[Owasp-testing] Add new tools

Aung Khant aungkhant at yehg.net
Thu Sep 10 14:16:41 EDT 2009


Hi Paulo

No hesitation for such a cool project according to the list's feedback.
Let me start it when I become free from some workload.

The project is not tool-centric.

Tool centric for me means

- Hey this is Tool A - this is used for what A.

A tool-centric approach is never intelligent.

I make the project like a methodology-based or testing-based approach like
the Test Guide

- Hey here we go for web server testing - use the following tools - Tool A,
Tool B .... Tool Z

We're clear enough that adding long lists of tools to the Testing Guide is
inappropriate.

Useful tools are really really scattered across the web.

Again, this project is not a mere list of tools.

This will contain the screenshots/demo movies contributed by community for
the ease of followers.

Well, there will be a notice/disclaimer like "OWASP does not endorse any
tool .... "
Should I wait for the Committee decision?




Regards


On Fri, Sep 11, 2009 at 12:10 AM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:

>  Hello Projects Committee,
>
>
>
> Please see below this interesting thread. Does anybody want to step in?
> Interesting arguments are being exchanged and the question of creating a new
> project - OWASP Web Pentesting Tool Database Projects - is also being
> discussed.  As my 2 cents, I’d say that usually any proposal to create a new
> project is welcomed as long as it respects OWASP’s Principles
> http://www.owasp.org/index.php/About_OWASP.
>
> Thanks,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
>
>
> *From:* Dave van Stein [mailto:dvstein at gmail.com]
> *Sent:* Thursday, 10 September 2009 18:07
> *To:* Aung Khant
> *Cc:* Kevin Horvath; Paulo Coimbra; owasp-testing at lists.owasp.org
> *Subject:* Re: [Owasp-testing] Add new tools
>
>
>
> Hi Aung,
>
> I think creating an overview of testing tools is a good idea and the idea
> actually already has been proposed at the beginning of writing the Testing
> Guide v3.
> The reasons that it has not been included are the following:
>
> 1) OWASP wants to be as unbiased as possible and does not want to give the
> impression that the guide (or OWASP itself for that matter) endorses any
> tool or vendor
> 2) creating, and especially maintaining, such a list would require a
> tremendous amount of time and work and possibly many updates of the guide.
>
> The idea was also raised to create a separate database and make a reference
> to it in the guide, but for some reason (I can't remember, but I'm guessing
> time/effort) that never happened.
>
> I think resurrecting the idea for a tooling database is a good idea, but I
> am afraid that it will not have a long life ...
>
> Like I said getting and maintaining such a list would require a tremendous
> amount of work and I think it might be difficult finding enough people
> getting the job done.
> However, if you really want to give it a try, I'd say write a project plan
> and send it to OWASP (see
> http://www.owasp.org/index.php/How_to_Start_an_OWASP_Project for
> procedure).
> If the project starts, count me in; I am willing to spend a few hours a
> week.
>
> regards, Dave
>
>
> 2009/9/10 Aung Khant <aungkhant at yehg.net>
>
> Hi Kevin
>
> I can't agree with you more.
>
> I'm in no doubt that tools make our life a lot easier in some situations
> when
> manual testing is our default arsenal.
>
> As far as I'm concerned, such a tool project rarely interests folks
> and they usually underestimate such.
>
> One example is notable certification - CEH, which people have been saying
> - a collection of tools and their usage.
>
> Without tools, penetration testing will take a lot longer.
> Without methodology, penetration testing won't be complete and perfect.
>
> Should we start - OWASP Web Pentesting Tool Database Projects?
>
> I think we should. There is no such Distro designed for thorough web
> testing.
> BackTrack lists just a few web tools. So does Samurai.
> A big challenge is that we can't stick to one platform. Some tools are for
> Windows [Can't run with wine].
> Some for Linux. We have to use both.
>
> Some may point to me sites like http://www.security-database.com/.
> As far as I know, no single site is dedicated to app sec.
>
>
>
> On Thu, Sep 10, 2009 at 9:45 PM, Kevin Horvath <kevin.horvath at gmail.com>
> wrote:
>
> Hello Aung,
>
> The guide is about the methodology and some tools are given as an
> example of what can be used but by no means is meant to be all
> encompassing.  To have a list of tools that would be useful in app
> testing could be a separate project in itself that would need to be
> constantly updated.  Although I believe having a tool listing would be
> a nice project to have for all aspects of app testing I don't think
> that it should be part of this guide (IMHO).
>
>
> On Thu, Sep 10, 2009 at 11:06 AM, Aung Khant <aungkhant at yehg.net> wrote:
> > Hi Mat and List
> >
> > New web app test tools are developed from time to time.
> > Is it good to add new tools to the Guide wiki?
> >
> > Or does it introduce over redundancy?
> >
> > --
> > Best Regards
> > YGN Ethical Hacker Group
> > http://yehg.net
> >
>
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> >
>
>
>
>  --
>
> Best Regards
> YGN Ethical Hacker Group
> http://yehg.net
>
>
>
>
>



-- 
Best Regards
YGN Ethical Hacker Group
http://yehg.net