[OWASP-TESTING] Section 1 - done

Glyn glyng at moiler.com
Tue Apr 22 10:45:16 EDT 2003


Cool.  I'll keep my eyes open then.

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> Of David Endler
> Sent: 22 April 2003 15:35
> To: 'owasp at moiler.com'; 'owasp-testing at lists.sourceforge.net'
> Cc: 'Dan Cuthbert'
> Subject: RE: [OWASP-TESTING] Section 1 - done
> 
> 
> Hi there,
> 
> Unfortunately, the OWASP portal guys are running a little 
> behind schedule. Instead of posting our first section of the 
> doc to the old site, we wanted to show it on the new fresh 
> portal.  I'll send out the next section for edits this week.
> 
> -dave
> 
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net
> > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of 
> > owasp at moiler.com
> > Sent: Tuesday, April 22, 2003 6:39 AM
> > To: David Endler; owasp-testing at lists.sourceforge.net
> > Cc: 'Dan Cuthbert'
> > Subject: RE: [OWASP-TESTING] Section 1 - done
> > 
> > 
> > It's all gone quiet - what are the release plans and next 
> > steps for the Testing Guide?
> > 
> > Glyn.
> > 
> > > -----Original Message-----
> > > From: owasp-testing-admin at lists.sourceforge.net
> > > [mailto:owasp-testing-admin at lists.sourceforge.net] On 
> > > Behalf Of Glyn
> > > Sent: 07 April 2003 13:06
> > > To: 'David Endler'; owasp-testing at lists.sourceforge.net
> > > Cc: 'Dan Cuthbert'
> > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > > 
> > > 
> > > Hiya,
> > > 
> > > I totally agree that we need to keep traditional pen-testing
> > > out of the app testing guide.  It should perhaps be mentioned 
> > > that application testing is not intended to replace 
> > > vulnerability identification within the OS's, web-servers, 
> > > app-server platforms etc., but to complement it.
> > > 
> > > I feel the confusion comes in where you draw the line between
> > > the two. The crossover we frequently see is in the area of 
> > > deployment of the shrink-wrapped parts (up to and including 
> > > web-server components) as they relate to the app.  E.g. 
> > > web-server configuration and hardening, middleware 
> > > configuration, database security....
> > > 
> > > Some clients feel that checking for *known* vulnerable CGI's,
> > > for example, is appropriate in an application test, even 
> > > though this is more a deployment issue.  Others want the 
> > > testing focussed on the bespoke application logic regardless 
> > > of the platform.  It's not to say that the underlying checks 
> > > won't be performed, just that they may not be relevant in the 
> > > context of the specific phase of testing.
> > > 
> > > My feeling is that by separating the two it is clearer to
> > > readers of the document that, whilst deployment of the 
> > > application support components is important, it is separate 
> > > from testing of the bespoke web-app and can be tested 
> > > separately.  We tend to look at the profile of the teams 
> > > we're going to be dealing with to help define the scope.  If 
> > > it's the coders and app developers, chances are the focus 
> > > should be on input validation, session management, 
> > > authentication etc.  If it's the guys that build the servers, 
> > > the focus is probably on making sure the servers are patched 
> > > appropriately, and unnecessary features removed/disabled.  
> > > Sometimes it's both.
> > > 
> > > We could even qualify the infrastructure phase accordingly -
> > > e.g. add a line that says "This is arguably infrastructure 
> > > pen-testing and therefore may be out of scope of this 
> > > document.  It is included, however, as it is a vital stage in 
> > > assuring the application environment is secure"
> > > 
> > > Debaters - prepare to debate ;)
> > > 
> > > > -----Original Message-----
> > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf
> > > > Of David Endler
> > > > Sent: 07 April 2003 12:46
> > > > To: 'Glyn'; 'owasp-testing at lists.sourceforge.net'
> > > > Cc: 'Dan Cuthbert'
> > > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > > > 
> > > > 
> > > > Hi Glyn and Dan,
> > > > 
> > > > I actually went back and forth on this issue and decided on the 
> > > > larger subset of "Implementation Testing" for a couple
> > > > of reasons:
> > > > 
> > > > 1.)  I think as you define "Infrastructure Testing", it is very 
> > > > easily handled in a few paragraphs that mention "Looking for 
> > > > Known System/Hardware/Application Vulnerabilities" and 
> > > > "Analyzing Infrastructure Dependencies" (router rules, firewall 
> > > > ACLs, primary DNS servers, etc.).
> > > > 
> > > > 2.) I didn't want us to get too bogged down in "penetration 
> > > > testing" as there are countless other sources on this 
> > > > that we can reference.
> > > > 
> > > > I am more than open to being swayed back the other way :-)
> > > > 
> > > > Anyone else have an opinion?
> > > > 
> > > > -dave
> > > > 
> > > > > -----Original Message-----
> > > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > > [mailto:owasp-testing-admin at lists.sourceforge.net] On
> > > > > Behalf Of Glyn
> > > > > Sent: Monday, April 07, 2003 4:58 AM
> > > > > To: David Endler; owasp-testing at lists.sourceforge.net
> > > > > Subject: RE: [OWASP-TESTING] Section 1 - done
> > > > > 
> > > > > 
> > > > > Hiya,
> > > > > 
> > > > > I think that in Phase II, pp15, the Implementation Review and
> > > > > Testing phase needs to be chopped in two.
> > > > > 
> > > > > 1/  Infrastructure testing (e.g. os/web server implementation,
> > > > > default scripts etc.)
> > > > > 2/  "Proper" Application testing (e.g. input
> > > > > validation, authentication & authorisation, bounds
> > > > > checking etc.)
> > > > > 
> > > > > Reason being that in many organisations I've provided
> > > > > consultancy to, different teams and responsibilities exist relating
> > > > > to the two.
> > > > > In keeping with the pick and mix approach of the OWASP
> > > > > Testing Guide - to provide a 'best approach' but reflect the reality of test
> > > > > scope, I feel it's better to differentiate.
> > > > > 
> > > > > E.g.
> > > > > 
> > > > > * Application Infrastructure Review and Testing
> > > > > This section is focussed on the underlying hosts and software
> > > > > supporting the web application, and potential security 
> > > > > flaws.  This phase crosses over heavily with traditional penetration
> > > > > testing.  It focuses on design problems and security vulnerabilities
> > > > > with the deployment of the hosts, operating systems, web and
> > > > > database servers on which the application relies.  This phase will 
> > > > > also identify insecure or unnecessary application components, such as 
> > > > > vulnerable CGI scripts or inappropriate services or functionality.
> > > > > 
> > > > > * Application Implementation Review and Testing
> > > > > The section is to assess the security of the web-application, 
> > > > > typically from a user's perspective.  During this Application 
> > > > > Security Assessment the correct operation of the site will be 
> > > > > analysed from a security perspective.  Compliance with the web 
> > > > > application operational and security design will be assessed 
> > > > > in this stage, together with broader categories such as Authentication and 
> > > > > Session Management, Parameter Manipulation and Input Validation.
> > > > > 
> > > > > Cheers,
> > > > > G
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: owasp-testing-admin at lists.sourceforge.net
> > > > > > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> > > > > > Of David Endler
> > > > > > Sent: 04 April 2003 22:05
> > > > > > To: 'owasp-testing at lists.sourceforge.net'
> > > > > > Subject: [OWASP-TESTING] Section 1 - done
> > > > > > 
> > > > > > 
> > > > > > Attached is Section 1, edited and incorporating many of your
> > > > > > suggestions.  I feel the beginning section of "What is a web 
> > > > > > application" still needs a little work, or needs to be deleted
> > > > > > altogether and referenced to the Guide instead.  Once Ivan Arce,
> > > > > > our project advisor, blesses this draft, we will post it and move
> > > > > > on to the next section!  Basing the quality of the doc on the
> > > > > > first section alone, I feel we are going to produce something very
> > > > > > powerful at the end of our efforts.
> > > > > > Thanks again to everyone contributing thus far.
> > > > > > 
> > > > > >  <<TestingSection1.zip>>
> > > > > > -dave
> > > > > > 
> > > > > > David Endler, CISSP
> > > > > > Director, Technical Intelligence
> > > > > > iDEFENSE, Inc.
> > > > > > 1875 Campus Commons Drive
> > > > > > Suite 210
> > > > > > Reston, VA 20191
> > > > > > voice: 703.480.5632
> > > > > > fax: 703.390.9456
> > > > > > 
> > > > > > dendler at idefense.com
> > > > > > www.idefense.com
> > > > > > 
> > > > > > 
> > > > > 
> > > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > owasp-testing mailing list owasp-testing at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> > > 
> > 
> > 
> > 
> 
> 
