[Owasp-testing] New tool for OWASP-CM-001

Raul Siles raul.siles at gmail.com
Fri May 27 14:06:39 EDT 2011

Hi Rick,
Thanks for the OWASP guidance. I was already on the mailing-list, had
a Wiki account, and saw the v4 related threads this April, so we are
ready to go.

As this has been directly moved to the mailing list, I'm fine with
whatever the community decides:
a) I can replace Example 5 with the new tool (as it is a kind of
improved version of it).
b) I can add Example 6 covering the new tool.

Please let me know what you prefer (read below to make up your mind).

The tool, called TLSSLed, is a bash script based on sslscan and
openssl, and is inspired by ssl_test.sh (yes, I meant ssl_test.sh and
not ssl_check.sh :( from Example 5 at [0]). IMHO, it doesn't have
enough entity to become a project in itself on one of the open-source
code repositories, so I have put it on our lab page, under "Tools":

Comments, suggestions, new tests, and improvements are more than welcome!

The related blog post covering the tool's purpose is available at:

Raul Siles - www.raulsiles.com
Founder & Senior Security Analyst
Taddong (www.taddong.com)

[0] https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

On Fri, May 27, 2011 at 2:15 PM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> Hi Raul, OWASP is an open project. Feel free to sign-up for the wiki (https://www.owasp.org/index.php/Special:RequestAccount) and make edits/additions yourself. You should also join the mailing list(s) so that you're in the loop on the latest happenings (https://lists.owasp.org/mailman/listinfo). You should also know that things are ramping up to start work on version 4 of the Testing Guide so you should consider editing/adding content for that release.
> If you're trying to get info out about your new tool your best bet is likely to post an announcement to the testing list (https://lists.owasp.org/mailman/listinfo/owasp-testing) and host the tool on sourceforge, googlecode, assembla, github, etc so that people can easily submit bugs/tickets and enhancement requests, get documentation and support, and find the latest version.
> Looking at the page you mentioned I don't actually see any reference to ssl_check.sh, maybe you meant ssl_test.sh. Anyway I'm not sure how others feel but at this point I don't think we (or you) should remove any content (or tool references/examples) from v3, if you want to add in alternative checks using your tool that's probably best (in my opinion).
> Rick
> -----Original Message-----
> From: Raul Siles [mailto:raul at taddong.com]
> Sent: May 27, 2011 4:42 AM
> To: Mitchell, Rick (6030318)
> Subject: New tool for OWASP-CM-001
> Hi Rick,
> I've seen your reference on the OWASP Testing Guide for the SSL/TLS section [0], where ssl_check.sh is mentioned.
> [0] https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29
> I plan to publish a tool replacement for ssl_check.sh with some additions, so who should I send the information about the new tool to, so that (if OWASP finds it useful) it gets posted in [0]?
> Thanks,
> ----
> Raul Siles
> Founder & Senior Security Analyst
> Taddong
> www.taddong.com