On 02/08/2011 05:15 AM, Taras wrote: > Hi, all! > > There are 2 ideas: > 1. What do you think about simple false-positive management in w3af? > For example, we can add capability to read list of regex patterns from > special file and test them against request before it will be reported. It can > be useful in automated usage (scan+reporting) of w3af.
This is a good idea, but I'm not sure blind regex is the way to do it. It might be better to give the user more info in the lists of issues and allow sorting by request time/delay/size/search term/HTTP status code/etc. Then it's easy to multi-select from that sorted list and right click or hit a menu entry to mark as false positive, confirmed, etc. Hmm.. I suppose the text interface could do the same by numbering sorted rows of findings and allow marking false positive, confirmed, etc by range. Those are just my ideas. BTW, most of my ideas are "be more like burp" ;-) Give the user as much feedback and tools as possible instead of trying to do magic in the background. There's too many corner cases in web app security to trust magic in the background yet ;-) > 2. Last days sf.net works too slowly and had been attacked. Don't you think > about migration to something like googlecode project hosting or even github? > > > With git server speed doesn't matter near as much. The server is a sync point, and for most of your work you never touch the server. When I'm working on Web Security Dojo (which is in git on SF) I only really need to interact with the server once a day or so for a quick sync over SSH. Everything else happens client side, so who cares what the speed of the server is? It pains me to wait for svn Git does SHA-1 signing of each changeset as the identifier, so it would be hard for an attacker to change the code without git screaming bloody murder when you try to pull from the server next time. If svn on SF is causing problems, I recommend git. Git on SF works fine for my usage, but github does have better collaboration features that make it easier to get contributions from non-core developers. Last time I was singing the praises of git, the the discussion stopped with: On 01/20/2011 01:56 PM, Andres Riancho wrote: > On Thu, Jan 20, 2011 at 1:03 PM, Steve Pinkham <steve.pink...@gmail.com> wrote: >> My main point is that if you're not branching for tool limitation >> reasons, perhaps it's time to re-evaluate your tools. ;-) > > Agreed! > >> Git(or hg) makes branching and merging so easy you'll do it all the >> time, and discover when it's useful in your methodology instead of >> having the "fear of merging" syndrome that svn inspires. This tends to >> lead to both more stability and innovation since it's simple to try out >> a new idea in a branch and merge it if it works out well. > > Agreed! > @Javier: you're going to be one of the most affected persons if we > change to git, any comments on this thread? So Javier, what's your take? Some excellent free git resources for the uninitiated: http://progit.org/book/ http://library.edgecase.com/git_immersion/index.html http://help.github.com/ http://peepcode.com/products/git (I'll buy this video for any of the core contributors if it would help) Moving off trac would be... Annoying and time consuming. ;-) If SF isn't a good choice for hosting, you can host trac yourself(then have to do your own backups, patches, etc) or there are free services like http://www.assembla.com/ that allow importing databases. Personally I doubt moving trac off of sourceforge would be worth it in the long run. I'd wait for a while until the pain gets higher before moving trac if it was me. -- | Steven Pinkham, Security Consultant | | http://www.mavensecurity.com | | GPG public key ID CD31CAFB |
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop