[OWASP-TESTING] Section 1 - done

Steve Manzuik steve at entrenchtech.com
Mon Apr 7 19:00:31 EDT 2003


My experience in Canada has been completely the opposite, but of course
most of my clients are just now starting to understand application
security.  Of course, I am not saying that this is the best way to do
things; separate teams is definitely the way to go here.

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> Of Dan Cuthbert
> Sent: Monday, April 07, 2003 4:55 AM
> To: Owasp Testing
> Subject: RE: [OWASP-TESTING] Section 1 - done
> 
> 
> I agree with Glyn, here in the UK it seems that the two
> sections seem to always be dealt with by different teams
> within the company.
> 
> 
> 
> On Mon, 2003-04-07 at 09:59, Glyn wrote:
> > Hiya,
> > 
> > I think that in Phase II, pp15, the Implementation Review and Testing
> > phase needs to be chopped in two.
> > 
> > 1/  Infrastructure testing (e.g. os/web server implementation, default
> > scripts etc.)
> > 2/  "Proper" Application testing (e.g. input validation,
> > authentication & authorisation, bounds checking etc.)
> > 
> > Reason being that in many organisations I've provided consultancy to,
> > different teams and responsibilities exist relating to the two.  In
> > keeping with the pick and mix approach of the OWASP Testing Guide - to
> > provide a 'best approach' but reflect the reality of test scope, I
> > feel it's better to differentiate.
> > 
> > E.g.
> > 
> > * Application Infrastructure Review and Testing
> > This section is focussed on the underlying hosts and software
> > supporting the web application, and potential security flaws.  This
> > phase crosses over heavily with traditional penetration testing.  It
> > focuses on design problems and security vulnerabilities with the
> > deployment of the hosts, operating systems, web and database servers
> > on which the application relies.  This phase will also identify
> > insecure or unnecessary application components, such as vulnerable CGI
> > scripts or inappropriate services or functionality.
> > 
> > * Application Implementation Review and Testing
> > The section is to assess the security of the web application, typically
> > from a user's perspective.  During this Application Security Assessment
> > the correct operation of the site will be analysed from a security
> > perspective.  Compliance with the web application operational and
> > security design will be assessed in this stage, together with broader
> > categories such as Authentication and Session Management, Parameter
> > Manipulation and Input Validation.
> > 
> > Cheers,
> > G
> > 
> > > -----Original Message-----
> > > From: owasp-testing-admin at lists.sourceforge.net
> > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> > > Of David Endler
> > > Sent: 04 April 2003 22:05
> > > To: 'owasp-testing at lists.sourceforge.net'
> > > Subject: [OWASP-TESTING] Section 1 - done
> > > 
> > > 
> > > Attached is Section 1, edited and incorporating many of your
> > > suggestions.  I feel the beginning section of "What is a web
> > > application" still needs a little work, or needs to be
> > > deleted altogether and referenced to the Guide instead.  Once
> > > Ivan Arce, our project advisor, blesses this draft, we will
> > > post it and move on to the next section!  Basing the quality
> > > of the doc on the first section alone, I feel we are going to
> > > produce something very powerful at the end of our efforts.
> > > Thanks again to everyone contributing thus far.
> > > 
> > >  <<TestingSection1.zip>>
> > > -dave
> > > 
> > > David Endler, CISSP
> > > Director, Technical Intelligence
> > > iDEFENSE, Inc.
> > > 1875 Campus Commons Drive
> > > Suite 210
> > > Reston, VA 20191
> > > voice: 703.480.5632
> > > fax: 703.390.9456
> > > 
> > > dendler at idefense.com
> > > www.idefense.com
> > > 
> > > 
> 
> 
> 
> 
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
> 