[Owasp-testing] Template for the OWASP Testing Guide v3

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Tue May 27 15:46:29 EDT 2008


Careful there, I don't know if I got it right when I sent my first
email

I support mentioning that the tools exist in a tools list, but I don't
think it is a good idea to mention specific characteristics for testing
specific issues, especially if only that tool has the ability, as we
will be making people (or at least making them think they) depend on
buying commercial tools to do proper testing according to OWASP.

Sorry if I sent the wrong message initially.

Regards,
Juan Carlos Calderon


-----Original Message-----
From: kevin horvath [mailto:kevin.horvath at gmail.com] 
Sent: Tuesday, 27 May 2008 02:06 p.m.
To: Dave van Stein
Cc: Calderon, Juan Carlos (GE, Corporate, consultant); owasp-testing
Subject: Re: [Owasp-testing] Template for the OWASP Testing Guide v3

Thanks for the feedback.  I originally was just saying to not have any
mention of commercial tools so that users of the guide would not
potentially see OWASP as promoting a commercial tool and the potential
of being biased (such as naming HP's WebInspect but not AppScan, for
example).  If the group thinks we should include commercial tools then
we should also list the commercial tools separately from open source
ones in the subsection.  Also I think a quick disclaimer in the
beginning or appendix noting that OWASP does not endorse any commercial
tools, only that we make mention of tools that could aid in the testing
of an application.  As for giving the pros and cons of certain tools I
think that would be beyond the scope of the guide unless you were
referring to, for example, using the cookie analyzer within WebScarab
for speed or the Cookie Cruncher from HP for pretty graphs to be used
for inserting into reports (management likes pretty pics ;-).  But
listing the pros and cons of each tool would be pretty lengthy and
beyond scope.  Just my 2 cents.

Kevin

On Tue, May 27, 2008 at 2:42 PM, Dave van Stein <dvstein at gmail.com>
wrote:
> and I think we all agree that the commercial products have 1
> impressive property in common; the speed at which they can generate
> false positives...
> that is worth mentioning I reckon
>
> *grin*
>
> 2008/5/27 Calderon, Juan Carlos (GE, Corporate, consultant)
> <juan.calderon at ge.com>:
>>
>> Yeah definitely, very controversial
>>
>> Why not?
>> Vendors tend to use whatever they see to do marketing on their
>> product, so you should be 100%, 200% or 1000% sure to make clear that
>> OWASP is not endorsing their product in any way.
>>
>> Why yes?
>> to be unbiased, I think as well you should mention them, as there are
>> people willing to know what else is there beyond the open source
>> horizon.
>>
>> Note: you can always use a hard to read color and small font for 
>> commercial ones :P (just kidding)
>>
>> Regards,
>> Juan Carlos Calderon
>>
>> ________________________________
>> From: owasp-testing-bounces at lists.owasp.org
>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Daniel 
>> Cuthbert
>> Sent: Tuesday, 27 May 2008 11:20 a.m.
>> To: Dave van Stein
>> Cc: owasp-testing
>> Subject: Re: [Owasp-testing] Template for the OWASP Testing Guide v3
>>
>> as i said, shark infested waters :0)
>> On 27 May 2008, at 6:18 PM, Dave van Stein wrote:
>>
>> Or just not talk at all about pros and cons in the case of
>> commercial products?
>> we can always use their non-GNU status as an excuse :)
>>
>> 2008/5/27 Daniel Cuthbert <daniel.cuthbert at owasp.org>:
>>>
>>> Agreed but these are shark infested waters :) I never had any issues
>>> referencing them in previous versions, as long as we offer the pros
>>> and cons of both
>>>
>>> On 27 May 2008, at 6:03 PM, Dave van Stein wrote:
>>>
>>> Personally I think if we want to be absolutely unbiased we should
>>> mention commercial tools. Of course we do not have to go into
>>> details of what every tool is capable of, but if, for example, a
>>> chapter deals with automated vulnerability scanners, products of HP,
>>> IBM, Acunetix and others should at least be mentioned to exist.
>>>
>>> but, of course, that is just my opinion :)
>>>
>>> 2008/5/27 Matteo Meucci <matteo.meucci at gmail.com>:
>>>>
>>>> Hi Kevin,
>>>> sure we would not like to promote any commercial tools.
>>>> Do you mean to create 2 separate tool indexes? One for commercial 
>>>> and one for open source? We usually suggest only open source tools.
>>>> Look for example at the following:
>>>> https://www.owasp.org/index.php/Testing_for_SQL_Injection
>>>>
>>>> Mat
>>>>
>>>> On Tue, May 27, 2008 at 3:31 PM, kevin horvath 
>>>> <kevin.horvath at gmail.com>
>>>> wrote:
>>>> > Matt,
>>>> >
>>>> > The format looks good to me.  One suggestion is to change the
>>>> > "Tools" subsection to "Type of Tools" so that we are not seen as
>>>> > promoting any certain tools such as commercial type tools or
>>>> > open source tools which may have been backdoored.  For example we
>>>> > could say "Web proxy or browser plugin", unless OWASP has a tool
>>>> > for it, in which case it could go like this, "Web proxy such as
>>>> > WebScarab or a browser plug-in".
>>>> > Just want to make sure we are still seen as unbiased and not seen
>>>> > as promoting any commercial vendor.
>>>> >
>>>> >
>>>> > Kevin
>>>> >
>>>> > On Sun, May 25, 2008 at 6:46 PM, Matteo Meucci 
>>>> > <matteo.meucci at gmail.com> wrote:
>>>> >> Hi all,
>>>> >> Does the following template for each paragraph work for you?
>>>> >> https://www.owasp.org/index.php/Template_Paragraph_Testing_v3
>>>> >>
>>>> >> That is the old Template for the OWASP Testing Guide v2, I think
>>>> >> it should work also for this new version.
>>>> >>
>>>> >> Mat
>>>> >> _______________________________________________
>>>> >> Owasp-testing mailing list
>>>> >> Owasp-testing at lists.owasp.org
>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>> >>
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Matteo Meucci
>>>> OWASP-Italy Chair, CISSP, CISA
>>>> http://www.owasp.org/index.php/Italy
>>>> OWASP Testing Guide lead
>>>> http://www.owasp.org/index.php/Testing_Guide
>>>
>>>
>>
>>
>
>
>
>

