[Owasp-testing] Testing Guide : Tools sections

Andrew Muller andrew at ionize.com.au
Sun Aug 4 14:31:23 UTC 2013


Hi Simon, 
I'm glad you raised this Simon. To date I've been thinking that the Guide needs to have solid instructional content for security testers. To achieve this I've modified the structure of test cases to include a "how to test" and a "tools" section. In demonstrating "how to test" I thought it appropriate to use examples from tools in the following priority order: 
1) OWASP tools (e.g. ZAP) because the OTG is an OWASP initiative, 
2) other free open-source tools because they align closely with OWASP principles, 
3) free closed-source tools because they kinda align with OWASP principles, 
4) commercial tools, if there is no other way to demonstrate the test. 
I don't believe we should not mention commercial tools at all. Vendors are not the devil. They are just folks offering tools in exchange for money. As long as we announce our interests in our decision making processes we should be okay. 

Whatever changes you make, please collaborate with the article author/reviewer/s listed in the Paragraph Management spreadsheet. 

On the topic of tools, it would be great to see demonstrations of testing tools against WebGoat, DVWA, etc so the Guide can better guide testers during training and testing. If you've already done something like this would you be interested in adding that to the Guide as well? 

regards, 
Andrew 


Canberra, Australia Chapter Leader 
Testing Guide Project Co-leader 


----- Original Message -----

From: "psiinon" <psiinon at gmail.com> 
To: "owasp-testing" <owasp-testing at lists.owasp.org> 
Sent: Sunday, 4 August, 2013 11:59:30 PM 
Subject: [Owasp-testing] Testing Guide : Tools sections 

I'm planning on going through the guide adding ZAP to the relevant tools sections, and will try and add other tools that I know are definitely relevant. 

Is there a preferred format? 

There seem to be various formats used for similar tools, eg: 

    * Web Proxy ( Burp Suite [6] , Paros [7] , WebScarab [8] ) 
    * OWASP WebScarab: OWASP_WebScarab_Project 
    * WebScarab Spider http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 


I was thinking of adding a small amount of info to indicate which components of ZAP are relevant, but nothing that would exceed one line, eg: 

    * OWASP ZAP: OWASP Zed Attack Proxy Project - Active scanner and fuzzer 


That OK? 
Should tools be listed in any sort of order, eg alphabetical? Or OWASP ones first? 
Should only free open source tools be included or are commercial tools acceptable? 

Cheers, 

Simon 
-- 
OWASP ZAP Project leader 

_______________________________________________ 
Owasp-testing mailing list 
Owasp-testing at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-testing 


