[Owasp-testing] Testing Guide V4 - Start up

Matteo Meucci matteo.meucci at owasp.org
Fri Aug 31 11:08:32 UTC 2012


Yes, that's good.

I also think that this may require a lot of time to do for many
tools. We can do that only for OWASP tools, or only for ZAP, which is at
the moment the most active project related to the Testing Guide.

Mat

On 08/31/2012 01:05 PM, psiinon wrote:
> +1
> 
> On Fri, Aug 31, 2012 at 11:58 AM, Simone Onofri <simone.onofri at gmail.com> wrote:
> 
>     hi all,
> 
>     as for experience, some people like to have a paragraph called "tools"
>     on each test.
> 
>     but it can be nice to organize a table with tools (Simon, I love ZAP :) )
>     and tests covered?
> 
>     cheers,
> 
>     s.
> 
>     On Fri, Aug 31, 2012 at 12:48 PM, psiinon <psiinon at gmail.com> wrote:
>     > I'd definitely like to be closely involved in the ZAP related
>     > sections, but very happy for Amro to lead on it.
>     >
>     > Cheers,
>     >
>     > Simon
>     >
>     >
>     > On Fri, Aug 31, 2012 at 11:28 AM, Matteo Meucci
>     > <matteo.meucci at owasp.org> wrote:
>     >>
>     >> Hi Simon,
>     >> yep I agree.
>     >>
>     >> Maybe we can distinguish as follows for each paragraph:
>     >> - OWASP Tools:
>     >>  (Flagship, Labs, Incubator, Archive)
>     >> - Other Open Source tools:
>     >>
>     >> I think that a contributor should be dedicated to verifying which
>     >> tests are suitable using ZAP (maybe Amro, who writes the Appendix A
>     >> "Testing Tools")?
>     >>
>     >> Thanks,
>     >> Mat
>     >>
>     >>
>     >>
>     >> On 08/31/2012 09:56 AM, psiinon wrote:
>     >> > I think it's right for us to suggest an open source tool (or
>     >> > tools) for using in each section, however I don't think we should
>     >> > view this as a ZAP vs WebScarab contest.
>     >> > We want to suggest the best possible tool, but I also think that
>     >> > it's reasonable for us to /prefer/ OWASP ones.
>     >> > But we should also favour tools that are more mature and/or more
>     >> > frequently updated.
>     >> > For OWASP tools I think we can rely on the new classifications:
>     >> > Flagship, Labs, Incubator, Archive.
>     >> > So I think it's really a sliding scale.
>     >> > If there's a Flagship OWASP project that is great at finding a
>     >> > specific type of vulnerability then we should definitely use that
>     >> > as the example.
>     >> > If not then we have to balance how relevant that tool is likely to
>     >> > remain.
>     >> > A brand new Incubator project might be great in one specific case,
>     >> > but may also not really be in a fit state for most people to use,
>     >> > or the project may quickly wither and die.
>     >> > And if a well regarded non-OWASP open source tool is the best
>     >> > option then we should use that.
>     >> >
>     >> > Going back to ZAP, I obviously hope it will be the ideal tool in
>     >> > many cases :)
>     >> > And helping to establish if this is the case and explaining exactly
>     >> > how ZAP can be used may be the most effective way I can contribute
>     >> > to this guide.
>     >> >
>     >> > But I also want to use this process to learn where ZAP's weaknesses
>     >> > are.
>     >> > And depending on how long it takes to produce the guide we (the ZAP
>     >> > developers) may be able to enhance specific areas of ZAP as the
>     >> > work on the guide develops.
>     >> > So please let me know asap if/when you work on an area of the guide
>     >> > that you don't think ZAP is effective in helping with, or if you
>     >> > would like advice and guidance on how to use ZAP as effectively as
>     >> > possible.
>     >> >
>     >> > Cheers,
>     >> >
>     >> > Simon (ZAP Project Lead)
>     >> >
>     >> > On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci
>     >> > <matteo.meucci at owasp.org> wrote:
>     >> >
>     >> >     Perfect!
>     >> >     I've updated the wiki, thanks!
>     >> >
>     >> >     Mat
>     >> >
>     >> >     On 08/30/2012 11:15 PM, Amro wrote:
>     >> >     > Thanks Mat,
>     >> >     >
>     >> >     > Please assign this task to me and I will make sure that our
>     >> >     > tool sets are updated.
>     >> >     >
>     >> >     > Regards,
>     >> >     > Amro
>     >> >     > Sent from BlackBerry®. Excuse typos and brevity.
>     >> >     >
>     >> >     > -----Original Message-----
>     >> >     > From: Matteo Meucci <matteo.meucci at owasp.org>
>     >> >     > Date: Thu, 30 Aug 2012 23:11:41
>     >> >     > To: <amro at owasp.org>
>     >> >     > Cc: <owasp-testing-bounces at lists.owasp.org>; <owasp-testing at lists.owasp.org>
>     >> >     > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>     >> >     >
>     >> >     > Hi Amro,
>     >> >     > good question related to the tools. Here we have to update
>     >> >     > many references.
>     >> >     >
>     >> >     > Usually at the end of each article we suggest using a
>     >> >     > particular open source tool to perform the test. I think we
>     >> >     > can use and suggest both the tools in many situations.
>     >> >     > Also the Appendix A "Testing Tools" should pick all the
>     >> >     > testing tools cited in the Testing Guide and give more
>     >> >     > details.
>     >> >     >
>     >> >     > Thanks,
>     >> >     > Mat
>     >> >     >
>     >> >     > On 08/30/2012 10:58 PM, Amro wrote:
>     >> >     >> Please count me in as well .. Are we gonna use ZAP instead
>     >> >     >> of WebScarab in the new version?
>     >> >     >>
>     >> >     >> Regards,
>     >> >     >> Amro
>     >> >     >> Sent from BlackBerry®. Excuse typos and brevity.
>     >> >     >>
>     >> >     >> -----Original Message-----
>     >> >     >> From: Matteo Meucci <matteo.meucci at owasp.org>
>     >> >     >> Sender: owasp-testing-bounces at lists.owasp.org
>     >> >     >> Date: Thu, 30 Aug 2012 17:40:29
>     >> >     >> To: <owasp-testing at lists.owasp.org>
>     >> >     >> Subject: [Owasp-testing] Testing Guide V4 - Start up
>     >> >     >>
>     >> >     >> Hi all Testing Guide contributors.
>     >> >     >>
>     >> >     >> Testing Guide v4 has been approved as Projects Reboot 2012!
>     >> >     >> https://www.owasp.org/index.php/Projects_Reboot_2012
>     >> >     >>
>     >> >     >> Here is the list of contributors I've collected:
>     >> >     >>
>     >> >     >> Pavol Luptak
>     >> >     >> Marco Morana
>     >> >     >> Giorgio Fedon
>     >> >     >> Stefano Di Paola
>     >> >     >> Gianrico Ingrosso
>     >> >     >> Giuseppe Bonfà
>     >> >     >> Roberto Suggi Liverani
>     >> >     >> Robert Smith
>     >> >     >> Andrew Muller
>     >> >     >> Robert Winkel
>     >> >     >> tripurari rai
>     >> >     >> Thomas Ryan
>     >> >     >> tim bertels
>     >> >     >> Cecil Su
>     >> >     >> Aung KhAnt
>     >> >     >> Norbert Szetei
>     >> >     >> michael.boman
>     >> >     >> Wagner Elias
>     >> >     >> Kevin Horvat
>     >> >     >> Juan Galiana Lara
>     >> >     >> Kenan Gursoy
>     >> >     >> Jason Flood
>     >> >     >> Javier Marcos de Prado
>     >> >     >> Sumit Siddharth
>     >> >     >> Mike Hryekewicz
>     >> >     >> psiinon
>     >> >     >> Ray Schippers
>     >> >     >> Raul Siles
>     >> >     >> Jayanta Karmakar
>     >> >     >> Brad Causey
>     >> >     >> Vicente Aguilera
>     >> >     >> Ismael Gonçalves
>     >> >     >>
>     >> >     >> Reviewers team:
>     >> >     >>
>     >> >     >> Paolo Perego
>     >> >     >> Daniel Cuthbert
>     >> >     >> Matthew Churcher
>     >> >     >> Lode Vanstechelman
>     >> >     >> Sebastien Gioria
>     >> >     >>
>     >> >     >>
>     >> >     >> Introduction and Project purpose for v4:
>     >> >     >> =========================================
>     >> >     >> The OWASP Testing Guide v3 includes a "best practice"
>     >> >     >> penetration testing framework which users can implement in
>     >> >     >> their own organizations and a "low level" penetration testing
>     >> >     >> guide that describes techniques for testing most common web
>     >> >     >> application and web service security issues. Nowadays the
>     >> >     >> Testing Guide has become the standard to perform a Web
>     >> >     >> Application Penetration Testing and many Companies all around
>     >> >     >> the world have adopted it.
>     >> >     >> It is vital for the project to maintain an updated project
>     >> >     >> that represents the state of the art for WebAppSec.
>     >> >     >>
>     >> >     >> Project Roadmap
>     >> >     >> ===============
>     >> >     >>
>     >> >     >> - (1) 1st phase: Brainstorming and creating a new table of
>     >> >     >> contents
>     >> >     >>
>     >> >     >> Objective: creating a new table of contents of the OTGv4
>     >> >     >> assigning a task for each contributor.
>     >> >     >> I created a new OWASP Testing Guide v4 table of Contents
>     >> >     >> here:
>     >> >     >>
>     >> >     >> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>     >> >     >>
>     >> >     >> - (2) 2nd phase:  Writing
>     >> >     >> 20th September 2012: Start writing the articles
>     >> >     >> 1st November 2012: 1st Draft
>     >> >     >> 30th November: end of writing phase
>     >> >     >>
>     >> >     >> - (3) 3rd phase: Reviewing
>     >> >     >>
>     >> >     >> - 1st December 2012: Starting the review phase,
>     >> >     >> - 15th December 2012: Create the RC1,
>     >> >     >> - 31st January 2013: Release the version 4.
>     >> >     >>
>     >> >     >> Timeline November 2012 1st Draft, January 2013 Final Release
>     >> >     >>
>     >> >     >> So, let's start discussion about phase (1)!
>     >> >     >>
>     >> >     >> Thanks!
>     >> >     >> Mat
>     >> >     >>
>     >> >     >> --
>     >> >     >> Matteo Meucci
>     >> >     >> OWASP Testing Guide Lead
>     >> >     >> OWASP-Italy President
>     >> >     >>
>     >> >     >>
>     >> >     >> _______________________________________________
>     >> >     >> Owasp-testing mailing list
>     >> >     >> Owasp-testing at lists.owasp.org
>     >> >     >> https://lists.owasp.org/mailman/listinfo/owasp-testing
>     >> >     >>
>     >> >     >
>     >> >
>     >> >     --
>     >> >     Matteo Meucci
>     >> >     OWASP Testing Guide Lead
>     >> >     OWASP Italy President
>     >> >
>     >> >
>     >> >
>     >> >
>     >> > --
>     >> > OWASP ZAP: Toolsmith Tool of the Year 2011
>     >> > <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>     >> >
>     >>
>     >> --
>     >> Matteo Meucci
>     >> OWASP Testing Guide Lead
>     >> OWASP Italy President
>     >
>     >
>     >
>     >
>     > --
>     > OWASP ZAP: Toolsmith Tool of the Year 2011
>     >
>     >
>     >
> 
> 
> 
> 
> -- 
> OWASP ZAP: Toolsmith Tool of the Year 2011
> <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
> 

-- 
Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President

