OWASP Data Exchange Format Project
At the moment, exchanging data between pentest tools is far too difficult.
So ... the purpose of this project is to define a simple, open format for exchanging data between pentest tools!
Involvement is encouraged, so if you would like to contribute to this project then please join the mailing list and / or contact one of the project leaders.
There's also a Google Code project, http://code.google.com/p/owasp-def/, which we're using to store things like example formats used by pentest products. Contact Simon or Dinis to get commit access to this project.
The format must be open, and licensed so that it can be adopted by all products, whether open, closed, free or commercial.
It must be as simple to adopt as possible, and ideally based on existing open formats.
The high level roadmap is:
- Psiinon to document a strawman proposal
- All - rip the strawman to pieces and agree an improved format
- Finalize DEF v1.0
- Supporting project leaders to adopt the format in their tools
- Publicize and drive adoption in other tools
- Learn from our experiences and start on the next version, repeat ;)
This tab will document a strawman proposal for all concerned to rip to pieces :)
Rather than diving into the detail of the format, I think it's worth agreeing on some of the proposed characteristics of v1.0:
- The format will be JSON (to make it as simple as possible)
- Products can generate and/or consume DEF
- Products will be able to generate DEF via a defined REST interface and/or simple files - products can choose
- Products which consume DEF must support both REST and file options
- There will be minimal security (but REST-based services can limit access by IP address)
- The data model will cover: hosts, ports, sites (host:port), urls, issues, requests/responses
- Products can generate a subset of DEF; the level of support will be described in the DEF
The following project leaders have agreed to support this format and (once it has been agreed) adopt it within their projects.
If you would like your project added to this list then feel free to update it, or contact one of the project leaders to update it for you.
| Project | Project leader |
|---|---|
| Burp Suite | Dafydd Stuttard (PortSwigger) |
| O2 Platform | Dinis Cruz |
| Zed Attack Proxy | Simon Bennetts (Psiinon) |
| Yasca | Michael Scovetta (Scovetta) |