Saturday, 13 September 2014

OWTF 1.0 "Lionheart": Call for testers + GSoC Poll

Call for testers

OWTF 1.0 "Lionheart" is inminent, PLEASE help us:
1) Testing the bleeding edge branch here: https://github.com/owtf/owtf/tree/lions_2014
2) Reporting bugs here: https://github.com/owtf/owtf/issues 

-other options: tutorials, demos, documentation, ideas, suggestions, bug fixes and any other form of contribution you can think of :)-

How to get started:

OWASP OWTF GSoC 2014 Student participation poll


In a similar fashion to what we did last year, in the scientific spirit of “observe and record” a poll was run among GSoC participants that submitted or showed interest to participate in the GSoC for OWASP OWTF.

Poll format



The poll was based on the following questions:

CASE 1) IF you submitted something for OWTF this year, could you please
answer the following question?

What made you submit a proposal for OWASP OWTF? (i.e. as opposed to
other OWASP projects and/or organisations)

CASE 2) IF you decided *NOT* to submit for OWTF this year, could you
please answer the following question?

What made you NOT submit a proposal for OWASP OWTF?

Poll answers - CASE 1) Students who submitted


NOTE: I have only redacted what could identify the student and/or project.

Student 1 - OWTF is written in Python, which is a one of prog. languages I love and is all about Infosec. OWTF is all about automating boring, but rewarding work in pentesting. Lastly, there is heavy active development in the project compared to others.



Student 2 - I have successfully submitted a Proposal to OWASP OWTF *only* because of your support. Initially when I contacted you, I was thinking that I am too late to do a GSoC. My primary aim was to do a *good project* under a really helpful *Mentor* so that I can increase my skills under his guidance. Luckily for me, I got a chance to talk with you and I must say that made a significant difference. After started talking to you, within a week, I was confident that I can do a GSoC (or at-least a good project) with you. That motivated me to submit a proposal for OWTF. -redacted-. Thank you so much for helping me out.

Also even if I didn't get into GSoC, I am planning to complete the project which I have started. I am hoping to start working on it from -redacted-. I love to work, with you as my mentor. Also, I need your valuable suggestion on my project -redacted- so that I can make it a good project (since you are very experienced, I hope you can give some tips).

As tunnelshade said : *You are a project leader which every project must have ;)  *. That's one statement I completely agree.



Student 3 - Because I am familiar with OWTF, and its because a raising project that seems have a brilliant future



Student 4 - Case 1) I submitted to OWASP OWTF because I met my interests: a project related to security, networking, Python or C language. I saw OWASP ZAP 2 or 3 days before OWTF, I was impressed, that an open source project has such great success and is used by a lot of pen-testers, security specialists, programmers. So, I decided to search more about OWASP and its projects, this way I found OWTF and an important step to begin working on proposal was fast and clear response from Abraham Aranguren, thank you Abraham! Before my research for proposal, I knew basic concepts about proxy servers, present technologies in information security, thus OWTF project became an incentive to study more about. Thank you very much OWASP team, for all that you are doing!



Student 5 - What made me submit a proposal was that the project aligned with my skills and helped me grow. Plus the mentors were more supportive than any other org I had interacted with :)



Student 6 - I submitted a project proposal for OWTF because I have been part of OWTF from last -redacted- and my major aim from the beginning was to pick one project (and it was OWTF) and work for it.Honestly, initially when I decided working on OWTF, it was completely a random decision . I just wanted a project in python with few contributors. I asked around, in OWASP mailing list, and gradually Samantha and Fabio suggested me this one. And there I came in contact with Abraham Aranguren, that was the most amazing thing that happened to me. His continuous guidance, motivation and quick responses made me stick with the OWTF project.
I am glad I made that choice :)



Student 7 - Well, I guess this is not the right time for me to answer this question. But to be honest, the reply that I got from you(Compared to other OWASP mentors) after I dropped my first mail in the OWASP mailing list was my motivation to submit proposal to OWTF. Though there are a lot to tell, lot to work on and a way to go but still...



Student 8 - I have a passion for security ever since I have been into it. I started working more on it when I joined my college for undergraduate course. Since then, I have had a good platform to do more research on it. I started playing CTFs as member of team -redacted-. I have great interest in web application security and reverse engineering obfuscated codes.

What I always wanted when I played CTFs was task automation, especially in attack-defence ( service based ) CTFs involving real-time attacks. Python was the best language I found for this, which has heavy modules support (including third party) and, simplicity and efficiency in data handling. I use it for automating blob vulnerabilities over the network against all insecure opponents.

I also wanted to do work on a security project and I believe that doing GSoC would be the best immediate way to actively work on an existing project. In the long run, I would like to keep contributing to Open Source projects outside GSoC too.

Taking all these into consideration, OWTF turned out to be the security project I want to work on. This could be the chance of working on a big Open Source Project. When I started working on it, I came to know more technical details and got really interested and confidant. This motivated me in totally focusing totally on OWASP OWTF.

The mentors in this project are sincerely motivating us at every stage and are happy to help. I am sure that they will be a great source of motivation for all those who work with them.

I am doing GSoC just for gaining experience, it is definitely going to amp up my skills and confidence. But my long term intention is to work on the project beyond GSoC and be a part of it for long enough. And I am interested in this project.
If at all I would have not chosen to work on OWTF, it would be just because I was not lucky enough to notice how relevant this project is to what I do.



Student 9 - Before the GSoC organizations list was released, I was thinking about applying
for a HoneyNet project. When I learned that, this year, this organization was
not selected, I changed my plan.
First of all, I have downloaded the GSoC organizations list and searched for
the Python and security keywords.
Why these keywords? Well, I have been using the Python language for a couple of
years now and it is the language, along with the C one, that I feel the more
confident about. Then security because I am fond of security since a long time
now.
After applying the filter, several organizations appeared.
Among them, the TOR foundation and the OWASP organization. While looking at
the two organizations’ projects list, I found OWTF, which gathered both
criteria.
Furthermore, I have spent the last six months working in the security service
of -redacted- where I discovered what the work of pentesters was
about. I have learned about the deadlines during which the pentesters had to
accomplish their work and I was surprised about how short they were.
As a conclusion, I have found a great interest in the OWTF which aims to
accomplish the information gathering step that pentesters have to accomplish
before doing further investigations. That way, the pentesters will be more
efficient while doing their work.
All together, I have contacted the mentor of the OWASP OWTF project, Abraham
Aranguren, in order to get started on the project.
In order to sum up my answer, I have applied to work on the OWASP OWTF project
because:
  • It is written in Python
  • It is about security
  • It aims to solve a problem I feel concerned about
PS: I am not sure if it is related but the project name if OWTF like “Oh WTF!”,
which sounds awesome!



Student 10 - I have submit a proposal to OWTF because of the following reasons:
- I Like this project.
- I had contribute to OWTF in the past and this makes me to like this project even more.
- The community R0cKs!
- I am using this program in my work (internship), so I want to help to make it even better.

I didn't choose another project from OWASP because I am not as familiar as OWTF and also i wanted to focus 100% to one project for higher chances of acceptance.

Poll answers - CASE 2) Students who did NOT submit

NOTE: I have only redacted what could identify the student and/or project.

Student 1 - I'm on the second case. I couldn't submit a proposal this year because I didn't have time to write it (because of studies, work, etc.) and I won't be able to work in a GSoC project during the summer. Despite of that, I found you emails really encouraging, and I think it is a good way of motivating the GSoC candidates, so keep doing it.



Student 2 - I decided not to submit for OWTF this year. I had initially chosen 3 organizations to submit a gsoc proposal (OWTF being one of them). But due to shortage of time, I decided to focus on only 1, to increase my chances of getting selected.



Student 3 - well i was very interested to learn pentesting but there are many resources on internet for learning(actually confusing) but owtf combines the best tools so obviously we are going to learn the best ones and gives us a chance to  excel in this field without wasting time  and it is written in PYTHON



Student 4 - Sorry I wasn't able to submit! For your poll, I am definitely a case 2 - I got other offers for work over the summer and decided I wanted to spend my time working for a company this summer instead of doing GSoC. I would still like to contribute to OWTF however! If no one picks up the boilerplate/scripting project for GSoC, is there any way I can still work on it? The topic still really interests me, and I would love to put work into on my own time if I can. Let me know what you think! :)



Student 5 - I am part of case 2 where I couldn't submit the proposal for OWASP OWTF this year. I was determined to submit my proposal but due to lack of time since I am new and got to know about the program late, I couldn't submit the proposal. I thank you for helping me out and supporting me even in the 11 th hour which most wouldn't have done.