Re: [Owasp-webscarab] MITM proxies, Ontologies, and Enterprise Architecture

[Rogan Dawes <lists () dawes za net>]

Christopher H Mitchell wrote:
> I'll apologize for the cross posting up front, but I am interested in 
> any comments that might be offered
>  
> As a security analyst I find the WebScarab application and Pantera quite 
> helpful.  In fact, I am quite excited to find out how well the WebScarab 
> NG version will progress from this point.  I am constantly writing 
> /security reviews/ and maintain a /database/ detailing various facets of 
> my company's web apps.  NG's potential towards assisting in the data 
> collection process would be indispensable.  *Dreaming of open sourced 
> process automation*  For instance, I can use Pantera's MySQL store to 
> help automate the report writing.  Unfortunately, the feature set in the 
> new version of WebScarab is rather pale by comparison.
>  
> Given the recent focus on newer semantic and ontology based 
> technologies, it would make sense to organize our documentation in a 
> machine readable format some time in the near future.  The basic 
> frameworks are available to start migrating our "web app" security 
> database towards our own ontology; and a repository "worthy of the gods" 
> seems within our grasp.  However, I would be interested in your thoughts 
> on how I might learn more to attempt/assist in developing a solution 
> that would use Webscarab to facilitate some of this.
>  
> Virtually all of the information that Webscarab comes in contact with 
> would be potentially worthy of collection for expanding our site 
> documentation.  Although I am not a java developer by nature, I have 
> noticed the work at http://wscarabeclipse.sourceforge.net   I am willing 
> to further develop my understanding of java and the bean shell 
> framework, yet it all seems a bit overwhelming.  Nevertheless, the 
> Eclipse work seems to have grown stale and it would seem that scripting 
> around the problem might serve just as well for a solution.  Has there 
> been much consideration towards your software's future direction?
>  
> White Box assessments are killing our budget so I am thinking 
> open-source is a definite requirement.  I have even looked into how 
> Plone might do Content Management pretty well and Mantis offers a decent 
> bug tracking tool, as possibilities/alternatives would have it.  They 
> simply don't seem to feasible when the sites are hosted by external 
> servers or third parties and I want to keep the majority of our 
> Enterprise Architecture metadata in a centralized location.

Yes, WS-NG is still under development, and unfortunately, I don't get as 
much time as I'd like to work on it. That said, YOU can influence its 
future by participating on the mailing list, and coming up with 
suggestions. You can start by listing the kind of information that you'd 
like to be able to extract from it for your "documentation".

The Eclipse port of webscarab was done some time ago, and I never 
actually had anything to do with it, other than providing the core proxy 
that it used. I have no idea what its current status is.

So, once I have some kind of idea what information you want from 
WebScarab(-NG), I can certainly start to make some suggestions as to how 
you can go about getting it, whether with Bean Shell, or otherwise.

Regards,

Rogan


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------