
> >> Giorgio Fedon
> >> Stefano Di Paola
> >> Gianrico Ingrosso
> >> Giuseppe Bonfà
> >> Roberto Suggi Liverani
> >> Robert Smith
> >> Andrew Muller
> >> Robert Winkel
> >> tripurari rai
> >> Thomas Ryan
> >> tim bertels
> >> Cecil Su
> >> Aung KhAnt
> >> Norbert Szetei
> >> michael.boman
> >> Wagner Elias
> >> Kevin Horvat
> >> Juan Galiana Lara
> >> Kenan Gursoy
> >> Jason Flood
> >> Javier Marcos de Prado
> >> Sumit Siddharth
> >> Mike Hryekewicz
> >> psiinon
> >> Ray Schippers
> >> Raul Siles
> >> Jayanta Karmakar
> >> Brad Causey
> >> Vicente Aguilera
> >> Ismael Gonçalves
> >> Reviewers team:
> >> Paolo Perego
> >> Daniel Cuthbert
> >> Matthew Churcher
> >> Lode Vanstechelman
> >> Sebastien Gioria
> >> Introduction and Project purpose for v4:
> >> =========================================
> >> The OWASP Testing Guide v3 includes a "best practice" penetration
> >> testing framework which users can implement in their own
> >> and a "low level" penetration testing guide that describes techniques
> >> for testing most common web application and web service security
> >> issues. Nowadays the Testing Guide has become the standard for performing
> >> Web Application Penetration Testing, and many companies all around
> >> the world have adopted it.
> >> It is vital for the project to maintain an updated guide that
> >> represents the state of the art for WebAppSec.
> >> Project Roadmap
> >> =============
> >> - (1) 1st phase: Brainstorming and create a new table of contents
> >> Objective: creating a new table of contents of the OTGv4
> >> assigning a task for each contributor.
> >> I created a new OWASP Testing Guide v4 table of Contents here:
> >> - (2) 2nd phase: Writing
> >> 20th September 2012: Start writing the articles
> >> 1st November 2012: 1st Draft
> >> 30th November: end of writing phase
> >> - (3) 3rd phase: Reviewing
> >> - 1st December 2012: Starting the review phase,
> >> - 15th December 2012: Create the RC1,
> >> - 31st January 2013: Release the version 4.
> >> Timeline November 2012 1st Draft, January 2013 Final Release
> >> So, let's start discussion about phase (1)!
> >> Thanks!
> >> Mat
> >> --
> >> Matteo Meucci
> >> OWASP Testing Guide Lead
> >> OWASP-Italy President
> >> _______________________________________________
> >> Owasp-testing mailing list
> >> Owasp-testing at lists.owasp.org <mailto:Owasp-testing at lists.owasp.org>
> >> https://lists.owasp.org/mailman/listinfo/owasp-testing
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP Italy President
> OWASP ZAP: Toolsmith Tool of the Year 2011
OWASP Testing Guide Lead
OWASP Italy President