[OWASP-TESTING] Section 1 - done
Mark Curphey
mark at curphey.com
Tue Apr 22 10:48:10 EDT 2003
The def launch date is May 5th. By hook or by crook!
On Tue, 2003-04-22 at 07:35, David Endler wrote:
> Hi there,
>
> Unfortunately, the OWASP portal guys are running a little behind schedule.
> Instead of posting our first section of the doc to the old site, we wanted
> to show it on the new fresh portal. I'll send out the next section for
> edits this week.
>
> -dave
>
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net
> > [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of
> > owasp at moiler.com
> > Sent: Tuesday, April 22, 2003 6:39 AM
> > To: David Endler; owasp-testing at lists.sourceforge.net
> > Cc: 'Dan Cuthbert'
> > Subject: RE: [OWASP-TESTING] Section 1 - done
> >
> >
> > It's all gone quiet - what are the release plans and next steps for the
> > Testing Guide?
> >
> > Glyn.
> >
> > > -----Original Message-----
> > > From: owasp-testing-admin at lists.sourceforge.net
> > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Glyn
> > > Sent: 07 April 2003 13:06
> > > To: 'David Endler'; owasp-testing at lists.sourceforge.net
> > > Cc: 'Dan Cuthbert'
> > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > >
> > >
> > > Hiya,
> > >
> > > I totally agree that we need to keep traditional pen-testing
> > > out of the app testing guide. It should perhaps be mentioned
> > > that application testing is not intended to replace
> > > vulnerability identification within the OS's, web-servers,
> > > app-server platforms etc., but to complement it.
> > >
> > > I feel the confusion comes in where you draw the line between
> > > the two. The crossover we frequently see is in the area of
> > > deployment of the shrink-wrapped parts (up to and including
> > > web-server components) as they relate to the app. E.g.
> > > web-server configuration and hardening, middleware
> > > configuration, database security....
> > >
> > > Some clients feel that checking for *known* vulnerable CGIs,
> > > for example, is appropriate in an application test, even
> > > though this is more a deployment issue. Others want the
> > > testing focussed on the bespoke application logic regardless
> > > of the platform. It's not to say that the underlying checks
> > > won't be performed, just that they may not be relevant in the
> > > context of the specific phase of testing.
> > >
> > > My feeling is that by separating the two it is clearer to
> > > readers of the document that, whilst deployment of the
> > > application support components is important, it is separate
> > > from testing of the bespoke web-app and can be tested
> > > separately. We tend to look at the profile of the teams
> > > we're going to be dealing with to help define the scope. If
> > > it's the coders and app developers, chances are the focus
> > > should be on input validation, session management,
> > > authentication etc. If it's the guys that build the servers,
> > > the focus is probably on making sure the servers are patched
> > > appropriately, and unnecessary features removed/disabled.
> > > Sometimes it's both.
> > >
> > > We could even qualify the infrastructure phase accordingly -
> > > e.g. add a line that says "This is arguably infrastructure
> > > pen-testing and therefore may be out of scope of this
> > > document. It is included, however, as it is a vital stage in
> > > assuring the application environment is secure"
> > >
> > > Debaters - prepare to debate ;)
> > >
> > > > -----Original Message-----
> > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf
> > > > Of David Endler
> > > > Sent: 07 April 2003 12:46
> > > > To: 'Glyn'; 'owasp-testing at lists.sourceforge.net'
> > > > Cc: 'Dan Cuthbert'
> > > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > > >
> > > >
> > > > Hi Glyn and Dan,
> > > >
> > > > I actually went back and forth on this issue and decided on
> > > > the larger subset of "Implementation Testing" for a couple
> > > > of reasons:
> > > >
> > > > 1.) I think as you define "Infrastructure Testing", it is
> > > > very easily handled in a few paragraphs that mention
> > > > "Looking for Known System/Hardware/Application
> > > > Vulnerabilities" and "Analyzing Infrastructure Dependencies"
> > > > (router rules, firewall ACLs, primary DNS servers, etc.).
> > > >
> > > > 2.) I didn't want us to get too bogged down in "penetration
> > > > testing" as there are countless other sources on this that we
> > > > can reference.
> > > >
> > > > I am more than open to being swayed back the other way :-)
> > > >
> > > > Anyone else have an opinion?
> > > >
> > > > -dave
> > > >
> > > > > -----Original Message-----
> > > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > > [mailto:owasp-testing-admin at lists.sourceforge.net]On
> > > > > Behalf Of Glyn
> > > > > Sent: Monday, April 07, 2003 4:58 AM
> > > > > To: David Endler; owasp-testing at lists.sourceforge.net
> > > > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > > > >
> > > > >
> > > > > Hiya,
> > > > >
> > > > > I think that in Phase II, pp15, the Implementation Review and
> > > > > Testing phase needs to be chopped in two.
> > > > >
> > > > > 1/ Infrastructure testing (e.g. os/web server implementation,
> > > > > default scripts etc.)
> > > > > 2/ "Proper" Application testing (e.g. input validation,
> > > > > authentication & authorisation, bounds checking etc.)
> > > > >
> > > > > Reason being that in many organisations I've provided consultancy
> > > > > to, different teams and responsibilities exist relating to the two.
> > > > > In keeping with the pick and mix approach of the OWASP Testing Guide
> > > > > - to provide a 'best approach' but reflect the reality of test
> > > > > scope, I feel it's better to differentiate.
> > > > >
> > > > > E.g.
> > > > >
> > > > > * Application Infrastructure Review and Testing
> > > > > This section is focussed on the underlying hosts and software
> > > > > supporting the web application, and potential security flaws. This
> > > > > phase crosses over heavily with traditional penetration testing. It
> > > > > focuses on design problems and security vulnerabilities with the
> > > > > deployment of the hosts, operating systems, web and database servers
> > > > > on which the application relies. This phase will also identify
> > > > > insecure or unnecessary application components, such as vulnerable
> > > > > CGI scripts or inappropriate services or functionality.
> > > > >
> > > > > * Application Implementation Review and Testing
> > > > > The section is to assess the security of the web-application,
> > > > > typically from a user's perspective. During this Application
> > > > > Security Assessment the correct operation of the site will be
> > > > > analysed from a security perspective. Compliance with the
> > > > > web application operational and security design will be
> > > > > assessed in this stage, together with broader categories such as
> > > > > Authentication and Session Management, Parameter Manipulation
> > > > > and Input Validation.
> > > > >
> > > > > Cheers,
> > > > > G
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf
> > > > > > Of David Endler
> > > > > > Sent: 04 April 2003 22:05
> > > > > > To: 'owasp-testing at lists.sourceforge.net'
> > > > > > Subject: [OWASP-TESTING] Section 1 - done
> > > > > >
> > > > > >
> > > > > > Attached is Section 1, edited and incorporating many of your
> > > > > > suggestions. I feel the beginning section of "What is a web
> > > > > > application" still needs a little work, or needs to be deleted
> > > > > > altogether and referenced to the Guide instead. Once Ivan Arce,
> > > > > > our project advisor, blesses this draft, we will post it and move
> > > > > > on to the next section! Basing the quality of the doc on the
> > > > > > first section alone, I feel we are going to produce something very
> > > > > > powerful at the end of our efforts.
> > > > > > Thanks again to everyone contributing thus far.
> > > > > >
> > > > > > <<TestingSection1.zip>>
> > > > > > -dave
> > > > > >
> > > > > > David Endler, CISSP
> > > > > > Director, Technical Intelligence
> > > > > > iDEFENSE, Inc.
> > > > > > 1875 Campus Commons Drive
> > > > > > Suite 210
> > > > > > Reston, VA 20191
> > > > > > voice: 703.480.5632
> > > > > > fax: 703.390.9456
> > > > > >
> > > > > > dendler at idefense.com
> > > > > > www.idefense.com
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > > _______________________________________________
> > > owasp-testing mailing list
> > > owasp-testing at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> > >
> >
>