 
Q: On Open Web Application Security Project (Answered, 0 Comments)
Question  
Subject: On Open Web Application Security Project
Category: Computers > Security
Asked by: aloy61-ga
List Price: $5.00
Posted: 09 Aug 2002 19:03 PDT
Expires: 08 Sep 2002 19:03 PDT
Question ID: 52837
Hi,

Has anyone heard of the "Open Web Application Security Project" at
www.owasp.org?
Can anyone summarise the project, what it is? Is it useful?
I'm interested in the Web Scarab of OWASP. Can anyone summarise what
it is, what its progress is, and how useful it is?

Thanks
aloy

Request for Question Clarification by joseleon-ga on 10 Aug 2002 02:30 PDT
All the information you are looking for is on its web; do you want a resume?

Regards.
Answer  
Subject: Re: On Open Web Application Security Project
Answered By: politicalguru-ga on 10 Aug 2002 07:11 PDT
 
Dear Aloy, 

The "Open Web Application Security Project" (founded by Mark Curphey
in September 2001) seems like a very interesting project. The project
bases itself on volunteers and works in an open source environment and
Linux platforms. However, its aims are to enhance the security of new
developments and Web applications. It contains several different
projects regarding web and application security.

Regarding the motives to start these projects, Dave Wreski writes, "At
the time there was no central place where developers and security
professionals could learn how to build secure web applications or test
the security of their products. At the same time the commercial
marketplace for web application started to evolve. Certain vendors
were pedaling some significant marketing claims around products that
really only tested a small portion of the problems web applications
were facing; and service companies were marketing application security
testing that really left companies with a false sense of security"
(source: http://www.linuxsecurity.com/articles/projects_article-5192.html).

Because it is open source and based on volunteers, it is very easy
to divert it into a language which has enough volunteers, like
Russian, so there are explanations and projects in Russian, too
<http://owasp.securitylab.ru/>.

For example, they released a guide: "The Guide covers various web
application security topics from architecture to preventing attack
specifics like cross site scripting, cookie poisoning and SQL
injection" (http://online.securityfocus.com/archive/107/278687/2002-06-25/2002-07-01/0).

The Web Scarab <http://www.owasp.org/webscarab/> is one of the
components of OWASP. Linux Planet, probably based on OWASP press
releases, describes it as "a web application vulnerability scanner.
The tool will crawl a web site searching for potentially vulnerable
web applications and then dynamically build a set of security tests
for problems based on scenarios it finds. Types of problems will
include SQL Injection, Cross Site Scripting, Cookie Poisoning and
Parameter Tampering. The tool have an interactive proxy for manual
examination as well as using the VulnXML format for 1,000's of static
checks".

It is important to note that the Web Scarab has not been released yet
(it will be released by the end of next month, September 2002), in an
alpha, not clean of problems, version. In other words, concerning your
question on usefulness, it sounds great on paper and could be a *very*
useful tool (see a little about it in an article which reviews security
developments in general -
http://www.infoworld.com/articles/op/xml/02/03/18/020318opsecurity.xml).
The Web Scarab is based on volunteers. They can probably explain more
to you, and you can read their notes on the site as well as any
development. You can also read more about it here -
http://sourceforge.net/projects/webscarab/

There are also other projects and components of the OWASP. Others
include filters to sanitize malicious user input and output used in
attacks like SQL Injection or Cross Site Scripting; VulnXML, a project
developing a common format from which security researchers can
describe static vulnerabilities in web applications; Web Maven, an
intentionally insecure application that is used as an interactive
learning center - it is supposed to be released by the end of this
month (Aug. 2002); the guide mentioned before; Guide to Testing
Security of Web Applications and Web Services; and a collection of
Application Security Attack Components Common Language and
Definitions.

Information on the project: 
Linux Planet - http://www.linuxplanet.com/linuxplanet/reports/4332/1/
Linux Security - http://www.linuxsecurity.com/articles/projects_article-5192.html
Computer World - www.computerworld.com/securitytopics/security/story/0,10801,71800,00.html

Search strategy: 
"Web Scarab" 
"Mark Curphey" 
"Open Web Application Security Project"

I think that answered your questions. However, I'll be happy to answer
any clarification requests you might have before you rate the
question.
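The answer names the problem classes WebScarab was meant to test for (SQL injection, cross-site scripting, cookie poisoning, parameter tampering) and mentions OWASP filters that sanitize malicious input. The following is an added example, not code from OWASP, WebScarab or the answerer, showing the defensive side of each class with the Python standard library: a concatenated query beside its parameterised form, HTML output encoding, and an HMAC-signed cookie whose modification is detected. The SQLite table rows and the signing secret are constructed for the demonstration.

```python
"""Defensive handling for the problem classes the answer lists.
Added example, not OWASP or WebScarab code; standard library only."""
import hashlib
import hmac
import html
import sqlite3


def make_db():
    """Constructed in-memory table; one name contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user")])
    return conn


def lookup_role_unsafe(conn, name):
    """Builds the SQL by concatenation: the input becomes query text, so a
    legitimate apostrophe breaks the statement. SQL injection abuses exactly
    this mixing of data and query text."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = '" + name + "'").fetchone()
    return row[0] if row else None


def unsafe_lookup_breaks(conn, name):
    """True if the concatenated query cannot even be parsed for this name."""
    try:
        lookup_role_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_role_safe(conn, name):
    """Parameterised query: the name is bound as a value, never parsed as
    SQL, so quoting characters in it carry no SQL meaning."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def render_greeting(name):
    """Output encoding for an HTML context: markup in the name is rendered
    as inert text instead of being interpreted by the browser."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Hypothetical server-side secret; a real deployment loads it from config.
SECRET = b"constructed-demo-secret"


def sign_cookie(value):
    """Attach an HMAC tag so the server can detect a client-modified cookie."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify_cookie(cookie):
    """Return the value if the tag matches, else None (tampered or forged)."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    conn = make_db()
    print("unsafe lookup breaks on O'Brien:", unsafe_lookup_breaks(conn, "O'Brien"))
    print("safe lookup:", lookup_role_safe(conn, "O'Brien"))
    print(render_greeting("<b>guest</b>"))
    cookie = sign_cookie("role=user")
    print(verify_cookie(cookie), verify_cookie(cookie.replace("user", "admin")))
```

The unsafe lookup is shown failing on an ordinary name rather than on an attack string: the parse error on `O'Brien` is the same defect that injection exploits, and the parameterised version handles the name correctly for free. The signed cookie covers cookie poisoning and parameter tampering alike, since any client-side edit of the value invalidates the tag; `hmac.compare_digest` is used so the comparison does not leak timing information.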
Comments  
There are no comments at this time.
