Jason,

Hope this helps. You might want to consider signing up for webappsec if you're into web security. Also, http://www.owasp.org/testing/ has a little more information.

apl

----- Original Message -----
From: "Mark Curphey" <markat_private>
To: <webappsecat_private>
Sent: Monday, August 05, 2002 10:52 PM
Subject: OWASP Update

> Seems like ages since I sent out an OWASP update, and as the list seems pretty quiet these days (with people nursing hangovers from last week's festivities in Vegas no doubt), so here goes.
>
> Firstly, we are proud to say we have a few initial sponsors. We have an anonymous donor of unlimited bandwidth and some rack space (Steve, you are a hero) where we will be housing the portal. Secondly, Altova have given all OWASP contributors a copy of their XML tool, which supports DocBook, so we can move all documentation to an open format. Lastly, Butterflysecurity.com have donated some hardware for the portal and development resources for the VulnXML application. Very, very much appreciated, and it will be put to some very good use.
>
> WebScarab - For those that don't know, WebScarab is aiming to be the Nessus of the webappsec world and continues to be the No 1 priority and the most challenging and rewarding project to date. There is now a GUI, the spider's working, and XSS, SQL injection and session hijacking will be working very soon. Why is it taking so long? Well, apart from the fact it's volunteers, things are being done WELL rather than fast. No cutting corners! WebScarab will be able to be back-ended by an array of databases, for instance MySQL, Postgres or Oracle! You get to choose. This baby will scale outside of a lab! The spider will deal with various MIME types, so it can potentially spider PDF and Flash etc. as well as work with JavaScript. You can always take a look at the code in the CVS. There's even a module sandbox being developed so people can run untrusted checks in the tool without worry of compromise. A big kudos has to go to Ingo Struck, Steve Taylor, Tim Panton, Zed Shaw and Apurv Singh for the work so far. As always, serious Java developers are always welcome and needed. Oh, and did we mention it is open source, Java, free and extensible!
>
> OWASP Portal (replacement for the current www.owasp.org) is underway and will be built on UPortal (www.ja-sig.org) with a Jive channel for a forum. As well as the current content (in a much more efficient and pleasant layout), there will be a customizable news channel where you can select news for technologies you are interested in, and vulnerability alerts where you can again select technologies you care about and see the history of those alerts in your alerts tab. The portal will also host the VulnXML application below.
>
> OWASP Guide to Building Secure Web Applications - was downloaded more than 60,000 times in the first month and continues to see constant downloads. It's now being ported to DocBook format, where various typos etc. will be changed. A complete re-write is then on the cards for version 2 thanks to many new volunteers and great feedback. Web Services will be a good sized portion. That project now has its own Sourceforge site, btw.
>
> OWASP WebMaven will be released in the first week of September. WebMaven is an intentionally broken web application written in Perl that you can run on your own Apache web server and investigate web appsec security holes and issues in the safety of your own machines. The first release has a SQL injection bug, an XSS and some other problems, and future releases are likely to support skins, dynamic vulnerabilities, more holes and other cool features. We also hope to integrate it into the HoneyD application at the HoneyNet Project. There is a project page at Sourceforge, and the page at owasp.org will go up in a few weeks.
>
> Filters had several false starts, but I recently saw a cool design document and know code is very hot on its heels. The OWASP filters project will create a set of "stackable" rule sets that address various boundary conditions that exist in programs. Each rule set will address a boundary or target environment, specifically allowing certain types of data that should be allowed for each environment. Probably available in Java, PHP and C initially, but to be decided.
>
> VulnXML is moving along nicely but needs to wait till the portal is done before it can really come into its own. We will be building a web based application to allow people to both report vulnerabilities in the format and to author / QA current checks in the queue with workflow. Anyone will be able to consume the checks, and WebScarab will certainly be right up there in the queue. If you haven't read the vision doc on the site, it's well worth it.
>
> Last but not least is the OWASP Testing Project. David "securitypimp" Endler (don't believe me? check out www.securitypimps.com) is doing a great job of getting people to author all sorts of things for this project. There will be flowcharts of how to logically test things, templates for planning and a whole bunch more cool stuff. I won't steal his thunder, but it's going to be very cool, and drafts are due in August 19th if I recall.
>
> As always, we always need serious Java developers, a professional graphics person and anyone else with a skill and some spare time, as well as sponsorship etc. The web site www.owasp.org has more details and vision documents for most projects; the corresponding Sourceforge page has the code trees etc.
>
> And on that note, I owe the pimpadaddy some text!
>
> ----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 10:52:55 PDT