This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011/Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation"

From OWASP
Jump to: navigation, search
 
(34 intermediate revisions by 18 users not shown)
Line 1: Line 1:
 +
<BR>__TOC__<BR>
 
'''IMPORTANT DISCLAIMER: THIS LETTER IS NOT AN OFFICIAL OWASP POSITION. THE OWNERSHIP OF ITS REQUEST BELONGS TO THE NAMES UNDER THE 'SIGNED BY' SECTION'''
 
'''IMPORTANT DISCLAIMER: THIS LETTER IS NOT AN OFFICIAL OWASP POSITION. THE OWNERSHIP OF ITS REQUEST BELONGS TO THE NAMES UNDER THE 'SIGNED BY' SECTION'''
__NOEDIT__
+
<br/><br/>
 
+
{{:Summit_2011/Open_letter_to_WebAppSec_Tool_and_Services_vendors:_Release_your_schemas_and_allow_automation/Letter_Content}}
==To WebAppSec vendors==
+
<br/><br/>
This request is mainly focused on the commercial vendors of products and services of the following WebAppSec categories: Pen-testing, Code Review, BlackBox Scanning, WhiteBox Scanning and WAFs
+
==Signed by==
 
+
* Dinis Cruz - Application Security Consultant - Independent
Other software/services categories, including equivalent Open Source tools, are more than welcomed to participate.
+
* Sebastien Deleersnyder - Managing Technical Consultant - SAIT Zenitel
 +
* Alexander Meisel - CTO - art of defence
 +
* Sven Vetsch - Senior Security Tester - Dreamlab Technologies
 +
* Daniel Cuthbert - Assessment Manager - SensePost
 +
* Eoin Keary - EMEIA Attack & Penetration Senior Manager - Ernst & Young
 +
* Anurag Agarwal - Founder - MyAppSecurity
 +
* Zaki Akhmad - Security Analyst - indocisc
 +
* Sebastien Gioria - Head of Security and IT Audit - Groupe Y
 +
* Paolo Perego - Application Security Specialist - armoredcode.com
 +
* Steven van der Baan - Software Architect - Sogeti Nederland
 +
* Andres Andreu - CTO & Founder - neuroFuzz
 +
* Marinus Kuivenhoven - Sr. Security Specialist - Sogeti Nederland
 +
* James McGovern - Chief Security Architect - The Hartford
 +
* Antonio Parata - CTO - Euery
  
==Open Letter==
+
Please use the format: {Name - Role - Company}
{{:Summit_2011/Open_letter_to_WebAppSec_Tool_and_Services_vendors:_Release_your_schemas_and_allow_automation/Letter_Content}}
 
  
==Signed by==
+
==Vendors that agreed to provide some/all requested materials==
(please use the format: {Name - Role - Company}
+
* art of defence
 +
* WhiteHat:
 +
** provided PDF with sample XML files and API details
 +
** provided access to demo account to allow schema development and API tests
 +
* Veracode:
 +
** provided access to demo account to allow schema development and API tests
 +
* [http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP Zed Attack Proxy]
 +
** all code and report formats are (and will remain) open source
 +
** example reports to be supplied
 +
** undertake to enhance ZAP to integrate with other tools in as open and an effective a way as possible
  
* Dinis Cruz - Application Security Consultant - Independent
+
==Relevant initiatives ==
 +
* http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-nistir-7756_feb2011.pdf (NIST: CAESARS FrameworkExtension: An EnterpriseContinuous MonitoringTechnical ReferenceArchitecture (Draft))
 +
* Test suite/cases for C++ and Java http://samate.nist.gov/SRD/testsuite.php.

Latest revision as of 15:52, 31 March 2011



IMPORTANT DISCLAIMER: THIS LETTER IS NOT AN OFFICIAL OWASP POSITION. THE OWNERSHIP OF ITS REQUEST BELONGS TO THE NAMES UNDER THE 'SIGNED BY' SECTION

To WebAppSec vendors

This request is mainly focused on the commercial vendors of products and services of the following WebAppSec categories: Pen-testing, Code Review, BlackBox Scanning, WhiteBox Scanning and WAFs.

Other software/services categories, including equivalent Open Source tools, are more than welcomed to participate.

Open Letter


02/Feb/2010

Open letter to WebAppSec tool/services vendors: Release your schemas and allow automation

Dear vendor,

Although you provide a product or service that automates (as much as you can) the process of evaluating the security of a particular application, at the moment (Feb 2011) it is very hard to consume, consolidate, integrate and instrument your deliverables and technology.

Our industry (and clients) desperately need to move into a world where we are able to consolidate, analyse and present the results created by multiple tools/services. This would create a scenario where we (for example) are able to deliver to developers (as Unit Tests or Software-as-a-Service) 'complete and integrated' findings (i.e. security findings that contain both WhiteBox and BlackBox findings). We also need to be able to create WAF rules from the findings delivered, and must have the ability to integrate them with other technologies used through the Software Development LifeCycle (e.g. BugTracking, Change Control, Application Modelling/Design Tools, Threat Modelling tools, Knowledge-Base/ELearning solutions, etc...)

At the moment there are numerous companies and projects that are trying to achieve such integration (good luck on their endeavours), but we need an independent base we call all work from.

With this in mind, the following data and artifacts are requested from you and ALL product vendors in this space :

  • The XSD (schemas) for ALL released versions of your product/service (starting with the most recent release and going back as far as possible)
  • Sample XML files (or whatever format the data can be exported) of: vulnerable-by-design and Open Source web applications - To kickstart this process please deliver the results for the following applications:
  • Artifacts created during scanning (for example Internal representations of source code or web applications)
  • Rules used during the scans (to allow the replication of findings and the creation of a core 'industry wide' set of rules)
  • APIs that can be used to instrument and control your scanning engine (please provide as much documentation as possible on the currently supported ways to interact with your product)

With these materials (to be uploaded to a google code repository), the OWASP community will try to create the following standards (reusing as much as possible the great work done by others in this space (MITRE, CWE, NIST, OVAL, etc...):

  • Open Findings Schema
  • Open Rules Schema
  • Open Application Artifacts Schema (which could also be called: Open Scan Targets Schema)
  • Open Intermediate Representation Schema (abstraction layer of code and web assets)

The OWASP Summit 2011 represents a unique opportunity to make this happen, so please either provide the requested data yourselves, or allow your current clients to do so (without the thread of a lawsuit)

The undersigned below, urge you to join these effort and to active participate in this endeavour

Signed by

  • Dinis Cruz - Application Security Consultant - Independent
  • Sebastien Deleersnyder - Managing Technical Consultant - SAIT Zenitel
  • Alexander Meisel - CTO - art of defence
  • Sven Vetsch - Senior Security Tester - Dreamlab Technologies
  • Daniel Cuthbert - Assessment Manager - SensePost
  • Eoin Keary - EMEIA Attack & Penetration Senior Manager - Ernst & Young
  • Anurag Agarwal - Founder - MyAppSecurity
  • Zaki Akhmad - Security Analyst - indocisc
  • Sebastien Gioria - Head of Security and IT Audit - Groupe Y
  • Paolo Perego - Application Security Specialist - armoredcode.com
  • Steven van der Baan - Software Architect - Sogeti Nederland
  • Andres Andreu - CTO & Founder - neuroFuzz
  • Marinus Kuivenhoven - Sr. Security Specialist - Sogeti Nederland
  • James McGovern - Chief Security Architect - The Hartford
  • Antonio Parata - CTO - Euery

Please use the format: {Name - Role - Company}

Vendors that agreed to provide some/all requested materials

  • art of defence
  • WhiteHat:
    • provided PDF with sample XML files and API details
    • provided access to demo account to allow schema development and API tests
  • Veracode:
    • provided access to demo account to allow schema development and API tests
  • OWASP Zed Attack Proxy
    • all code and report formats are (and will remain) open source
    • example reports to be supplied
    • undertake to enhance ZAP to integrate with other tools in as open and an effective a way as possible

Relevant initiatives