[Owasp-testing] Testing Guide V4 - Start up

Matteo Meucci matteo.meucci at owasp.org
Fri Aug 31 10:28:18 UTC 2012


Hi Simon,
yep I agree.

Maybe we can distinguish as follows for each paragraph:
- OWASP Tools:
 (Flagship, Labs, Incubator, Archive)
- Other Open Source tools:

I think that a contributor should be dedicated to verifying which tests
are suitable using ZAP (maybe Amro, who writes the Appendix A "Testing
Tools")?

Thanks,
Mat



On 08/31/2012 09:56 AM, psiinon wrote:
> I think it's right for us to suggest an open source tool (or tools) for
> using in each section, however I don't think we should view this as a ZAP
> vs WebScarab contest.
> We want to suggest the best possible tool, but I also think that it's
> reasonable for us to prefer OWASP ones.
> But we should also favour tools that are more mature and/or more
> frequently updated.
> For OWASP tools I think we can rely on the new classifications:
> Flagship, Labs, Incubator, Archive.
> So I think it's really a sliding scale.
> If there's a Flagship OWASP project that is great at finding a specific
> type of vulnerability then we should definitely use that as the example.
> If not then we have to balance how relevant that tool is likely to remain.
> A brand new Incubator project might be great in one specific case, but
> may also not really be in a fit state for most people to use, or the
> project may quickly wither and die.
> And if a well regarded non OWASP open source tool is the best option
> then we should use that.
> 
> Going back to ZAP, I obviously hope it will be the ideal tool in many
> cases :)
> And helping to establish if this is the case and explaining exactly how
> ZAP can be used may be the most effective way I can contribute to this
> guide.
> 
> But I also want to use this process to learn where ZAP's weaknesses are.
> And depending on how long it takes to produce the guide we (the ZAP
> developers) may be able to enhance specific areas of ZAP as the work on
> the guide develops.
> So please let me know asap if/when you work on an area of the guide that
> you don't think ZAP is effective in helping with, or if you would like
> advice and guidance on how to use ZAP as effectively as possible.
> 
> Cheers,
> 
> Simon (ZAP Project Lead)
> 
> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org
> <mailto:matteo.meucci at owasp.org>> wrote:
> 
>     Perfect!
>     I've updated the wiki, thanks!
> 
>     Mat
> 
>     On 08/30/2012 11:15 PM, Amro wrote:
>     > Thanks Mat,
>     >
>     > Please assign this task to me and I will make sure that our tool
>     > sets are updated.
>     >
>     > Regards,
>     > Amro
>     > Sent from BlackBerry®. Excuse typos and brevity.
>     >
>     > -----Original Message-----
>     > From: Matteo Meucci <matteo.meucci at owasp.org
>     <mailto:matteo.meucci at owasp.org>>
>     > Date: Thu, 30 Aug 2012 23:11:41
>     > To: <amro at owasp.org <mailto:amro at owasp.org>>
>     > Cc: <owasp-testing-bounces at lists.owasp.org
>     <mailto:owasp-testing-bounces at lists.owasp.org>>;
>     <owasp-testing at lists.owasp.org <mailto:owasp-testing at lists.owasp.org>>
>     > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>     >
>     > Hi Amro,
>     > good question related to the tools. Here we have to update many
>     > references.
>     >
>     > Usually at the end of each article we suggest using a particular open
>     > source tool to perform the test. I think we can use and suggest
>     > both the
>     > tools in many situations.
>     > Also the Appendix A "Testing Tools" should pick all the testing tools
>     > cited in the Testing Guide and give more details.
>     >
>     > Thanks,
>     > Mat
>     >
>     > On 08/30/2012 10:58 PM, Amro wrote:
>     >> Please count me in as well .. Are we gonna use ZAP instead of
>     >> WebScarab in the new version?
>     >>
>     >> Regards,
>     >> Amro
>     >> Sent from BlackBerry®. Excuse typos and brevity.
>     >>
>     >> -----Original Message-----
>     >> From: Matteo Meucci <matteo.meucci at owasp.org
>     <mailto:matteo.meucci at owasp.org>>
>     >> Sender: owasp-testing-bounces at lists.owasp.org
>     <mailto:owasp-testing-bounces at lists.owasp.org>
>     >> Date: Thu, 30 Aug 2012 17:40:29
>     >> To: <owasp-testing at lists.owasp.org
>     <mailto:owasp-testing at lists.owasp.org>>
>     >> Subject: [Owasp-testing] Testing Guide V4 - Start up
>     >>
>     >> Hi all Testing Guide contributors.
>     >>
>     >> Testing Guide v4 has been approved as Projects Reboot 2012!
>     >> https://www.owasp.org/index.php/Projects_Reboot_2012
>     >>
>     >> Here is the list of contributors I've collected:
>     >>
>     >> Pavol Luptak
>     >> Marco Morana
>     >> Giorgio Fedon
>     >> Stefano Di Paola
>     >> Gianrico Ingrosso
>     >> Giuseppe Bonfà
>     >> Roberto Suggi Liverani
>     >> Robert Smith
>     >> Andrew Muller
>     >> Robert Winkel
>     >> tripurari rai
>     >> Thomas Ryan
>     >> tim bertels
>     >> Cecil Su
>     >> Aung KhAnt
>     >> Norbert Szetei
>     >> michael.boman
>     >> Wagner Elias
>     >> Kevin Horvat
>     >> Juan Galiana Lara
>     >> Kenan Gursoy
>     >> Jason Flood
>     >> Javier Marcos de Prado
>     >> Sumit Siddharth
>     >> Mike Hryekewicz
>     >> psiinon
>     >> Ray Schippers
>     >> Raul Siles
>     >> Jayanta Karmakar
>     >> Brad Causey
>     >> Vicente Aguilera
>     >> Ismael Gonçalves
>     >>
>     >> Reviewers team:
>     >>
>     >> Paolo Perego
>     >> Daniel Cuthbert
>     >> Matthew Churcher
>     >> Lode Vanstechelman
>     >> Sebastien Gioria
>     >>
>     >>
>     >> Introduction and Project purpose for v4:
>     >> ========================================
>     >> The OWASP Testing Guide v3 includes a "best practice" penetration
>     >> testing framework which users can implement in their own
>     >> organizations
>     >> and a "low level" penetration testing guide that describes techniques
>     >> for testing most common web application and web service security
>     >> issues. Nowadays the Testing Guide has become the standard to perform
>     >> a Web Application Penetration Testing and many Companies all around
>     >> the world have adopted it.
>     >> It is vital for the project to maintain an updated project that
>     >> represents the state of the art for WebAppSec.
>     >>
>     >> Project Roadmap
>     >> =============
>     >>
>     >> - (1) 1st phase: Brainstorming and creating a new table of contents
>     >>
>     >> Objective: creating a new table of contents of the OTGv4 and
>     >> assigning a task to each contributor.
>     >> I created a new OWASP Testing Guide v4 table of Contents here:
>     >>
>     >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>     >>
>     >> - (2) 2nd phase: Writing
>     >> 20th September 2012: Start writing the articles
>     >> 1st November 2012: 1st Draft
>     >> 30th November: end of writing phase
>     >>
>     >> - (3) 3rd phase: Reviewing
>     >>
>     >> - 1st December 2012: Starting the review phase,
>     >> - 15th December 2012: Create the RC1,
>     >> - 31st January 2013: Release the version 4.
>     >>
>     >> Timeline November 2012 1st Draft, January 2013 Final Release
>     >>
>     >> So, let's start discussion about phase (1)!
>     >>
>     >> Thanks!
>     >> Mat
>     >>
>     >> --
>     >> Matteo Meucci
>     >> OWASP Testing Guide Lead
>     >> OWASP-Italy President
>     >>
>     >>
>     >> _______________________________________________
>     >> Owasp-testing mailing list
>     >> Owasp-testing at lists.owasp.org <mailto:Owasp-testing at lists.owasp.org>
>     >> https://lists.owasp.org/mailman/listinfo/owasp-testing
>     >>
>     >
> 
>     --
>     Matteo Meucci
>     OWASP Testing Guide Lead
>     OWASP Italy President
> 
> 
> 
> 
> -- 
> OWASP ZAP: Toolsmith Tool of the Year 2011
> <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
> 

--
Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President
