[Owasp-testing] Testing Guide V4 - Start up

psiinon psiinon at gmail.com
Fri Aug 31 11:05:22 UTC 2012


+1

On Fri, Aug 31, 2012 at 11:58 AM, Simone Onofri <simone.onofri at gmail.com> wrote:

> hi all,
>
> From experience, some people like to have a paragraph called "tools"
> on each test.
>
> but it can be nice to organize a table with tools (Simon, I love ZAP :) )
> and tests covered?
>
> cheers,
>
> s.
>
> On Fri, Aug 31, 2012 at 12:48 PM, psiinon <psiinon at gmail.com> wrote:
> > I'd definitely like to be closely involved in the ZAP related sections, but
> > very happy for Amro to lead on it.
> >
> > Cheers,
> >
> > Simon
> >
> >
> > On Fri, Aug 31, 2012 at 11:28 AM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
> >>
> >> Hi Simon,
> >> yep I agree.
> >>
> >> Maybe we can distinguish as follows for each paragraph:
> >> - OWASP Tools:
> >>  (Flagship, Labs, Incubator, Archive)
> >> - Other Open Source tools:
> >>
> >> I think that a contributor should be dedicated to verifying which tests
> >> are suitable using ZAP (maybe Amro, who writes the Appendix A "Testing
> >> Tools")?
> >>
> >> Thanks,
> >> Mat
> >>
> >>
> >>
> >> On 08/31/2012 09:56 AM, psiinon wrote:
> >> > I think it's right for us to suggest an open source tool (or tools) for
> >> > using in each section, however I don't think we should view this as a ZAP
> >> > vs WebScarab contest.
> >> > We want to suggest the best possible tool, but I also think that it's
> >> > reasonable for us to /prefer /OWASP ones.
> >> > But we should also favour tools that are more mature and/or more
> >> > frequently updated.
> >> > For OWASP tools I think we can rely on the new classifications:
> >> > Flagship, Labs, Incubator, Archive.
> >> > So I think it's really a sliding scale.
> >> > If there's a Flagship OWASP project that is great at finding a specific
> >> > type of vulnerability then we should definitely use that as the example.
> >> > If not then we have to balance how relevant that tool is likely to
> >> > remain.
> >> > A brand new Incubator project might be great in one specific case, but
> >> > may also not really be in a fit state for most people to use, or the
> >> > project may quickly wither and die.
> >> > And if a well regarded non OWASP open source tool is the best option
> >> > then we should use that.
> >> >
> >> > Going back to ZAP, I obviously hope it will be the ideal tool in many
> >> > cases :)
> >> > And helping to establish if this is the case and explaining exactly how
> >> > ZAP can be used may be the most effective way I can contribute to this
> >> > guide.
> >> >
> >> > But I also want to use this process to learn where ZAP's weaknesses are.
> >> > And depending on how long it takes to produce the guide we (the ZAP
> >> > developers) may be able to enhance specific areas of ZAP as the work on
> >> > the guide develops.
> >> > So please let me know asap if/when you work on an area of the guide that
> >> > you don't think ZAP is effective in helping with, or if you would like
> >> > advice and guidance on how to use ZAP as effectively as possible.
> >> >
> >> > Cheers,
> >> >
> >> > Simon (ZAP Project Lead)
> >> >
> >> > On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
> >> >
> >> >     Perfect!
> >> >     I've updated the wiki, thanks!
> >> >
> >> >     Mat
> >> >
> >> >     On 08/30/2012 11:15 PM, Amro wrote:
> >> >     > Thanks Mat,
> >> >     >
> >> >     > Please assign this task to me and I will make sure that our tool
> >> >     > sets are updated.
> >> >     >
> >> >     > Regards,
> >> >     > Amro
> >> >     > Sent from BlackBerry®. Excuse typo's and brevity.
> >> >     >
> >> >     > -----Original Message-----
> >> >     > From: Matteo Meucci <matteo.meucci at owasp.org>
> >> >     > Date: Thu, 30 Aug 2012 23:11:41
> >> >     > To: <amro at owasp.org>
> >> >     > Cc: <owasp-testing-bounces at lists.owasp.org>; <owasp-testing at lists.owasp.org>
> >> >     > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
> >> >     >
> >> >     > Hi Amro,
> >> >     > good question related to the tools. Here we have to update many
> >> >     > references.
> >> >     >
> >> >     > Usually at the end of each article we suggest to use a particular
> >> >     > open source tool to perform the test. I think we can use and suggest
> >> >     > both the tools in many situations.
> >> >     > Also the Appendix A "Testing Tools" should pick all the testing
> >> >     > tools cited in the Testing Guide and give more details.
> >> >     >
> >> >     > Thanks,
> >> >     > Mat
> >> >     >
> >> >     > On 08/30/2012 10:58 PM, Amro wrote:
> >> >     >> Please count me in as well .. Are we gonna use ZAP instead of
> >> >     >> WebScarab in the new version?
> >> >     >>
> >> >     >> Regards,
> >> >     >> Amro
> >> >     >> Sent from BlackBerry®. Excuse typo's and brevity.
> >> >     >>
> >> >     >> -----Original Message-----
> >> >     >> From: Matteo Meucci <matteo.meucci at owasp.org>
> >> >     >> Sender: owasp-testing-bounces at lists.owasp.org
> >> >     >> Date: Thu, 30 Aug 2012 17:40:29
> >> >     >> To: <owasp-testing at lists.owasp.org>
> >> >     >> Subject: [Owasp-testing] Testing Guide V4 - Start up
> >> >     >>
> >> >     >> Hi all Testing Guide contributors.
> >> >     >>
> >> >     >> Testing Guide v4 has been approved as Projects Reboot 2012!
> >> >     >> https://www.owasp.org/index.php/Projects_Reboot_2012
> >> >     >>
> >> >     >> Here is the list of contributors I've collected:
> >> >     >>
> >> >     >> Pavol Luptak
> >> >     >> Marco Morana
> >> >     >> Giorgio Fedon
> >> >     >> Stefano Di Paola
> >> >     >> Gianrico Ingrosso
> >> >     >> Giuseppe Bonfà
> >> >     >> Roberto Suggi Liverani
> >> >     >> Robert Smith
> >> >     >> Andrew Muller
> >> >     >> Robert Winkel
> >> >     >> tripurari rai
> >> >     >> Thomas Ryan
> >> >     >> tim bertels
> >> >     >> Cecil Su
> >> >     >> Aung KhAnt
> >> >     >> Norbert Szetei
> >> >     >> michael.boman
> >> >     >> Wagner Elias
> >> >     >> Kevin Horvat
> >> >     >> Juan Galiana Lara
> >> >     >> Kenan Gursoy
> >> >     >> Jason Flood
> >> >     >> Javier Marcos de Prado
> >> >     >> Sumit Siddharth
> >> >     >> Mike Hryekewicz
> >> >     >> psiinon
> >> >     >> Ray Schippers
> >> >     >> Raul Siles
> >> >     >> Jayanta Karmakar
> >> >     >> Brad Causey
> >> >     >> Vicente Aguilera
> >> >     >> Ismael Gonçalves
> >> >     >>
> >> >     >> Reviewers team:
> >> >     >>
> >> >     >> Paolo Perego
> >> >     >> Daniel Cuthbert
> >> >     >> Matthew Churcher
> >> >     >> Lode Vanstechelman
> >> >     >> Sebastien Gioria
> >> >     >>
> >> >     >>
> >> >     >> Introduction and Project purpose for v4:
> >> >     >> =========================================
> >> >     >> The OWASP Testing Guide v3 includes a "best practice" penetration
> >> >     >> testing framework which users can implement in their own organizations
> >> >     >> and a "low level" penetration testing guide that describes techniques
> >> >     >> for testing most common web application and web service security
> >> >     >> issues. Nowadays the Testing Guide has become the standard to perform
> >> >     >> Web Application Penetration Testing and many Companies all around
> >> >     >> the world have adopted it.
> >> >     >> It is vital for the project to maintain an updated project that
> >> >     >> represents the state of the art for WebAppSec.
> >> >     >>
> >> >     >> Project Roadmap
> >> >     >> =============
> >> >     >>
> >> >     >> - (1) 1st phase: Brainstorming and create a new table of contents
> >> >     >>
> >> >     >> Objective: creating a new table of contents of the OTGv4
> >> >     >> assigning a task for each contributor.
> >> >     >> I created a new OWASP Testing Guide v4 table of Contents here:
> >> >     >>
> >> >     >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> >> >     >>
> >> >     >> - (2) 2nd phase:  Writing
> >> >     >> 20th September 2012: Start writing the articles
> >> >     >> 1st November 2012: 1st Draft
> >> >     >> 30th November: end of writing phase
> >> >     >>
> >> >     >> - (3) 3rd phase: Reviewing
> >> >     >>
> >> >     >> - 1st December 2012: Starting the review phase,
> >> >     >> - 15th December 2012: Create the RC1,
> >> >     >> - 31st January 2013: Release the version 4.
> >> >     >>
> >> >     >> Timeline November 2012 1st Draft, January 2013 Final Release
> >> >     >>
> >> >     >> So, let's start discussion about phase (1)!
> >> >     >>
> >> >     >> Thanks!
> >> >     >> Mat
> >> >     >>
> >> >     >> --
> >> >     >> Matteo Meucci
> >> >     >> OWASP Testing Guide Lead
> >> >     >> OWASP-Italy President
> >> >     >>
> >> >     >>
> >> >     >> _______________________________________________
> >> >     >> Owasp-testing mailing list
> >> >     >> Owasp-testing at lists.owasp.org
> >> >     >> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >> >     >>
> >> >     >
> >> >
> >> >     --
> >> >     Matteo Meucci
> >> >     OWASP Testing Guide Lead
> >> >     OWASP Italy President
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > OWASP ZAP: Toolsmith Tool of the Year 2011
> >> > <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
> >> >
> >>
> >> --
> >> Matteo Meucci
> >> OWASP Testing Guide Lead
> >> OWASP Italy President
> >
> >
> >
> >
> >
>



-- 
OWASP ZAP: Toolsmith Tool of the Year 2011
<http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>

