[Owasp-testing] Testing Guide : Tools sections

psiinon psiinon at gmail.com
Sun Aug 4 14:51:25 UTC 2013


That sounds good to me, especially the demos against WebGoat / DVWA etc.
Do you have a suggested format for these - eg is a list of instructions
with relevant screenshots ok?

Having said that I doubt I'll be able to find time to update all of the
sections with demos.
However I'll try to recruit some of the other ZAP developers and power
users to help out, stressing that they should collaborate with the article
authors/reviewers.

Cheers,

Simon


On Sun, Aug 4, 2013 at 3:31 PM, Andrew Muller <andrew at ionize.com.au> wrote:

> Hi Simon,
>   I'm glad you raised this Simon. To date I've been thinking that the
> Guide needs to have solid instructional content for security testers. To
> achieve this I've modified the structure of test cases to include a "how to
> test" and a "tools" section. In demonstrating "how to test" I thought it
> appropriate to use examples from tools in the following priority order:
> 1) OWASP tools (e.g. ZAP) because the OTG is an OWASP initiative,
> 2) other free open-source tools because they align closely with OWASP
> principles,
> 3) free closed-source tools because they kinda align with OWASP principles,
> 4) commercial tools, if there is no other way to demonstrate the test.
> I don't believe we should not mention commercial tools at all. Vendors are
> not the devil. They are just folks offering tools in exchange for money. As
> long as we announce our interests in our decision making processes we
> should be okay.
>
> Whatever changes you make, *please collaborate* with the article
> author/reviewer/s listed in the Paragraph Management spreadsheet.
>
> On the topic of tools, it would be great to see demonstrations of testing
> tools against WebGoat, DVWA, etc so the Guide can better guide testers
> during training and testing. If you've already done something like this
> would you be interested in adding that to the Guide as well?
>
> regards,
>   Andrew
>
> Canberra, Australia Chapter Leader
> Testing Guide Project Co-leader
>
>
> ------------------------------
> *From: *"psiinon" <psiinon at gmail.com>
> *To: *"owasp-testing" <owasp-testing at lists.owasp.org>
> *Sent: *Sunday, 4 August, 2013 11:59:30 PM
> *Subject: *[Owasp-testing] Testing Guide : Tools sections
>
>
> I'm planning on going through the guide adding ZAP to the relevant tools
> sections, and will try and add other tools that I know are definitely
> relevant.
>
> Is there a preferred format?
>
> There seem to be various formats used for similar tools, eg:
>
>    - Web Proxy (*Burp Suite*[6] <http://portswigger.net>, *Paros*[7] <http://www.parosproxy.org/index.shtml>,
>    *WebScarab*[8] <http://www.owasp.org/index.php/OWASP_WebScarab_Project>)
>
>    - OWASP WebScarab: OWASP_WebScarab_Project<https://www.owasp.org/index.php/OWASP_WebScarab_Project>
>    - WebScarab Spider
>    http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
>
> I was thinking of adding a small amount of info to indicate which
> components of ZAP are relevant, but nothing that would exceed one line, eg:
>
>    - OWASP ZAP: OWASP Zed Attack Proxy Project <https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project> - Active scanner and fuzzer
>
> That OK?
> Should tools be listed in any sort of order, eg alphabetical? Or OWASP
> ones first?
> Should only free open source tools be included or are commercial tools
> acceptable?
>
> Cheers,
>
> Simon
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader