[Owasp-leaders] A neutral Benchmark

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 27 22:16:27 UTC 2015

Hi Dave

>>I don't have licenses to any of these tools and so far, no one has stepped
up and offered to run any of these tools against the Benchmark.

I think that the Contrast marketing campaign hurt the participation of a
promising project before it could take off.

For every specific XML output report, you need to create a parser in order
to produce the reports. Without their collaboration or people with licences
to test, you won't get their input.

As a neutral party with no conflict of interests in this project, I think
we can request licenses to these vendors and with the participation of
other volunteers that have no commercial ulterior motives to this. I have
added Ali Ramzoo, who is also part of the OWASP Research initiative.

We could indeed:

   - Promote that the project is under a neutral research initiative
   - Ask for licenses,
   - Deploy them in a VM we can all have access to
   - Verify if the tools can produce an XML output report (if not, you
   cannot parse)
   - Discuss with them our findings privately before publishing our findings
   - We also have to be very conscious that if the XML report does not
   contain all the findings in their tool (as in the case of ZAP with Fuzzing),
   then we need to mention this very clearly. Otherwise you can hurt the
   reputation of the tool.

This is how I can help this project and try to create a neutral, clean view
of a tool which I believe has potential, but it needs to shake off all the
publicity around Contrast.

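An added example (not code from the thread, nor from the OWASP Benchmark project) of the kind of per-tool parser the message describes: it reads a constructed scanner report in a hypothetical XML layout, maps each finding to a Benchmark test case, scores it against a constructed expected-results CSV in the Benchmark's style (true positive rate minus false positive rate), and also counts the test cases the report never mentions at all, which is the gap the last bullet warns must be stated clearly. The XML schema, file paths and CSV columns are assumptions.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample report in a hypothetical scanner XML layout (not any vendor's real schema).
SAMPLE_REPORT = """<?xml version="1.0"?>
<report tool="ExampleScanner">
  <finding cwe="89" file="src/org/owasp/benchmark/testcode/BenchmarkTest00001.java"/>
  <finding cwe="79" file="src/org/owasp/benchmark/testcode/BenchmarkTest00002.java"/>
  <finding cwe="89" file="src/org/owasp/benchmark/testcode/BenchmarkTest00003.java"/>
</report>"""

# Constructed expected-results rows (the real Benchmark ships a similar CSV; these values are made up).
EXPECTED_CSV = """test name,category,cwe,real vulnerability
BenchmarkTest00001,sqli,89,true
BenchmarkTest00002,xss,79,false
BenchmarkTest00003,sqli,89,true
BenchmarkTest00004,sqli,89,true
BenchmarkTest00005,xss,79,false
"""

TEST_NAME = re.compile(r"(BenchmarkTest\d{5})")


def parse_report(xml_text):
    """Map each Benchmark test case named in the report to the set of CWE ids reported for it."""
    found = {}
    for finding in ET.fromstring(xml_text).iter("finding"):
        match = TEST_NAME.search(finding.get("file", ""))
        if match:  # findings outside the Benchmark test code are ignored
            found.setdefault(match.group(1), set()).add(int(finding.get("cwe")))
    return found


def score(xml_text, expected_csv):
    """Benchmark-style scorecard: TPR minus FPR, plus the number of test cases the report never mentions."""
    found = parse_report(xml_text)
    tp = fp = tn = fn = unmentioned = 0
    for row in csv.DictReader(io.StringIO(expected_csv)):
        name, real = row["test name"], row["real vulnerability"] == "true"
        if name not in found:
            unmentioned += 1  # silent gap: the tool or its XML export may not have covered this case
        hit = int(row["cwe"]) in found.get(name, set())
        if real:
            tp, fn = tp + hit, fn + (not hit)
        else:
            fp, tn = fp + hit, tn + (not hit)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn, "tpr": tpr, "fpr": fpr, "score": tpr - fpr, "unmentioned": unmentioned}
```

A real per-vendor parser differs only in `parse_report`; the scoring and the "unmentioned" count stay the same, so the latter can be published alongside the score to show how complete the XML export was.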
