+1<br><br><div class="gmail_quote">On Fri, Aug 31, 2012 at 11:58 AM, Simone Onofri <span dir="ltr"><<a href="mailto:simone.onofri@gmail.com" target="_blank">simone.onofri@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
hi all,<br>
<br>
as for experience some people like to have a paragraph called "tools"<br>
on each test.<br>
<br>
but can be nice to organize a table with tools (simon, i love zap :) )<br>
and test covered?<br>
<br>
cheers,<br>
<br>
s.<br>
<div><div class="h5"><br>
On Fri, Aug 31, 2012 at 12:48 PM, psiinon <<a href="mailto:psiinon@gmail.com">psiinon@gmail.com</a>> wrote:<br>
> I'd definitely like to be closely involved in the ZAP related sections, but<br>
> very happy for Amro to lead on it.<br>
><br>
> Cheers,<br>
><br>
> Simon<br>
><br>
><br>
> On Fri, Aug 31, 2012 at 11:28 AM, Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</a>><br>
> wrote:<br>
>><br>
>> Hi Simon,<br>
>> yep I agree.<br>
>><br>
>> Maybe we can distinguish as follow for each paragraph:<br>
>> - OWASP Tools:<br>
>> (Flagship, Labs, Incubator, Archive)<br>
>> - Other Open Source tools:<br>
>><br>
>> I think that a contributor should be dedicated to verifies which tests<br>
>> are suitable using ZAP (maybe Amro who writes the Appendix A "Testing<br>
>> Tools")?<br>
>><br>
>> Thanks,<br>
>> Mat<br>
>><br>
>><br>
>><br>
>> On 08/31/2012 09:56 AM, psiinon wrote:<br>
>> > I think its right for us to suggest an open source tool (or tools) for<br>
>> > using in each section, however I dont think we should view this as a ZAP<br>
>> > vs WebScarab contest.<br>
>> > We want to suggest the best possible tool, but I also think that its<br>
>> > reasonable for us to /prefer /OWASP ones.<br>
>> > But we should also favour tools that are more mature and/or more<br>
>> > frequently updated.<br>
>> > For OWASP tools I think we can rely on the new classifications:<br>
>> > Flagship, Labs, Incubator, Archive.<br>
>> > So I think its really a sliding scale.<br>
>> > If theres a Flagship OWASP project that is great at finding a specific<br>
>> > type of vulnerability then we should definitely use that as the example.<br>
>> > If not then we have to balance how relevant that tool is likely to<br>
>> > remain.<br>
>> > A brand new Incubator project might be great in one specific case, but<br>
>> > may also not really be in a fit state for most people to use, or the<br>
>> > project may quickly wither and die.<br>
>> > And if a well regarded non OWASP open source tool is the best option<br>
>> > then we should use that.<br>
>> ><br>
>> > Going back to ZAP, I obviously hope it will be the ideal tool in many<br>
>> > cases :)<br>
>> > And helping to establish if this is the case and explaining exactly how<br>
>> > ZAP can be used may be the most effective way I can contribute to this<br>
>> > guide.<br>
>> ><br>
>> > But I also want to use this process to learn where ZAP's weaknesses are.<br>
>> > And depending on how long it takes to produce the guide we (the ZAP<br>
>> > developers) may be able to enhance specific areas of ZAP as the work on<br>
>> > the guide develops.<br>
>> > So please let me know asap if/when you work on an area of the guide that<br>
>> > you dont think ZAP is effective in helping with, or if you would like<br>
>> > advice and guidance on how to use ZAP as effectively as possible.<br>
>> ><br>
>> > Cheers,<br>
>> ><br>
>> > Simon (ZAP Project Lead)<br>
>> ><br>
>> > On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</a><br>
>> > <mailto:<a href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</a>>> wrote:<br>
>> ><br>
>> > Perfect!<br>
>> > I've updated the wiki, thanks!<br>
>> ><br>
>> > Mat<br>
>> ><br>
>> > On 08/30/2012 11:15 PM, Amro wrote:<br>
>> > > Thanks Mat,<br>
>> > ><br>
>> > > Please assign this task to me and I will make sure that our tool<br>
>> > sets are updated.<br>
>> > ><br>
>> > > Regards,<br>
>> > > Amro<br>
>> > > Sent from BlackBerry®. Excuse typo's and brevity.<br>
>> > ><br>
>> > > -----Original Message-----<br>
>> > > From: Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</a><br>
>> > <mailto:<a href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</a>>><br>
>> > > Date: Thu, 30 Aug 2012 23:11:41<br>
>> > > To: <<a href="mailto:amro@owasp.org">amro@owasp.org</a> <mailto:<a href="mailto:amro@owasp.org">amro@owasp.org</a>>><br>
>> > > Cc: <<a href="mailto:owasp-testing-bounces@lists.owasp.org">owasp-testing-bounces@lists.owasp.org</a><br>
>> > <mailto:<a href="mailto:owasp-testing-bounces@lists.owasp.org">owasp-testing-bounces@lists.owasp.org</a>>>;<br>
>> > <<a href="mailto:owasp-testing@lists.owasp.org">owasp-testing@lists.owasp.org</a><br>
>> > <mailto:<a href="mailto:owasp-testing@lists.owasp.org">owasp-testing@lists.owasp.org</a>>><br>
>> > > Subject: Re: [Owasp-testing] Testing Guide V4 - Start up<br>
>> > ><br>
>> > > Hi Amro,<br>
>> > > good question related to the tools. Here we have to update many<br>
>> > references.<br>
>> > ><br>
>> > > Usually at the end of each article we suggest to use a particular<br>
>> > open<br>
>> > > source tool to perform the test. I think we can use and suggest<br>
>> > both the<br>
>> > > tools in many situations.<br>
>> > > Also the Appendix A "Testing Tools" should pick all the testing<br>
>> > tools<br>
>> > > cited in the Testing Guide and give more details.<br>
>> > ><br>
>> > > Thanks,<br>
>> > > Mat<br>
>> > ><br>
>> > > On 08/30/2012 10:58 PM, Amro wrote:<br>
>> > >> Please count me in as well .. Are we gonna use ZAP instead of<br>
>> > WebScarab in the new version?<br>
>> > >><br>
>> > >> Regards,<br>
>> > >> Amro<br>
>> > >> Sent from BlackBerry®. Excuse typo's and brevity.<br>
>> > >><br>
>> > >> -----Original Message-----<br>
>> > >> From: Matteo Meucci <<a href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</a><br>
>> > <mailto:<a href="mailto:matteo.meucci@owasp.org">matteo.meucci@owasp.org</a>>><br>
>> > >> Sender: <a href="mailto:owasp-testing-bounces@lists.owasp.org">owasp-testing-bounces@lists.owasp.org</a><br>
>> > <mailto:<a href="mailto:owasp-testing-bounces@lists.owasp.org">owasp-testing-bounces@lists.owasp.org</a>><br>
>> > >> Date: Thu, 30 Aug 2012 17:40:29<br>
>> > >> To: <<a href="mailto:owasp-testing@lists.owasp.org">owasp-testing@lists.owasp.org</a><br>
>> > <mailto:<a href="mailto:owasp-testing@lists.owasp.org">owasp-testing@lists.owasp.org</a>>><br>
>> > >> Subject: [Owasp-testing] Testing Guide V4 - Start up<br>
>> > >><br>
>> > >> Hi all Testing Guide contributors.<br>
>> > >><br>
>> > >> Testing Guide v4 has been approved as Projects Reboot 2012!<br>
>> > >> <a href="https://www.owasp.org/index.php/Projects_Reboot_2012" target="_blank">https://www.owasp.org/index.php/Projects_Reboot_2012</a><br>
>> > >><br>
>> > >> Here is the list of contributors I've collected:<br>
>> > >><br>
>> > >> Pavol Luptak<br>
>> > >> Marco Morana<br>
>> > >> Giorgio Fedon<br>
>> > >> Stefano Di Paola<br>
>> > >> Gianrico Ingrosso<br>
>> > >> Giuseppe Bonfŕ<br>
>> > >> Roberto Suggi Liverani<br>
>> > >> Robert Smith<br>
>> > >> Andrew Muller<br>
>> > >> Robert Winkel<br>
>> > >> tripurari rai<br>
>> > >> Thomas Ryan<br>
>> > >> tim bertels<br>
>> > >> Cecil Su<br>
>> > >> Aung KhAnt<br>
>> > >> Norbert Szetei<br>
>> > >> michael.boman<br>
>> > >> Wagner Elias<br>
>> > >> Kevin Horvat<br>
>> > >> Juan Galiana Lara<br>
>> > >> Kenan Gursoy<br>
>> > >> Jason Flood<br>
>> > >> Javier Marcos de Prado<br>
>> > >> Sumit Siddharth<br>
>> > >> Mike Hryekewicz<br>
>> > >> psiinon<br>
>> > >> Ray Schippers<br>
>> > >> Raul Siles<br>
>> > >> Jayanta Karmakar<br>
>> > >> Brad Causey<br>
>> > >> Vicente Aguilera<br>
>> > >> Ismael Gonçalves<br>
>> > >><br>
>> > >> Reviewers team:<br>
>> > >><br>
>> > >> Paolo Perego<br>
>> > >> Daniel Cuthbert<br>
>> > >> Matthew Churcher<br>
>> > >> Lode Vanstechelman<br>
>> > >> Sebastien Gioria<br>
>> > >><br>
>> > >><br>
>> > >> Introduction and Project purpose for v4:<br>
>> > >> ============================ =============<br>
>> > >> The OWASP Testing Guide v3 includes a "best practice" penetration<br>
>> > >> testing framework which users can implement in their own<br>
>> > organizations<br>
>> > >> and a "low level" penetration testing guide that describes<br>
>> > techniques<br>
>> > >> for testing most common web application and web service security<br>
>> > >> issues. Nowadays the Testing Guide has become the standard to<br>
>> > perform<br>
>> > >> a Web Application Penetration Testing and many Companies all<br>
>> > around<br>
>> > >> the world have adopted it.<br>
>> > >> It is vital for the project mantaining an updated project that<br>
>> > >> represents the state of the art for WebAppSec.<br>
>> > >><br>
>> > >> Project Roadmap<br>
>> > >> =============<br>
>> > >><br>
>> > >> - (1) 1st phase: Brainstorming and create a new table of contents<br>
>> > >><br>
>> > >> Objective: creating a new table of contents of the OTGv4<br>
>> > >> assigning a task for each contributor.<br>
>> > >> I created a new OWASP Testing Guide v4 table of Contents here:<br>
>> > >><br>
>> ><br>
>> > <a href="https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents" target="_blank">https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents</a><br>
>> > >><br>
>> > >> - (2) 2nd phase: Writing<br>
>> > >> 20th September 2012: Start writing the articles<br>
>> > >> 1st November 2012: 1st Draft<br>
>> > >> 30th November: end of writing phase<br>
>> > >><br>
>> > >> - (3) 3rd phase: Reviewing<br>
>> > >><br>
>> > >> - 1st December 2012: Starting the review phase,<br>
>> > >> - 15th December 2012: Create the RC1,<br>
>> > >> - 31st January 2013: Release the version 4.<br>
>> > >><br>
>> > >> Timeline November 2012 1st Draft, January 2013 Final Release<br>
>> > >><br>
>> > >> So, let's start discussion about phase (1)!<br>
>> > >><br>
>> > >> Thanks!<br>
>> > >> Mat<br>
>> > >><br>
>> > >> --<br>
>> > >> Matteo Meucci<br>
>> > >> OWASP Testing Guide Lead<br>
>> > >> OWASP-Italy President<br>
>> > >><br>
>> > >><br>
>> > >> _______________________________________________<br>
>> > >> Owasp-testing mailing list<br>
>> > >> <a href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</a><br>
>> > <mailto:<a href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</a>><br>
>> > >> <a href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-testing</a><br>
>> > >><br>
>> > ><br>
>> ><br>
>> > --<br>
>> > --<br>
>> > Matteo Meucci<br>
>> > OWASP Testing Guide Lead<br>
>> > OWASP Italy President<br>
>> > _______________________________________________<br>
>> > Owasp-testing mailing list<br>
>> > <a href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</a> <mailto:<a href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</a>><br>
>> > <a href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-testing</a><br>
>> ><br>
>> ><br>
>> ><br>
>> ><br>
>> > --<br>
>> > OWASP ZAP: Toolsmith Tool of the Year 2011<br>
>> ><br>
>> > <<a href="http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html" target="_blank">http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html</a>><br>
>> ><br>
>><br>
>> --<br>
>> --<br>
>> Matteo Meucci<br>
>> OWASP Testing Guide Lead<br>
>> OWASP Italy President<br>
><br>
><br>
><br>
><br>
> --<br>
> OWASP ZAP: Toolsmith Tool of the Year 2011<br>
><br>
><br>
> _______________________________________________<br>
> Owasp-testing mailing list<br>
> <a href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</a><br>
</div></div>> <a href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-testing</a><br>
><br>
</blockquote></div><br><br clear="all"><br>-- <br>OWASP ZAP: <a href="http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html" target="_blank">Toolsmith Tool of the Year 2011</a><br><br>