Reference NSA for TLS Automated Tests

[cmlh]

What's the issue?

This issue is related to https://github.com/OWASP/ASVS/issues/992

The NSA has published "Scanning Tools" within "Mitigating Obsolete TLS" which may not be listed by the "Automated Testing" section of WSTG-CRYP-01.

How do we solve it?

1. Insert the missing "Scanning Tools" of "Mitigating Obsolete TLS" into the "Automated Testing" section of WSTG-CRYP-01.
2. Push any missing "Scanning Tools" from "Mitigating Obsolete TLS" upstream to the NSA that were already listed in the "Automated Testing" section of WSTG-CRYP-01 prior to this change.

Would you like to be assigned to this issue?

• [X] Assign me, please!

[rbsec]

That list of scanning tools has some interesting choices. Some of them are clearly intended to push a commercial product (such as https://www.hardenize.com, or the link to the Nessus plugins), which I'm not so keen on (although to be fair, Qualys does this to a lesser extent).

Some of them are just odd. Do we really want to recommend that someone doing a webapp assessment uses something like https://www.thesslstore.com/ssltools/ssl-checker.php ?

My inclination would be that maybe it's worth having a link to this list (with an appropriate caveat), or pulling out some of the ones that we like here but haven't included in guide. There are a huge number of different SSL/TLS scanning tools - are there any in this list that you think are particularly worth including?

[kingthorin]

Agreed, I wouldn't want us to use this list directly. Though I'm fine referencing it.

[ThunderSon]

Maybe a good split between OSS tools versus off the shelf software sections would give this justice? I am against including a couple of tools on github that are barely maintained, otherwise it looks feasible to inject some of them into the guide.

[cmlh]

@rbsec @kingthorin @ThunderSon

It's a slippery slope to exclude specific product[s] listed on "Scanning Tools" of "Mitigating Obsolete TLS". Some OWASP Board Members have promoted their own commercial products (much to my own horror) within OWASP therefore based on this precedence it would be unfair to others.

However I can tag each product related to recent commercial or FOSS licensing, TLS 1.3 support and changes/maintenance is that a reasonable compromise?

[kingthorin]

No there’s no point adding junk tools just because they appear in some other reference. Either we pick things that are actually useful or we just reference the resource with no guarantees.

Or, close this and don’t worry about other projects or the NSA.

[cmlh]

No there’s no point adding junk tools just because they appear in some other reference. Either we pick things that are actually useful or we just reference the resource with no guarantees.

My intention was to reference without guarantee as I am not convinced that these products are "junk" due to the high standing of NSA.

Or, close this and don’t worry about other projects or the NSA.

Please refer to the citation of https://samate.nist.gov/SARD/testsuite.php within https://owasp.org/www-project-benchmark/ @kingthorin as an example of OWASP citing NSA.

[kingthorin]

I’m not saying we shouldn’t cite the NSA, I’m saying blindly trusting a resource simply based on organizational relationship might not be the best move (when we don’t agree on the content).

My stance remains that at most we include it as a reference and not try to duplicate the content.

[cmlh]

My stance remains that at most we include it as a reference and not try to duplicate the content.

Can we hold off on comments until I have compared the NSA "Scanning Tools" to that of the "Automated Testing" section of WSTG-CRYP-01 please @kingthorin ?

[rbsec]

It's a slippery slope to exclude specific product[s] listed on "Scanning Tools" of "Mitigating Obsolete TLS". Some OWASP Board Members have promoted their own commercial products (much to my own horror) within OWASP therefore based on this precedence it would be unfair to others.

I don't think it should really be a case of excluding tools at all. There are hundreds (thousands?) of tools out there that can be use to scan SSL/TLS implementations, so it's not realistic to try and justify why they are not included from a guide like this. AFAIK there aren't really any hard criteria for which tools are included, but the main areas to consider are:

• Is the tool effective and reliable (i.e, have you used it, or is it widely used and trusted)?
• Is it still actively supported and maintained?
• Is there any reason to believe that that the author/vendor is untrustworthy (bundling adware/spyware, reputation, etc)?
• Is the tool free (and ideally open source)?
  • If not, is the tool so widely used and trusted (such as Burpsuite) that not including it would seem to be a major omission.
• Does it add something that previous tools don't? Providing a user with dozens of options makes it harder for them to choose, especially if they've not heard of any of them and we don't give much explanation about them.

There are definitely some tools included in that list (the as thesslstore's online checker) that I wouldn't really consider to meet those criteria. There are also others such as tls-scan which look like they might be good additions as they have support for protocols that many other tools don't have (assuming it works - I've never used it personally). But I think that they should be considered on their individual merits, rather than just imported as a list because someone else recommends them - especially where we don't know what kind of vetting process was applied upstream.

[kingthorin]

💯 @rbsec

[cmlh]

https://github.com/OWASP/www-community/blame/master/pages/attacks/Brute_force_attack.md#L52 committed by @kingthorin on 31 October 2020 endorsed DirBuster which has been deprecated for well over a decade @rbsec

¯ \ ( ツ ) / ¯

Can we hold off on comments until I have compared the NSA "Scanning Tools" to that of the "Automated Testing" section of WSTG-CRYP-01 please @kingthorin ?

I'll close this issue for the moment until the above is delivered with consideration to what has been put forth in the various other comments above.

[kingthorin]

Actually if you actually look at the diff/history you "should" note that was just clean-up of auto-migrated content.

[ThunderSon]

@cmlh please do not propose any changes, we are not here for you to poke at. I will not accept any PR from your side. @kingthorin took on massive work on the community website to help the migration, just for you to throw such a thing out of nowhere? And how is the community website in any way related to this project? I respectfully ask you to stay off and away from the project.