This page is for brainstorming and discussion about the 2nd generation sectools.org site we are working on. This is mostly meant to be a private page, but if anyone finds it, well, please send us feedback or add your comments :).

REQUIREMENTS AND GOALS FOR NEW SECTOOLS SITE

SUMMARY OF GOALS

• Allow users to leave comments on tools
• Allow users to score tools (1 to 5 stars)
• Allow site to "live on its own" without requiring the regular surveys. This means new tools can be added and existing tools can be ranked in a way that affects the tool order in real time.
• Dynamically generated pages, allow to sort by rank or last release date (maybe number of ratings too) and select by category or tags.
• Improved design

FUNDAMENTAL THESIS

They days of updating a static site every few years are over. Things change very fast, especially in the security tools world, and users expect sites which are interactive and constantly updated. The good news is that sites like Wikipedia, Yelp, Twitter, Digg, and the like show that users are willing to help provide that content if you give them the proper infrastructure.

PLANNED CHANGES

These are my current thoughts on what I'd like to have for a new http://sectools.org (for release within a small number of months). Nothing is carved in stone though, so I'm looking for better ideas and other features people might want.

Allow users to give comments

There should be a comment form where users are encouraged to provide reviews, tips/tricks, tutorials, or whatever other notes other users might find helpful. (we should be sure to make it clear that the comment form is for all these things).

I worry that requiring users to set up an account and log in to provide comments might be too high of a barrier. I was thinking of doing it like some blogs where they can just enter their name and optional URL/email below the comment. We should probably encourage people to enter a URL if we go that route (it could be their home page, twitter/facebook profile, company, etc.). Another option would be some sort of federated login system where people can use their Facebook or OpenID logins (like disqus.com, js-kit.com), but that might be a pain to implement with the federation systems directly, and using a canned system like disqus might limit our flexibility. Plus, there are a lot of users who are anti-social-networking (for reasonably good security reasons). And I worry about whether Google can properly index something like a Disqus widget Javascript iframe thingy on a page. But that would be easy to test.

• Example of comment system just asking for name: http://www.paloaltoonline.com/news/show_story.php?id=19318
• Here is another comment system which just asks for a name, but note that there are impersonation accusations in the comments (search for Owen Gleiberman): http://www.ew.com/ew/article/0,,20450944,00.html
• Another example is this "Simple Comments" system written in Perl (uses SSI): http://www.webreference.com/programming/perl/comments/
  • Does not require login
  • Allows threading
  • Kind of ugly output, but maybe can be fixed with CSS.
    • No releases since 2008
• The development framework we use might have modules to support common social network auth schemes. For example, this Django app purportedly allows login via twitter, facebook, openid, yahoo, or Google: http://uswaretech.com/blog/2009/08/django-socialauth-login-via-twitter-facebook-openid-yahoo-google/
• Jah notes this site which allows many federated login types: http://stackoverflow.com
• Some notes about pretty-much-rejected Disqus and JS-Kit Echo options:
  • Disqus lets users choose Facebook Connect, OpenID, or Twitter sign in for comments.
    • But I don't trust "Facebook Connect", posting as a guest is too much of a pain and it tries to bug users to create a "Disqus profile", etc. Still, it is extremely popular. We may want to look into it more in case it has improved recently.
    • JS-Kit ECHO hypes a bunch of crap features we don't need, but it grew from a simple threaded comment system. Here is an example allowing anon comments: http://techcrunch.com/2006/11/29/quick-embed-code-to-add-comments-to-any-site/

We'll need to have some sort of CAPTCHA-like feature. I don't think this site will be big enough to attract many dedicated spammers, so we could probably do something reasonably simple and amusing (e.g. make people answer a security question or identify what service uses a port number of whatever).

We may not need comment threading capability since the comments aren't primarily for discussion. Though I suppose threading could be useful if one person wants to clarify information from another comment.

On the main Sectools page tools lists, it should tell how many comments there are and provide a way to view them and/or add your own.

For tracking abuse (including companies trying to astroturf their own projects), we should save the information on who left a comment (IP address, browser user agent, date/time, email address or web site if we got one). This should be available for admin viewing.

We need a way for admins to reasonably easily delete useless comments. Similarly, we need a way to notify admins of new comments to catch spam and stupidity early. (an RSS feed for new comments would suffice, as we could use an rss to email service to email those to us if desired).

Allow users to give ratings

Each tool should have a rating from 1 to 5 stars. It should be displayed along with the number of ratings for that tool (as an example of this sort of UI, see Amazon products or Yelp reviews). Users can only rank in whole star increments, but the average ranking display should be able to show half-stars (e.g. 3.5 stars).

We'll start the ratings based on the 2010 survey results. That survey asked users to list their 8 favorite tools, so treating those as 5 star reviews seems reasonable. But site users can rate tools themselves, so the tool ratings won't be static for years like they currently are.

I'm leaning toward only allowing star ratings when someone leaves a comment, as opposed to letting people just rate things without comment. I don't think Yelp or Amazon let you give a rating without comment. My hope is that raising the bar a little to rating like this will force people to justify their ratings. But another option would be to let anyone easily give a rating. Users should be able to leave a comment without giving a rating, if they wish.

We should be like Yelp in that the color of the stars differs based on how many they have (e.g. 5 stars are shown in a different color than a 3 star would be). Using the star images just like Yelp would be fine with me. Or maybe we should design our own, with Insecure purple being used for 4.5 or 5 stars, blue for 3.5 or 4, etc. Amazon.com reviews are a good comparable example too.

We need a way to prevent people from voting multiple times. We should use cookies and IP addresses should help with this. There should be text near the rating widget which tells companies not to rate their own products or ask their customers to rate them. And it should ask people to report vendors who ask them for ratings. If we catch companies doing that, we can put a turd logo by their product.

Ideally, if a user votes multiple times for a tool, only the latest vote should count. (the other option is to only allow the first vote, but I think allowing vote changes would be nice). Users should probably be allowed to comment multiple times.

When users vote, we need to store the information we have such as time, date, tool, number of stars, comments, etc.

I thought about using "like buttons" (a la Facebook) rather than star reviews. Amazon has recently added their own like buttons to products too (the Nmap book has 1 "Like"), but like buttons don't really provide ways to leave negative feedback. If a product doesn't work for you or has become unmaintained and no longer compiles on popular platforms or whatever, it is nice for users to be able to rate it down.

The tool detail page (with the comments) should give a histogram of the rankings (see Amazon for an example).

We should probably provide a way to show and sort by the survey poularity values (maybe we'll call this 'popularity' rather than score or rating). After all, the survey was a very big part of this site and we also may want citeable values that don't change, especially at first.

Allow users to suggest new tools

The current list of tools stays the same for years until the new survey is complete. But that can prevent great new tools from being added and noticed. The new Seclists should have a "suggest new tool" page.

This page should require people to give the tool name, URL, their email address, and a comment form for describing anything they want to say about the tool and why they think it belongs on the list. I tend to think we shouldn't require them to add all the tool fields (description, tagline, categories, tags, etc.) because I want to encourage many people to add tools. The page should say that they should only add tools they think are worth five stars because their comments will turn into a 5-star review if we accept the tool.

From time to time we would go through the submissions and add new tools. It is OK to be selective, we don't want to add everything. Tools should at least be significant and useful and have a reasonable web presence. We may want to wait until a tool accumulates a certain minimum number of submissions. Once we accept a tool, we'd start it with a 5-star ranking for each submission it had, and the comments the users submitted would go in too.

Tag system

This is similar to what we already have with icons for supported platforms, whether a tools if free, open source, etc. Each tag needs a small logo for the tag line.

A difference is that users should be able to click on any tag and get a list of other tools matching that tag. But what about people who want to see tools WITHOUT a certain tag? I think this will only be common with a few tags, such as the paid app tag (you might want to see just the free apps). In those cases, a good approach might be to just define a 2nd tag (e.g. some apps would have the "paid" tag still, but the others would have a "free" tag). Another option would be to add a note to the top of tag-selected pages that this page contains tools with the tag (whatever), but you can (click here) for tools without that tag.

We might want to treat categories differently than tags, like we do now.

Design improvements

In an ideal world, we'd have a professional designer redesign the Insecure chrome and also design the new Sectools site. But that is probably not realistic in the time frame we're looking at. So we'll probably do the best we can for now. And maybe someday we will identify a wonderful designer who can go through and redesign things.

Instead of using <hr> tag between tools, maybe we should use a purple insecure header bar, but with a gradient and also related text. For example, look at Freshmeat's newest interface: http://freshmeat.net/search?q=security&submit=Search

When you mouse over information such as categories or tags, we should, were practical, provide some UI responsiveness to let the user know. As an example, go to http://freshmeat.net/ and mouse around an entry.

If we find a place to put software screenshots (e.g. a thumbnail that people can click on to expand), we should add them. We will keep showing the software icons in any case.

We should have a contact line with links to a project's Facebook page, twitter page, Wikipedia page, home page, etc. Of course the links don't show up if we don't have a record of them. We should have a Mailing list link for mailing list archives (this would go to SecLists for lists we archive).

Users should be able to sort by rank (for tools with the same # of stars, it would subsort by number of ratings), or by date of last release (newest first - see section on this later), or probably by number of ratings.

Editorial improvements

Fyodor needs to go through all the description and tagline text and categories, edit as appropriate.

We need to find some other qualified reviewers too. I will be sure to hit up the Nmap council for that too :).

The site should make it clear how users can submit private comments/corrections/updates (this may be as simple as listing an email address).

For now we will still exclude Nmap project software such as Nmap, Zenmap, Ndiff, Ncat, Nping, and Ncrack. We should note this near the top of the page. Someday maybe we'll set up a way to include our software but just not let it be ranked or have a huge disclaimer or something.

We should encourage beta participants to leave some comments, etc. to seed things for the formal release. If it starts out empty, users are much less likely to interact.

Latest release field

A latest release field would be really nice, as that is a major key to how active development for a project is. But the problem is keeping it up to date. Maybe we could just let anyone set that field, but I suppose we'd need a way to revert in case some bonehead set them all.

If we had this field, users could sort the tools by latest release date.

It should display latest version number + date. Maybe some sort of indicator for how long it has been since the last release. There should probably be a tag for actively developed projects based on time since latest release .

Search

We need to figure out what sort of search we need to offer. We could easily have the normal "SecSearch" boxes, but those search all the nmap.org sites and so users might get a bunch of SecLists results.

IMPLEMENTATION NOTES

Once the requirements are settled, we're going to have to build the thing. And quickly, I hope. So we also need to think about the implementation. I'm very open to ideas here.

In an ideal world, there would be an existing webapp which could be configured to basically do what we want. But I don't know of such a thing (any ideas?), so we will probably have to put together something ourselves.

I tend to slightly favor Django since it is a Python based framework. It has worked well so far for Nscan development, and of course a lot of Nmap stuff is written in Python (most notably Zenmap and Ndiff).

Frameworks:

• Django
• Flask
• Sinatra

The current system is based on pre-generated HTML files (we run a make file which creates the man software ranking pages, the category pages, etc.) That is great for security and performance, but the reality is that we will probably have to move to dynamic generation for Sectools. I just doubt that we'll be able to meet the requirements for filtering, searching, sorting, showing comments, and the like without generating the pages on the fly. But hopefully the system can cache popular pages/results for solid performance.

The SecurityTube tools site (http://tools.securitytube.net) is entirely wiki based. That is particularly interesting idea since we're already working on a new security wiki site. But I feel that the tool rating and rankings are a very important component of SecTools.Org, and the wiki approach doesn't really allow that. The SecurityTube tools wiki is basically a tools hierarchy with some information about each tool. That is useful, but I think SecTools can do much more. Here is another security tools listing/ranking site: http://www.securitytoollist.com/

We need to make sure that old URLs like http://sectools.org/crackers.html still work, either by using the same ones for categories, or just adding some redirects.