Christopher H Mitchell wrote:
I'll apologize for the cross posting up front, but I am interested in
any comments that might be offered
As a security analyst I find the WebScarab application and Pantera quite
helpful. In fact, I am quite excited to find out how well the WebScarab
NG version will progress from this point. I am constantly writing
/security reviews/ and maintain a /database/ detailing various facets of
my company's web apps. NG's potential towards assisting in the data
collection process would be indispensable. *Dreaming of open sourced
process automation* For instance, I can use Pantera's MySQL store to
help automate the report writing. Unfortunately, the feature set in the
new version of WebScarab is rather pale by comparison.
Given the recent focus on newer semantic and ontology based
technologies, it would make sense to organize our documentation in a
machine readable format some time in the near future. The basic
frameworks are available to start migrating our "web app" security
database towards our own ontology; and a repository "worthy of the gods"
seems within our grasp. However, I would be interested in your thoughts
on how I might learn more to attempt/assist in developing a solution
that would use Webscarab to facilitate some of this.
Virtually all of the information that Webscarab comes in contact with
would be potentially worthy of collection for expanding our site
documentation. Although I am not a java developer by nature, I have
noticed the work at http://wscarabeclipse.sourceforge.net I am willing
to further develop my understanding of java and the bean shell
framework, yet it all seems a bit overwhelming. Nevertheless, the
Eclipse work seems to have grown stale and it would seem that scripting
around the problem might serve just as well for a solution. Has there
been much consideration towards your software's future direction?
White Box assessments are killing our budget so I am thinking
open-source is a definite requirement. I have even looked into how
Plone might do Content Management pretty well and Mantis offers a decent
bug tracking tool, as possibilities/alternatives would have it. They
simply don't seem to feasible when the sites are hosted by external
servers or third parties and I want to keep the majority of our
Enterprise Architecture metadata in a centralized location.
Yes, WS-NG is still under development, and unfortunately, I don't get as
much time as I'd like to work on it. That said, YOU can influence its
future by participating on the mailing list, and coming up with
suggestions. You can start by listing the kind of information that you'd
like to be able to extract from it for your "documentation".
The Eclipse port of webscarab was done some time ago, and I never
actually had anything to do with it, other than providing the core proxy
that it used. I have no idea what its current status is.
So, once I have some kind of idea what information you want from
WebScarab(-NG), I can certainly start to make some suggestions as to how
you can go about getting it, whether with Bean Shell, or otherwise.
Regards,
Rogan
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
