[WEB SECURITY] MITM proxies, Ontologies, and Enterprise Architecture

Christopher H Mitchell itasca at insightbb.com
Tue Apr 8 12:06:51 EDT 2008

I'll apologize for the cross posting up front, but I am interested in any
comments that might be offered.

As a security analyst I find the WebScarab application and Pantera quite
helpful.  In fact, I am quite excited to find out how well the WebScarab NG
version will progress from this point.  I am constantly writing security
reviews and maintain a database detailing various facets of my company's web
apps.  NG's potential towards assisting in the data collection process would
be indispensable.  *Dreaming of open sourced process automation*  For
instance, I can use Pantera's MySQL store to help automate the report
writing.  Unfortunately, the feature set in the new version of WebScarab is
rather pale by comparison.

Given the recent focus on newer semantic and ontology based technologies, it
would make sense to organize our documentation in a machine readable format
some time in the near future.  The basic frameworks are available to start
migrating our "web app" security database towards our own ontology; and a
repository "worthy of the gods" seems within our grasp.  However, I would be
interested in your thoughts on how I might learn more to attempt/assist in
developing a solution that would use Webscarab to facilitate some of this.
Virtually all of the information that Webscarab comes in contact with would
be potentially worthy of collection for expanding our site documentation.
Although I am not a Java developer by nature, I have noticed the work at
http://wscarabeclipse.sourceforge.net. I am willing to further develop my
understanding of java and the bean shell framework, yet it all seems a bit
overwhelming.  Nevertheless, the Eclipse work seems to have grown stale and
it would seem that scripting around the problem might serve just as well for
a solution.  Has there been much consideration towards your software's
future direction?

White Box assessments are killing our budget so I am thinking open-source is
a definite requirement.  I have even looked into how Plone might do Content
Management pretty well and Mantis offers a decent bug tracking tool, as
possibilities/alternatives would have it.  They simply don't seem
feasible when the sites are hosted by external servers or third parties and
I want to keep the majority of our Enterprise Architecture metadata in a
centralized location.