[Owasp-leaders] A neutral Benchmark
johanna curiel curiel
johanna.curiel at owasp.org
Fri Nov 27 22:16:27 UTC 2015
>>I don't have licenses to any of these tools and so far, no one has stepped
up and offered to run any of these tools against the Benchmark.
I think that the Contrast marketing campaign hurt the participation of a
promising project before it could take off.
For every specific XML output report, you need to create a parser in order
to produce the reports. Without their collaboration or people with licences
to test, you won't get their input.
As a neutral party with no conflict of interest in this project, I think
we can request licenses from these vendors and, with the participation of
other volunteers that have no commercial ulterior motives in this, test them. I have
added Ali Ramzoo, who is also part of the OWASP Research initiative.
We could indeed:
- Promote that the project is under a neutral research initiative
- Ask for licenses,
- Deploy them in a VM we can all have access to
- Verify if the tools can produce an XML output report (if not you
- Discuss with them our findings privately before publishing our findings
- We also have to be very conscious that if the XML report does not
contain all the findings of their tool (as is the case with ZAP and fuzzing),
then we need to mention this very clearly. Otherwise you can hurt the reputation
of the tool.
This is how I can help this project and try to create a neutral, clean view
of a tool which I believe has potential, but it needs to shake off all the
publicity around Contrast.