[Owasp-testing] Testing Guide V4 - Start up

Simone Onofri simone.onofri at gmail.com
Fri Aug 31 10:58:22 UTC 2012


hi all,

As for experience, some people like to have a paragraph called "tools"
in each test.

But it could be nice to organize a table with tools (Simon, I love ZAP :) )
and the tests covered?

cheers,

s.

On Fri, Aug 31, 2012 at 12:48 PM, psiinon <psiinon at gmail.com> wrote:
> I'd definitely like to be closely involved in the ZAP related sections, but
> very happy for Amro to lead on it.
>
> Cheers,
>
> Simon
>
>
> On Fri, Aug 31, 2012 at 11:28 AM, Matteo Meucci <matteo.meucci at owasp.org>
> wrote:
>>
>> Hi Simon,
>> yep I agree.
>>
>> Maybe we can distinguish as follow for each paragraph:
>> - OWASP Tools:
>>  (Flagship, Labs, Incubator, Archive)
>> - Other Open Source tools:
>>
>> I think that a contributor should be dedicated to verifying which tests
>> are suitable for ZAP (maybe Amro, who writes the Appendix A "Testing
>> Tools")?
>>
>> Thanks,
>> Mat
>>
>>
>>
>> On 08/31/2012 09:56 AM, psiinon wrote:
>> > I think it's right for us to suggest an open source tool (or tools) to
>> > use in each section; however, I don't think we should view this as a ZAP
>> > vs WebScarab contest.
>> > We want to suggest the best possible tool, but I also think that it's
>> > reasonable for us to /prefer/ OWASP ones.
>> > But we should also favour tools that are more mature and/or more
>> > frequently updated.
>> > For OWASP tools I think we can rely on the new classifications:
>> > Flagship, Labs, Incubator, Archive.
>> > So I think it's really a sliding scale.
>> > If there's a Flagship OWASP project that is great at finding a specific
>> > type of vulnerability then we should definitely use that as the example.
>> > If not then we have to balance how relevant that tool is likely to
>> > remain.
>> > A brand new Incubator project might be great in one specific case, but
>> > may also not really be in a fit state for most people to use, or the
>> > project may quickly wither and die.
>> > And if a well regarded non OWASP open source tool is the best option
>> > then we should use that.
>> >
>> > Going back to ZAP, I obviously hope it will be the ideal tool in many
>> > cases :)
>> > And helping to establish if this is the case and explaining exactly how
>> > ZAP can be used may be the most effective way I can contribute to this
>> > guide.
>> >
>> > But I also want to use this process to learn where ZAP's weaknesses are.
>> > And depending on how long it takes to produce the guide we (the ZAP
>> > developers) may be able to enhance specific areas of ZAP as the work on
>> > the guide develops.
>> > So please let me know asap if/when you work on an area of the guide that
>> > you don't think ZAP is effective in helping with, or if you would like
>> > advice and guidance on how to use ZAP as effectively as possible.
>> >
>> > Cheers,
>> >
>> > Simon (ZAP Project Lead)
>> >
>> > On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>> >
>> >     Perfect!
>> >     I've updated the wiki, thanks!
>> >
>> >     Mat
>> >
>> >     On 08/30/2012 11:15 PM, Amro wrote:
>> >     > Thanks Mat,
>> >     >
>> >     > Please assign this task to me and I will make sure that our tool
>> >     > sets are updated.
>> >     >
>> >     > Regards,
>> >     > Amro
>> >     > Sent from BlackBerry®. Excuse typo's and brevity.
>> >     >
>> >     > -----Original Message-----
>> >     > From: Matteo Meucci <matteo.meucci at owasp.org>
>> >     > Date: Thu, 30 Aug 2012 23:11:41
>> >     > To: <amro at owasp.org>
>> >     > Cc: <owasp-testing-bounces at lists.owasp.org>; <owasp-testing at lists.owasp.org>
>> >     > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>> >     >
>> >     > Hi Amro,
>> >     > good question related to the tools. Here we have to update many
>> >     > references.
>> >     >
>> >     > Usually at the end of each article we suggest to use a particular
>> >     > open source tool to perform the test. I think we can use and suggest
>> >     > both the tools in many situations.
>> >     > Also the Appendix A "Testing Tools" should pick all the testing
>> >     > tools cited in the Testing Guide and give more details.
>> >     >
>> >     > Thanks,
>> >     > Mat
>> >     >
>> >     > On 08/30/2012 10:58 PM, Amro wrote:
>> >     >> Please count me in as well .. Are we gonna use ZAP instead of
>> >     >> WebScarab in the new version?
>> >     >>
>> >     >> Regards,
>> >     >> Amro
>> >     >> Sent from BlackBerry®. Excuse typo's and brevity.
>> >     >>
>> >     >> -----Original Message-----
>> >     >> From: Matteo Meucci <matteo.meucci at owasp.org>
>> >     >> Sender: owasp-testing-bounces at lists.owasp.org
>> >     >> Date: Thu, 30 Aug 2012 17:40:29
>> >     >> To: <owasp-testing at lists.owasp.org>
>> >     >> Subject: [Owasp-testing] Testing Guide V4 - Start up
>> >     >>
>> >     >> Hi all Testing Guide contributors.
>> >     >>
>> >     >> Testing Guide v4 has been approved as Projects Reboot 2012!
>> >     >> https://www.owasp.org/index.php/Projects_Reboot_2012
>> >     >>
>> >     >> Here is the list of contributors I've collected:
>> >     >>
>> >     >> Pavol Luptak
>> >     >> Marco Morana
>> >     >> Giorgio Fedon
>> >     >> Stefano Di Paola
>> >     >> Gianrico Ingrosso
>> >     >> Giuseppe Bonfà
>> >     >> Roberto Suggi Liverani
>> >     >> Robert Smith
>> >     >> Andrew Muller
>> >     >> Robert Winkel
>> >     >> tripurari rai
>> >     >> Thomas Ryan
>> >     >> tim bertels
>> >     >> Cecil Su
>> >     >> Aung KhAnt
>> >     >> Norbert Szetei
>> >     >> michael.boman
>> >     >> Wagner Elias
>> >     >> Kevin Horvat
>> >     >> Juan Galiana Lara
>> >     >> Kenan Gursoy
>> >     >> Jason Flood
>> >     >> Javier Marcos de Prado
>> >     >> Sumit Siddharth
>> >     >> Mike Hryekewicz
>> >     >> psiinon
>> >     >> Ray Schippers
>> >     >> Raul Siles
>> >     >> Jayanta Karmakar
>> >     >> Brad Causey
>> >     >> Vicente Aguilera
>> >     >> Ismael Gonçalves
>> >     >>
>> >     >> Reviewers team:
>> >     >>
>> >     >> Paolo Perego
>> >     >> Daniel Cuthbert
>> >     >> Matthew Churcher
>> >     >> Lode Vanstechelman
>> >     >> Sebastien Gioria
>> >     >>
>> >     >>
>> >     >> Introduction and Project purpose for v4:
>> >     >> =========================================
>> >     >> The OWASP Testing Guide v3 includes a "best practice" penetration
>> >     >> testing framework which users can implement in their own organizations
>> >     >> and a "low level" penetration testing guide that describes techniques
>> >     >> for testing the most common web application and web service security
>> >     >> issues. Nowadays the Testing Guide has become the standard for performing
>> >     >> Web Application Penetration Testing, and many companies all around
>> >     >> the world have adopted it.
>> >     >> It is vital for the project to maintain an updated project that
>> >     >> represents the state of the art for WebAppSec.
>> >     >>
>> >     >> Project Roadmap
>> >     >> =============
>> >     >>
>> >     >> - (1) 1st phase: Brainstorming and creating a new table of contents
>> >     >>
>> >     >> Objective: create a new table of contents for the OTGv4,
>> >     >> assigning a task to each contributor.
>> >     >> I created a new OWASP Testing Guide v4 table of Contents here:
>> >     >>
>> >     >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>> >     >>
>> >     >> - (2) 2nd phase: Writing
>> >     >> 20th September 2012: Start writing the articles
>> >     >> 1st November 2012: 1st Draft
>> >     >> 30th November 2012: end of writing phase
>> >     >>
>> >     >> - (3) 3rd phase: Reviewing
>> >     >>
>> >     >> - 1st December 2012: Starting the review phase,
>> >     >> - 15th December 2012: Create the RC1,
>> >     >> - 31st January 2013: Release the version 4.
>> >     >>
>> >     >> Timeline November 2012 1st Draft, January 2013 Final Release
>> >     >>
>> >     >> So, let's start discussion about phase (1)!
>> >     >>
>> >     >> Thanks!
>> >     >> Mat
>> >     >>
>> >     >> --
>> >     >> Matteo Meucci
>> >     >> OWASP Testing Guide Lead
>> >     >> OWASP-Italy President
>> >     >>
>> >     >>
>> >     >> _______________________________________________
>> >     >> Owasp-testing mailing list
>> >     >> Owasp-testing at lists.owasp.org
>> >     >> https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >     >>
>> >     >
>> >
>> >     --
>> >     Matteo Meucci
>> >     OWASP Testing Guide Lead
>> >     OWASP Italy President
>> >
>> >
>> >
>> >
>> > --
>> > OWASP ZAP: Toolsmith Tool of the Year 2011
>> >
>> > <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>> >
>>
>> --
>> Matteo Meucci
>> OWASP Testing Guide Lead
>> OWASP Italy President
>
>
>
>
> --
> OWASP ZAP: Toolsmith Tool of the Year 2011
>
>
>