List,
w3af 1.0 is just around the corner, and I thought that a good way
to check if we've done things right was to check some old email I
sent on "Fri, Jul 4, 2008 at 11:15 PM", so... here it is:
On Fri, Jul 4, 2008 at 11:15 PM, Andres Riancho
<[email protected]> wrote:
> List,
>
> First of all, thanks to all the people who answered my email, it
> is really important for me to know what the community thinks about the
> project, and how I can improve it. To be honest, I sent this email to
> see the "bottom 3" results and start working on them, but I was also
> amazed by some answers to the "top 3" section =). Here is a small
> summary of what was said and what I think that we could do:
>
> I don't have much to say about the good things, most of them were the
> initial objectives of the project, and I'm glad that the community got
> the idea... so... these are the best things about w3af:
> - Architecture
> - Console user interface
> - GTK user interface
> - Lots of plugins
> - Cross platform
> - Free software
>
> Worst things about w3af:
> - *BUGS*: This was the most mentioned by far! I think that after
> all this time, if we still have a buggy project it's because I'm not
> careful enough when adding new code or reviewing others' code. The last
> couple of months I have been dedicating most of my time to the bug
> finding and fixing process and I'm sure this will pay off in the next
> release. I think that we should have something stable by September
> when we are going to release a new version. What can you guys do? If
> you want to help fixing bugs, please contact me or send a mail to the
> developers mailing list; or do something really easy: REPORT A BUG! We
> can't test w3af on every platform and target web application, but the
> whole community can, so please report your bugs and we'll fix them.
1.0 is a BIG step towards a clean and stable version with no bugs,
I've been working a lot on fixing bugs, and I'm starting to feel that
w3af is stable.
> - Reporting: I didn't think about this because as somebody else
> said: "I use w3af to see if I missed something in my manual tests".
> But I'll keep this in mind whenever I have some spare time to code a
> new output plugin.
Some steps have been taken in the right direction, for example the
rickybobby branch objective is to build a vulnerability reference for
each vulnerability found in w3af; which will then help a lot in
building reports. What we are missing is a good output plugin that
generates nice reports with graphs, and *long* descriptions for
vulnerabilities.
Maybe we can push this particular task to OWASP SoC?
> - Release schedule + please freeze: Having a release schedule is
> hard mostly because we have to release version X on date Y and I
> wouldn't feel comfortable with myself if I couldn't make it to the
> deadline. Maybe the future will be different, and w3af development
> will be much more stable and we can decide to schedule a release every
> 4 months or something. Related to the freeze, once again, this is kind
> of hard to do when the core developers aren't many; if I freeze a
> version and bugs are found, I'll need to fix the bug in the frozen
> version AND in the current version... (I don't like duplicated work)
> but I understand the need for this and it will be done in September.
We've frozen 1.0, and only bug fixes are applied to it.
The release schedule isn't really there, but at least we are releasing
more promiscuously.
> - Documentation: Nobody likes to write documentation, but if the
> project keeps growing we'll have to keep on writing documentation for
> it. The users guide is outdated but I think that in a few months it
> will be updated by Facundo when he adds the GTK Ui section to it.
The gtkUi documentation is pretty complete, and the console user
interface was updated and translated to French. The w3af plugin
writers guide is still in my TODO list :(
> - Pause a scan, turn off computer, start again: This is nearly
> impossible to do right; I tried... but it is really hard. So please do
> not hold your breath waiting for this feature.
Not going to be implemented in the short term.
> - Client server architecture: Once again, don't hold your breath
> waiting for this =) This is a feature that I didn't think about in
> the initial design, and adding it right now would be a huge task.
Not going to be implemented in the short term.
>
>
> So... to sum up, thanks for your opinions, we are going to be
> working on them in the next months and hopefully w3af will be a little
> better =) Thanks, and please report all your bugs =)
What do you guys think? How did w3af evolve during these months?
Cheers,
>
> Cheers,
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework
>
--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users