[Owasp-testing] Add new tools

Dave van Stein dvstein at gmail.com
Thu Sep 10 13:06:37 EDT 2009


Hi Aung,

I think creating an overview of testing tools is a good idea and the idea
actually already has been proposed at the beginning of writing the Testing
Guide v3.
The reasons that it has not been included are the following:

1) OWASP wants to be as unbiased as possible and does not want to give the
impression that the guide (or OWASP itself for that matter) endorses any
tool or vendor
2) creating, and especially maintaining, such a list would require a
tremendous amount of time and work and possibly many updates of the guide.

The idea was also raised to create a separate database and make a reference
to it in the guide, but for some reason (I can't remember, but I'm guessing
time/effort) that never happened.

I think resurrecting the idea for a tooling database is a good idea, but I
am afraid that it will not have a long life ...

Like I said, getting and maintaining such a list would require a tremendous
amount of work and I think it might be difficult finding enough people
getting the job done.
However, if you really want to give it a try, I'd say write a project plan
and send it to OWASP (see
http://www.owasp.org/index.php/How_to_Start_an_OWASP_Project for procedure).
If the project starts, count me in; I am willing to spend a few hours a
week.

regards, Dave


2009/9/10 Aung Khant <aungkhant at yehg.net>

> Hi Kevin
>
> I can't agree with you more.
>
> I'm in no doubt that tools make our life a lot easier in some situations
> when manual testing is our default arsenal.
>
> As far as I'm concerned, such a tool project rarely interests folks
> and they usually underestimate such.
>
> One example is notable certification - CEH, which people have been saying
> - a collection of tools and their usage.
>
> Without tools, penetration testing will take a lot longer.
> Without methodology, penetration testing won't be complete and perfect.
>
> Should we start - OWASP Web Pentesting Tool Database Projects?
>
> I think we should. There is no such Distro designed for thorough web
> testing.
> BackTrack lists just a few of web tools. Either does Samurai.
> A big challenge is that we can't stick to one platform. Some tools are for
> Windows [Can't run with wine].
> Some for Linux. We have to use both.
>
> Some may point to me sites like http://www.security-database.com/.
> As far as I know, no single site is dedicated to app sec.
>
>
> On Thu, Sep 10, 2009 at 9:45 PM, Kevin Horvath <kevin.horvath at gmail.com> wrote:
>
>> Hello Aung,
>>
>> The guide is about the methodology and some tools are given as an
>> example of what can be used but in no means is meant to be all
>> encompassing.  To have a list of tools that would be useful in app
>> testing could be a separate project in itself that would need to be
>> constantly updated.  Although I believe having a tool listing would be
>> a nice project to have for all aspects of app testing I don't think
>> that it should be part of this guide (IMHO).
>>
>> On Thu, Sep 10, 2009 at 11:06 AM, Aung Khant <aungkhant at yehg.net> wrote:
>> > Hi Mat and List
>> >
>> > New web app test tools are developed from time to time.
>> > Is it good to add new tools to the Guide wiki?
>> >
>> > Or does it introduce over redundancy?
>> >
>> > --
>> > Best Regards
>> > YGN Ethical Hacker Group
>> > http://yehg.net
>> >
>> > _______________________________________________
>> > Owasp-testing mailing list
>> > Owasp-testing at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >
>> >
>>
>
>
>
> --
> Best Regards
> YGN Ethical Hacker Group
> http://yehg.net
>