[Owasp-testing] [GPC] Add new tools

Aung Khant aungkhant at yehg.net
Thu Sep 10 15:10:26 EDT 2009


Matt,

Thanks for the links.
I've known them for ages and added some tools to the Phoenix list.
Still I feel something is missing.



On Fri, Sep 11, 2009 at 12:57 AM, Matt Tesauro <mtesauro at gmail.com> wrote:

> Aung,
>
>    Someone else had a similar idea and asked a few questions of the GPC
> a while back.  Here's what I told them:  (for context, I was speaking
> about when I did the initial SoC release of the OWASP Live CD.)
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>      Actually, I threw up a wiki as an online scratch space while I was
> working on the SoC release.  It was not on the OWASP wiki but it is
> using the same wiki software so the wiki 'source' could be migrated by
> copy & paste.  The list of stuff is broken into 3 separate lists.  You
> find all three linked here:
> http://mtesauro.com/livecd/index.php?title=Potential_Tool_List
>
> The three lists are:
>   1. Tools listed in the OWASP Testing Guide v2 (70 tools)
>   2. Other potential tools that I know, use, like, etc (51 tools)
>   3. Tools from the Phoenix Tools list on the OWASP site (210 tools)
>
> You might compare the data I captured with what's in your roadmap to see
> if there are any things that might be useful to add to your roadmap.
> One useful thing would be to list tools in the OWASP Testing Guide (I've
> got v2 but v3 has been released since I created the lists)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> That list is there and I've not had a chance to do more with it so feel
> free to use it if it helps.  It lists things like what the tool is
> written in, its license, etc.
>
> -
> -- Matt Tesauro
> OWASP Live CD Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Thu, 2009-09-10 at 19:22 +0100, Paulo Coimbra wrote:
> > It’s perfect to me! I’ll be waiting for more news. Do not hesitate and
> > get back to me if you think I can be of any assistance.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Paulo Coimbra,
> >
> > OWASP Project Manager
> >
> >
> >
> > From: Aung Khant [mailto:aungkhant at yehg.net]
> > Sent: Thursday, 10 September 2009 19:17
> > To: paulo.coimbra at owasp.org; owasp-testing at lists.owasp.org
> > Cc: Global Projects Committee
> > Subject: Re: [Owasp-testing] Add new tools
> >
> >
> >
> >
> > Hi Paulo
> >
> > No hesitation for such a cool project according to the list's
> > feedback.
> > Let me start it when I become free from some workload.
> >
> > The project is not tool-centric.
> >
> > Tool centric for me means
> >
> > - Hey this is Tool A - this is used for what A.
> >
> > Tool centric approach is never intelligent.
> >
> > I make the project like methodology-based or testing-based approach
> > like the Test Guide
> >
> > - Hey here we go for web server testing - use the following tools -
> > Tool A, Tool B .... Tool Z
> >
> > We're clear enough that adding long lists of tools to the Testing
> > Guide is inappropriate.
> >
> > Useful tools are really really scattered across the web.
> >
> > Again, this project is not a mere list of tools.
> >
> > This will contain the screenshots/demo movies contributed by community
> > for the ease of
> > followers.
> >
> > Well, there will be a notice/disclaimer like "OWASP does not endorse
> > any tool .... "
> > Should I wait for the Committee decision?
> >
> >
> >
> >
> > Regards
> >
> >
> >
> > On Fri, Sep 11, 2009 at 12:10 AM, Paulo Coimbra
> > <paulo.coimbra at owasp.org> wrote:
> >
> > Hello Projects Committee,
> >
> >
> >
> > Please see below this interesting thread. Does anybody want to step
> > in? Interesting arguments are being exchanged and the question of
> > creating a new project - OWASP Web Pentesting Tool Database Projects -
> > is also being discussed.  As my 2 cents, I’d say that usually any
> > proposal to create a new project is welcomed as long as it respects
> > OWASP’s Principles http://www.owasp.org/index.php/About_OWASP.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > Paulo Coimbra,
> >
> > OWASP Project Manager
> >
> >
> >
> > From: Dave van Stein [mailto:dvstein at gmail.com]
> > Sent: Thursday, 10 September 2009 18:07
> > To: Aung Khant
> > Cc: Kevin Horvath; Paulo Coimbra; owasp-testing at lists.owasp.org
> > Subject: Re: [Owasp-testing] Add new tools
> >
> >
> >
> >
> > Hi Aung,
> >
> > I think creating an overview of testing tools is a good idea and the
> > idea actually already has been proposed at the beginning of writing
> > the Testing Guide v3.
> > The reasons that it has not been included are the following:
> >
> > 1) OWASP wants to be as unbiased as possible and does not want to give
> > the impression that the guide (or OWASP itself for that matter)
> > endorses any tool or vendor
> > 2) creating, and especially maintaining, such a list would require a
> > tremendous amount of time and work and possibly many updates of the
> > guide.
> >
> > The idea was also raised to create a separate database and make a
> > reference to it in the guide, but for some reason (I can't remember,
> > but I'm guessing time/effort) that never happened.
> >
> > I think resurrecting the idea for a tooling database is a good idea,
> > but I am afraid that it will not have a long life ...
> >
> > Like I said getting and maintaining such a list would require a
> > tremendous amount of work and I think it might be difficult finding
> > enough people getting the job done.
> > However, if you really want to give it a try, I'd say write a project
> > plan and send it to OWASP (see
> > http://www.owasp.org/index.php/How_to_Start_an_OWASP_Project for
> > procedure).
> > If the project starts, count me in;  I am willing to spend a few hours
> > a week.
> >
> > regards, Dave
> >
> >
> > 2009/9/10 Aung Khant <aungkhant at yehg.net>
> >
> > Hi Kevin
> >
> > I can't agree with you more.
> >
> > I'm in no doubt that tools make our life a lot easier in some
> > situations when
> > manual testing is our default arsenal.
> >
> > As far as I'm concerned, such a tool project rarely interests folks
> > and they usually underestimate such.
> >
> > One example is notable certification - CEH, which people have been
> > saying
> > - a collection of tools and their usage.
> >
> > Without tools, penetration testing will take a lot longer.
> > Without methodology, penetration testing won't be complete and
> > perfect.
> >
> > Should we start - OWASP Web Pentesting Tool Database Projects?
> >
> > I think we should. There is no such Distro designed for thorough web
> > testing.
> > BackTrack lists just a few web tools. So does Samurai.
> > A big challenge is that we can't stick to one platform. Some tools are
> > for Windows [Can't run with wine].
> > Some for Linux. We have to use both.
> >
> > Some may point to me sites like http://www.security-database.com/.
> > As far as I know, no single site is dedicated to app sec.
> >
> >
> >
> > On Thu, Sep 10, 2009 at 9:45 PM, Kevin Horvath
> > <kevin.horvath at gmail.com> wrote:
> >
> > Hello Aung,
> >
> > The guide is about the methodology and some tools are given as an
> > example of what can be used but by no means is meant to be
> > all-encompassing.  To have a list of tools that would be useful in app
> > testing could be a separate project in itself that would need to be
> > constantly updated.  Although I believe having a tool listing would be
> > a nice project to have for all aspects of app testing, I don't think
> > that it should be part of this guide (IMHO).
> >
> >
> > On Thu, Sep 10, 2009 at 11:06 AM, Aung Khant <aungkhant at yehg.net>
> > wrote:
> > > Hi Matt and List
> > >
> > > New web app test tools are developed from time to time.
> > > Is it good to add new tools to the Guide wiki?
> > >
> > > Or does it introduce over redundancy?
> > >
> > > --
> > > Best Regards
> > > YGN Ethical Hacker Group
> > > http://yehg.net
> > >
> >
> >
> > > _______________________________________________
> > > Owasp-testing mailing list
> > > Owasp-testing at lists.owasp.org
> > > https://lists.owasp.org/mailman/listinfo/owasp-testing
> > >
> > >
> >
> >
> >
> >
> > --
> >
> > Best Regards
> > YGN Ethical Hacker Group
> > http://yehg.net
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > Best Regards
> > YGN Ethical Hacker Group
> > http://yehg.net
> >
> >
> > _______________________________________________
> > Global-projects-committee mailing list
> > Global-projects-committee at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/global-projects-committee
>
>


-- 
Best Regards
YGN Ethical Hacker Group
http://yehg.net