WebApp Sec mailing list archives
Web App Sec Tools and webappsec
From: Mark Curphey <mark () curphey com>
Date: 05 Mar 2003 09:33:51 -0800
It's a weird place; a list that doesn't allow discussion about commercial tools but is dedicated to web application security, of which testing is a key component. So I thought I would take some time to explain the reason for that and suggest a solution for those that want to know about commercial tools.

In the past we have tried rational discussion, but every single time it ends up in a marketing war: "my tool does that", "I think it's only fair I have the final say", etc. I try to use my judgment, like allowing Kevin Spett's post yesterday, which I think was appropriate and clearly had value to the discussion, but it never seems to work out. One vendor even tried to have me removed from moderating this list ("speaking for the community") because I wouldn't let posts about their commercial tools through. It just ends up being stressful and unnecessary, and the quality, impartial, moderated debate that I think makes this list great suffers. I wish there was another way but we haven't been able to find it.

So to avoid you all being spammed by marketing, a simple rule was put in place that doesn't allow discussion of commercial tools but does allow for discussion and announcements about open source tools that abide by an OSI license. Why OSI only? Far too many people are abusing the open source ideals in my opinion by releasing open source tools that they own the copyright to, only to close-source them and commercialize them when they have got a good market presence. That's one of the reasons all OWASP code is copyrighted to the Free Software Foundation, so people can contribute without thinking that they may be helping someone else profit. Sure, OSI doesn't completely protect against that, but it's all we have today and seems like the right thing to do.

If you are a vendor and you want to advertise your commercial tools at securityfocus you can do so by contacting Al Huger (ah () securityfocus com), who can put you in touch with the advertising folks. You can sponsor a footer on lists like pen-test and securityjobs for reasonable rates.

That all said, clearly a lot of people want to have a list of tools with reviews and comments. As the OWASP portal really is getting close (see the cvs, "honest Governor"), we will maintain a tools page. Eventually you will be able to go to the page and complete a form to submit tools, but for now you will need to send the owasp-portal list an XML file with the details. If you are a vendor or a user and want to see an open source tool listed, you need to do the following.

First, take a look at the current CVS data file to see if the tool is already listed:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/owasp/portal/src/documentation/testingtoolsdata.xml

If it is not listed you should send a single XML file as an attachment to owasp-portal () lists sourceforge net with the completed information. The file should be your tool only, i.e. from the <tool> to the </tool> tags, and not a complete copy with additions. If you are submitting multiple tools then submit multiple XML files.

In the meantime the webappsec FAQ at securityfocus.com is a good source for the list charter, or if you have any other comments or thoughts just drop me an email.

Cheers

-- 
Mark Curphey <mark () curphey com>