WebApp Sec mailing list archives

Web App Sec Tools and webappsec


From: Mark Curphey <mark () curphey com>
Date: 05 Mar 2003 09:33:51 -0800

It's a weird place; a list that doesn't allow discussion about commercial
tools but is dedicated to web application security, of which testing is a
key component. So I thought I would take some time to explain the reason
for that and suggest a solution for those that want to know about
commercial tools.

In the past we have tried rational discussion, but every single time it
ends up in a marketing war: "my tool does that", "I think it's only fair I
have the final say", etc. I try to use my judgment, like allowing Kevin
Spett's post yesterday, which I think was appropriate and clearly had
value to the discussion, but it never seems to work out. One vendor
even tried to have me removed from moderating this list ("speaking for
the community") because I wouldn't let posts about their commercial
tools through. It just ends up being stressful and unnecessary, and the
quality, impartial moderated debate that I think makes this list great
suffers. I wish there was another way, but we haven't been able to find
it. So to avoid you all being spammed by marketing, a simple rule was put
in place that doesn't allow discussion of commercial tools but does
allow discussion and announcements about open source tools that
abide by an OSI license.

Why OSI only? Far too many people are abusing the open source ideals in
my opinion by releasing open source tools that they own the copyright to,
only to close source them and commercialize them when they have got
a good market presence. That's one of the reasons all OWASP code is
copyrighted to the Free Software Foundation, so people can contribute
without thinking that they may be helping someone else profit. Sure, OSI
doesn't completely protect against that, but it's all we have today and
seems like the right thing to do.

If you are a vendor and you want to advertise your commercial tools at
securityfocus you can do so by contacting Al Huger
(ah () securityfocus com) who can put you in touch with the advertising
folks. You can sponsor a footer on lists like pen-test and securityjobs
for reasonable rates.

That all said, clearly a lot of people want to have a list of tools with
reviews and comments. As the OWASP portal really is getting close (see
the cvs "honest Governor"), we will maintain a tools page. Eventually you
will be able to go to the page and complete a form to submit tools, but
for now you will need to send the owasp-portal list an xml file with the
details. If you are a vendor or a user and want to see an open source tool
listed, you need to do the following.

First take a look at the current CVS data file to see if the tool is
already listed.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/owasp/portal/src/documentation/testingtoolsdata.xml

If it is not listed, you should send a single XML file as an attachment
to owasp-portal () lists sourceforge net with the completed information.
The file should be your tool only, i.e. from the <tool> to the </tool> tag, and not
a complete copy with additions.

If you are submitting multiple tools then submit multiple xml files.
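A small check, added here as an illustration and not code from the list or the OWASP portal, for what the submission rules above amount to: the attachment must be well-formed XML whose root is a single <tool> element, not a copy of the whole data file and not several tools in one file. The element names inside <tool> and the sample documents are constructed assumptions; the page does not publish the data file's schema.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed samples (not from the OWASP data file). Only the <tool> root
# is specified by the post; the child element names are assumptions.
SINGLE_TOOL = """<tool>
  <name>Example Scanner</name>
  <license>GPL</license>
  <url>http://example.invalid/scanner</url>
</tool>
"""

# What the post asks people NOT to send: the whole data file with additions.
WHOLE_FILE_COPY = """<tools>
  <tool><name>Tool A</name></tool>
  <tool><name>Tool B</name></tool>
</tools>
"""

# A mismatched closing tag, to show the well-formedness check.
NOT_XML = "<tool><name>Broken</tool>"


def check_submission(xml_text: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one submitted attachment.

    Accept only a well-formed document whose root element is <tool> and
    which contains exactly one tool; anything else gets a reason that the
    maintainer can quote back to the submitter.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"

    if root.tag != "tool":
        # A copy of the data file has a different root and several <tool>s.
        count = len(root.findall(".//tool"))
        if count > 1:
            return False, f"contains {count} <tool> entries; submit one file per tool"
        return False, f"root element is <{root.tag}>, expected <tool>"

    if root.findall(".//tool"):
        return False, "nested <tool> elements; submit one file per tool"

    return True, "single <tool> entry"


if __name__ == "__main__":
    for label, doc in (("single", SINGLE_TOOL), ("copy", WHOLE_FILE_COPY), ("broken", NOT_XML)):
        ok, why = check_submission(doc)
        print(f"{label}: {'accept' if ok else 'reject'} ({why})")
```

Running it prints one accept line for the single-tool sample and reject lines for the whole-file copy and the malformed document.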

In the meantime, the webappsec FAQ at securityfocus.com is a good source
for the list charter, or if you have any other comments or thoughts, just
drop me an email.

Cheers


-- 
Mark Curphey <mark () curphey com>
