[WEB SECURITY] Re: [Owasp-webscarab] MITM proxies, Ontologies, and Enterprise Architecture
lists at dawes.za.net
Tue Apr 8 13:24:37 EDT 2008
Christopher H Mitchell wrote:
> I'll apologize for the cross posting up front, but I am interested in
> any comments that might be offered.
> As a security analyst I find the WebScarab application and Pantera quite
> helpful. In fact, I am quite excited to find out how well the WebScarab
> NG version will progress from this point. I am constantly writing
> /security reviews/ and maintain a /database/ detailing various facets of
> my company's web apps. NG's potential towards assisting in the data
> collection process would be indispensable. *Dreaming of open sourced
> process automation* For instance, I can use Pantera's MySQL store to
> help automate the report writing. Unfortunately, the feature set in the
> new version of WebScarab is rather pale by comparison.
> Given the recent focus on newer semantic and ontology based
> technologies, it would make sense to organize our documentation in a
> machine readable format some time in the near future. The basic
> frameworks are available to start migrating our "web app" security
> database towards our own ontology; and a repository "worthy of the gods"
> seems within our grasp. However, I would be interested in your thoughts
> on how I might learn more to attempt/assist in developing a solution
> that would use Webscarab to facilitate some of this.
> Virtually all of the information that Webscarab comes in contact with
> would be potentially worthy of collection for expanding our site
> documentation. Although I am not a java developer by nature, I have
> noticed the work at http://wscarabeclipse.sourceforge.net I am willing
> to further develop my understanding of java and the bean shell
> framework, yet it all seems a bit overwhelming. Nevertheless, the
> Eclipse work seems to have grown stale and it would seem that scripting
> around the problem might serve just as well for a solution. Has there
> been much consideration towards your software's future direction?
> White Box assessments are killing our budget so I am thinking
> open-source is a definite requirement. I have even looked into how
> Plone might do Content Management pretty well and Mantis offers a decent
> bug tracking tool, as possibilities/alternatives would have it. They
> simply don't seem feasible when the sites are hosted by external
> servers or third parties and I want to keep the majority of our
> Enterprise Architecture metadata in a centralized location.
Yes, WS-NG is still under development, and unfortunately, I don't get as
much time as I'd like to work on it. That said, YOU can influence its
future by participating on the mailing list, and coming up with
suggestions. You can start by listing the kind of information that you'd
like to be able to extract from it for your "documentation".
The Eclipse port of webscarab was done some time ago, and I never
actually had anything to do with it, other than providing the core proxy
that it used. I have no idea what its current status is.
So, once I have some kind of idea what information you want from
WebScarab(-NG), I can certainly start to make some suggestions as to how
you can go about getting it, whether with Bean Shell, or otherwise.