[Owasp-testing] Add new tools

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Mon Sep 21 09:52:45 EDT 2009


Hello Guys

Here are a few challenges and proposed solutions, as I thought about this in
the past for OWASP.

Every time I see a tool list my first question is "which of these
(regardless of license) is best?". I am a lazy person and wonder this so
I don't have to spend lots of time with the ones in very early stages or
with very limited scope. And that question is the one OWASP cannot
answer without falling into "preferring" (no matter how big, colorful and
blinking the disclaimer is) a specific tool. To solve this problem I
recommend you not only list the tool, but link to sites with reviews of
that tool.

Notice that regardless of how useful one is over another we should
always list them alphabetically or in any other "democratic" way without
taking those reviews into consideration. People will tend to add their
old, clunky or to-be tool to the list in an attempt to catch attention
and there is nothing you can do to remove them. But at least having
reviews from other independent sources will set them apart since it is
fairly hard for them to have any.

The idea is to not allow the list to be too big and cluttered with useless
or partially working tools, or it will be easily dismissed.

Mentioning the license is fine, but do not use that as a category; use
the tool type instead (port scanner, sniffer, App Firewall, etc.). I mean
putting that information in a table as the license type is fine, but
do not put it as a header before the actual list or you will tend to
have "Commercial" before "Open Source". But if the tools are listed
alphabetically and the license is mentioned in a column, then maybe you
have a good mixture to avoid any appearance of biasing the list (I know
it is not the objective).

Having a table is also a good idea as it allows you to show much more
information like the technologies and platforms supported, the version
and release level (Alpha, Beta, RC, production) and much more.

One final one: specialize the list, that is, make sure you focus
exclusively on tools for web applications, as there are hundreds of tools
for network security and you will end up being just another security tools
list on the net.

Good luck, I hope it helps,
Juan C Calderon

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Pavol Luptak
Sent: Sunday, 20 September 2009 04:11 p.m.
To: dinis cruz
Cc: Paulo Coimbra; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Add new tools

On Sun, Sep 20, 2009 at 10:05:12PM +0100, dinis cruz wrote:
>    This information on tools is valuable to our community, the challenge is
>    to do it in a way that we keep our 'vendor independence'

For this reason I think we should distinguish between opensource and
commercial tools (maybe prefer opensource tools).

Pavol
--
Pavol Luptak, CISSP, CEH
OWASP Slovakia chapter leader
http://www.owasp.org/index.php/Slovakia