[OWASP-TESTING] Testing Project: Phase II
dan at denimgroup.com
Tue Jan 18 08:46:28 EST 2005
> there was a fair amount of talk about adding tools such as
> nikto/nmap and nessus to this document previously, but im
> happy to open it up again
> nikto does have some good points and with ver 2 in
> development, yeah i can see it needing to be in there.
I am less familiar with Nikto, but we use Nessus extensively and we have
found that it has a good deal of overlap (for web application deployment
configuration management) with some of the expensive and proprietary
tools like Kavado in that it does checks for some versioning and
configuration issues for web servers (default apps, IIS .dlls available,
For the purposes of the OWASP testing guide I would imagine that ports
80 and 443 would be the dividing line between the output we "care" about
from tools like Nessus, Nikto and nmap. I suppose there are
recommendations that go beyond that (don't run mail from the same server
that you run web from, etc) but that would put the guide on a slippery
slope that will probably outpace the community's ability to develop and
maintain relevant content. Also, in-depth host-level security
recommendations should be readily available from other sources.
> For a list which has over 70 people subscribed, its pretty
> silent in here?
That's a fair estimation. This is my first post and I've been lurking
for a while...
So in the interest of putting my money(time) where my mouth is I will
volunteer to write a "Using Nessus for Application Security Testing"
section for the Part II Testing Guide. My caveat is that my schedule is
a complete disaster until mid February, so I probably won't have it
finished until late/end of February. As long as that works for everyone
I will put this in my calendar.
More information about the Owasp-testing