[OWASP-TESTING] Draft 0.6
daniel at deeper.co.za
Wed May 5 11:33:01 EDT 2004
As I said, I'm looking at it from the bank's point of view here at the mo, so can help if needed.
I'll write something up between WebInspect/ScanDo and post it if anyone is interested (was thinking of using WebGoat as the target + some internal apps here).
> If Cerias won't do the benchmark I will build it myself in August /
> Sept. I have been thinking about it a lot and have a good idea on what
> it will look like. There is also a potential private sponsor for this.
>
> -----Original Message-----
> From: daniel at deeper.co.za [mailto:daniel at deeper.co.za]
> Sent: Wednesday, May 05, 2004 11:05 AM
> To: owasp-testing at lists.sourceforge.net
> Subject: RE: [OWASP-TESTING] Draft 0.6
>
> Thing is, we all know how bad they are, but the marketing droids are
> bloody good at the whole process of big'ing them up
>
> If we did include a detailed section, it would really help people cut
> through the FUD and get the real lowdown
>
>
>
> > Also on tools - I think SoftICE and the other reverse engineering tools,
> > such as jode, rate a mention.
> >
> > Does anyone have a session cryptography analyzer? I tend to just grab 10,000
> > session IDs and work with it in Excel, plotting graphs against time (good
> > for monotonically increasing session handlers) and working out if there's a
> > statistical correlation (such as a bunching or mean), but I always felt this
> > takes far too long.
> >
> > My personal opinion is a final opinion should wait until the benchmark
> > process is completed... Saying that, I use them only to find the low hanging
> > fruit, as they simply don't get most of the juicy stuff.
> >
> > Thanks,
> > Andrew
> >
> > -----Original Message-----
> > From: owasp-testing-admin at lists.sourceforge.net
> > [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of
> > daniel at deeper.co.za
> > Sent: Thursday, 6 May 2004 12:53 AM
> > To: owasp-testing at lists.sourceforge.net
> > Subject: RE: [OWASP-TESTING] Draft 0.6
> >
> > Looking good :0)
> >
> > A couple of Q's:
> >
> > Where does testing at owasp.org go to?
> > Credits, would it be easier to dump everyone's name somewhere as I can see
> > it getting messy when future editions come out (or am I being mad?)
> >
> > The source code review section is looking much healthier
> >
> > The web application scanners thing is a good addition, I've also started a
> > review process for the Bank I'm at with regards to how useful/crap they are.
> > Should we make this section more detailed or wait until the OWASP benchmark
> > process gets released?
> >
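
The session ID check described in the quoted message above (collect about 10,000 IDs, then look for monotonic increase and bunching), done as a script instead of in Excel. This is an added example, not code from the thread; it assumes fixed-length hex IDs listed in the order they were issued, and the function names and both sample sets are constructed for illustration.

```python
import math
import random
from collections import Counter

def position_entropy(ids):
    """Shannon entropy (bits) of the characters seen at each position."""
    out = []
    for column in zip(*ids):
        counts = Counter(column)
        n = len(column)
        out.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return out

def analyse(ids):
    """ids: equal-length hex session IDs, in the order they were issued."""
    values = [int(s, 16) for s in ids]
    deltas = [b - a for a, b in zip(values, values[1:])]
    increasing = sum(d > 0 for d in deltas) / len(deltas)
    # Bunching: share of consecutive gaps taken by the single most common gap.
    top_gap_share = Counter(deltas).most_common(1)[0][1] / len(deltas)
    entropy = position_entropy(ids)
    return {
        "monotonic_fraction": increasing,          # ~1.0 means a counter or clock
        "top_gap_share": top_gap_share,            # high means predictable steps
        "fixed_positions": sum(e == 0 for e in entropy),
        "total_entropy_bits": sum(entropy),        # upper bound, not a proof
    }

def sample_counter_ids(n=10_000, start=0x5F3A0000):
    """Constructed weak sample: a counter that steps by 1..3 per login."""
    rng = random.Random(1)
    value, ids = start, []
    for _ in range(n):
        value += rng.choice((1, 1, 1, 2, 3))
        ids.append(f"{value:016x}")
    return ids

def sample_random_ids(n=10_000):
    """Constructed strong sample: 64 random bits per ID (seeded for repeatability)."""
    rng = random.Random(2)
    return [f"{rng.getrandbits(64):016x}" for _ in range(n)]

if __name__ == "__main__":
    for name, ids in (("counter", sample_counter_ids()), ("random", sample_random_ids())):
        print(name, analyse(ids))
```

A low per-position entropy total or a monotonic fraction near 1.0 flags a weak generator; a high total only shows that the characters vary, so it does not by itself establish that the IDs are unpredictable.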