[Owasp-testing] Testing Guide : Tools sections

Andrew Muller andrew at ionize.com.au
Sun Aug 4 15:01:42 UTC 2013

Thanks Simon! The format you suggested sounds perfect (list of instructions with relevant screen shots). 


----- Original Message -----

From: "psiinon" <psiinon at gmail.com> 
To: "Andrew Muller" <andrew at ionize.com.au> 
Cc: "owasp-testing" <owasp-testing at lists.owasp.org> 
Sent: Monday, 5 August, 2013 12:51:25 AM 
Subject: Re: [Owasp-testing] Testing Guide : Tools sections 

That sounds good to me, especially the demos against WebGoat / DVWA etc. 

Do you have a suggested format for these - eg is a list of instructions with relevant screenshots ok? 

Having said that I doubt I'll be able to find time to update all of the sections with demos. 
However I'll try to recruit some of the other ZAP developers and power users to help out, stressing that they should collaborate with the article authors/reviewers. 



On Sun, Aug 4, 2013 at 3:31 PM, Andrew Muller <andrew at ionize.com.au> wrote: 

Hi Simon, 
I'm glad you raised this Simon. To date I've been thinking that the Guide needs to have solid instructional content for security testers. To achieve this I've modified the structure of test cases to include a "how to test" and a "tools" section. In demonstrating "how to test" I thought it appropriate to use examples from tools in the following priority order: 
1) OWASP tools (e.g. ZAP) because the OTG is an OWASP initiative, 
2) other free open-source tools because they align closely with OWASP principles, 
3) free closed-source tools because they kinda align with OWASP principles, 
4) commercial tools, if there is no other way to demonstrate the test. 
I don't believe we should not mention commercial tools at all. Vendors are not the devil. They are just folks offering tools in exchange for money. As long as we announce our interests in our decision making processes we should be okay. 

Whatever changes you make, please collaborate with the article author/reviewer/s listed in the Paragraph Management spreadsheet. 

On the topic of tools, it would be great to see demonstrations of testing tools against WebGoat, DVWA, etc so the Guide can better guide testers during training and testing. If you've already done something like this would you be interested in adding that to the Guide as well? 


Canberra, Australia Chapter Leader 
Testing Guide Project Co-leader 

From: "psiinon" <psiinon at gmail.com> 
To: "owasp-testing" <owasp-testing at lists.owasp.org> 
Sent: Sunday, 4 August, 2013 11:59:30 PM 
Subject: [Owasp-testing] Testing Guide : Tools sections 

I'm planning on going through the guide adding ZAP to the relevant tools sections, and will try and add other tools that I know are definitely relevant. 

Is there a preferred format? 

There seem to be various formats used for similar tools, eg: 

    * Web Proxy ( Burp Suite [6] , Paros [7] , WebScarab [8] ) 
    * OWASP WebScarab: OWASP_WebScarab_Project 
    * WebScarab Spider http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 

I was thinking of adding a small amount of info to indicate which components of ZAP are relevant, but nothing that would exceed one line, eg: 

    * OWASP ZAP: OWASP Zed Attack Proxy Project - Active scanner and fuzzer 

That OK? 
Should tools be listed in any sort of order, eg alphabetical? Or OWASP ones first? 
Should only free open source tools be included or are commercial tools acceptable? 



OWASP ZAP Project leader 


OWASP ZAP Project leader 
