[OWASP-TESTING] Section 1 - done

David Endler DEndler at iDefense.com
Tue Apr 22 10:35:13 EDT 2003


Hi there,

Unfortunately, the OWASP portal guys are running a little behind schedule.
Instead of posting our first section of the doc to the old site, we wanted
to show it on the new fresh portal.  I'll send out the next section for
edits this week.

-dave

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of
> owasp at moiler.com
> Sent: Tuesday, April 22, 2003 6:39 AM
> To: David Endler; owasp-testing at lists.sourceforge.net
> Cc: 'Dan Cuthbert'
> Subject: RE: [OWASP-TESTING] Section 1 - done
> 
> 
> It's all gone quiet - what are the release plans and next steps for the
> Testing Guide?
> 
> Glyn.
> 
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net 
> > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Glyn
> > Sent: 07 April 2003 13:06
> > To: 'David Endler'; owasp-testing at lists.sourceforge.net
> > Cc: 'Dan Cuthbert'
> > Subject: RE: [OWASP-TESTING] Section 1 - done
> > 
> > 
> > Hiya,
> > 
> > I totally agree that we need to keep traditional pen-testing 
> > out of the app testing guide.  It should perhaps be mentioned 
> > that application testing is not intended to replace 
> > vulnerability identification within the OS's, web-servers, 
> > app-server platforms etc., but to complement it.
> > 
> > I feel the confusion comes in where you draw the line between 
> > the two. The crossover we frequently see is in the area of 
> > deployment of the shrink-wrapped parts (up to and including 
> > web-server components) as they relate to the app.  E.g. 
> > web-server configuration and hardening, middleware 
> > configuration, database security....
> > 
> > Some clients feel that checking for *known* vulnerable CGI's, 
> > for example, is appropriate in an application test, even 
> > though this is more a deployment issue.  Others want the 
> > testing focussed on the bespoke application logic regardless 
> > of the platform.  It's not to say that the underlying checks 
> > won't be performed, just that they may not be relevant in the 
> > context of the specific phase of testing.
> > 
> > My feeling is that by separating the two it is clearer to 
> > readers of the document that, whilst deployment of the 
> > application support components is important, it is separate 
> > from testing of the bespoke web-app and can be tested 
> > separately.  We tend to look at the profile of the teams 
> > we're going to be dealing with to help define the scope.  If 
> > it's the coders and app developers, chances are the focus 
> > should be on input validation, session management, 
> > authentication etc.  If it's the guys that build the servers, 
> > the focus is probably on making sure the servers are patched 
> > appropriately, and unnecessary features removed/disabled.  
> > Sometimes it's both.
> > 
> > We could even qualify the infrastructure phase accordingly - 
> > e.g. add a line that says "This is arguably infrastructure 
> > pen-testing and therefore may be out of scope of this 
> > document.  It is included, however, as it is a vital stage in 
> > assuring the application environment is secure"
> > 
> > Debaters - prepare to debate ;)
> > 
> > > -----Original Message-----
> > > From: owasp-testing-admin at lists.sourceforge.net
> > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> > > Of David Endler
> > > Sent: 07 April 2003 12:46
> > > To: 'Glyn'; 'owasp-testing at lists.sourceforge.net'
> > > Cc: 'Dan Cuthbert'
> > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > > 
> > > 
> > > Hi Glyn and Dan,
> > > 
> > > I actually went back and forth on this issue and decided on
> > > the larger subset of "Implementation Testing" for a couple
> > > of reasons:
> > > 
> > > 1.)  I think as you define "Infrastructure Testing", it is
> > > very easily handled in a few paragraphs that mentions 
> > > "Looking for Known System/Hardware/Application 
> > > Vulnerabilities" and "Analyzing Infrastructure Dependencies" 
> > > (router rules, firewall ACLs, primary DNS servers, etc.).
> > > 
> > > 2.) I didn't want us to get too bogged down in "penetration
> > > testing" as there are countless other sources on this that we 
> > > can reference. 
> > > 
> > > I am more than open to being swayed back the other way :-)
> > > 
> > > Anyone else have an opinion?
> > > 
> > > -dave
> > > 
> > > > -----Original Message-----
> > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > [mailto:owasp-testing-admin at lists.sourceforge.net]On
> > > > Behalf Of Glyn
> > > > Sent: Monday, April 07, 2003 4:58 AM
> > > > To: David Endler; owasp-testing at lists.sourceforge.net
> > > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > > > 
> > > > 
> > > > Hiya,
> > > > 
> > > > I think that in Phase II, pp15, the Implementation Review and 
> > > > Testing phase needs to be chopped in two.
> > > > 
> > > > 1/  Infrastructure testing (e.g. os/web server implementation,
> > > > default scripts etc.)
> > > > 2/  "Proper" Application testing (e.g. input validation,
> > > > authentication & authorisation, bounds checking etc.)
> > > > 
> > > > Reason being that in many organisations I've provided consultancy
> > > > to, different teams and responsibilities exist relating to the two.
> > > > In keeping with the pick and mix approach of the OWASP Testing Guide
> > > > - to provide a 'best approach' but reflect the reality of test
> > > > scope, I feel it's better to differentiate.
> > > > 
> > > > E.g.
> > > > 
> > > > * Application Infrastructure Review and Testing
> > > > This section is focussed on the underlying hosts and software
> > > > supporting the web application, and potential security flaws.  This
> > > > phase crosses over heavily with traditional penetration testing.  It
> > > > focuses on design problems and security vulnerabilities with the
> > > > deployment of the hosts, operating systems, web and database servers
> > > > on which the application relies.  This phase will also identify
> > > > insecure or unnecessary application components, such as vulnerable
> > > > CGI scripts or inappropriate services or functionality.
> > > > 
> > > > * Application Implementation Review and Testing
> > > > The section is to assess the security of the web-application,
> > > > typically from a user's perspective.  During this Application
> > > > Security Assessment the correct operation of the site will be
> > > > analysed from a security perspective.  Compliance with the
> > > > web application operational and security design will be
> > > > assessed, together with broader categories such as
> > > > Authentication and Session Management, Parameter Manipulation
> > > > and Input Validation.
> > > > 
> > > > Cheers,
> > > > G
> > > > 
> > > > > -----Original Message-----
> > > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf
> > > > > Of David Endler
> > > > > Sent: 04 April 2003 22:05
> > > > > To: 'owasp-testing at lists.sourceforge.net'
> > > > > Subject: [OWASP-TESTING] Section 1 - done
> > > > > 
> > > > > 
> > > > > Attached is Section 1, edited and incorporating many of your
> > > > > suggestions.  I feel the beginning section of "What is a web
> > > > > application" still needs a little work, or needs to be deleted
> > > > > altogether and referenced to the Guide instead.  Once Ivan Arce,
> > > > > our project advisor, blesses this draft, we will post it and move
> > > > > on to the next section!  Basing the quality of the doc on the
> > > > > first section alone, I feel we are going to produce something very
> > > > > powerful at the end of our efforts.
> > > > > Thanks again to everyone contributing thus far.
> > > > > 
> > > > >  <<TestingSection1.zip>>
> > > > > -dave
> > > > > 
> > > > > David Endler, CISSP
> > > > > Director, Technical Intelligence
> > > > > iDEFENSE, Inc.
> > > > > 1875 Campus Commons Drive
> > > > > Suite 210
> > > > > Reston, VA 20191
> > > > > voice: 703.480.5632
> > > > > fax: 703.390.9456
> > > > > 
> > > > > dendler at idefense.com
> > > > > www.idefense.com
> > > > > 
> > > > > 
> > > > 
> > > 
> > 
> > 
> > 
> 
> 
> 