[Owasp-board] [Owasp-testing] Defect report and questions on OWASP TESTING GUIDE V3.0

Tom Brennan tomb at owasp.org
Sun May 16 12:26:46 UTC 2010


Gentlemen, I wanted to say THANK YOU and relay that we appreciate your investment of labor to translate the OWASP Testing Guide to reach a wider audience!

Your efforts certainly enable OWASP to drive the mission forward:

"Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks"

Thank you.

Tom Brennan
Global Board Member
OWASP Foundation
Url: www.owasp.org
Tel: 973-506-9303



On May 16, 2010, at 6:24 AM, Matteo Meucci wrote:

> Hi Tetsuo,
> thanks for your questions.
> 
>>  1) item4 in section 4.5.1: What is each comma for, and what is each period
>>     for?  In Japanese, the decimal point is represented with a period.
>>     Commas in Japanese are usually used as separators of items or of
>>     groups of three digits in large integers.
> 
> Do you refer at the table at page 154?
> 1,2 or 1.2 means: 1 integer and 2 decimal
> 1,2E+3: is exponential notation = 1,2*10^3 = 1200
> May you give us an example please?
> 
>>  2) item9 in section 4.6.3: What do you want to state specifically with
>>     the vague usage of "another user" and "the user"?
> 
> The Guide says: "The tester should try to access such functions as
> another user in order to verify, for example, if it is possible to
> access a function that should not be permitted by the user's
> role/privilege (but might be permitted as another user)."
> We are describing the section "Testing for Privilege escalation". With
> "another user" we mean to test the application with a set of credentials
> of a user with different privileges. So we can verify what a different
> user with a different role/privileges could do with the application.
> 
>>  3) item13 in section 4.7: What does asking "the business" mean?
> 
> "If you are a third-party tester, then you're going to have to use
> your common sense and ask the business if different operations should
> be allowed by the application". Yes, we mean to ask the team or person
> responsible for the application: you need people who know exactly the
> design of the target application. The idea is to test whether it is
> possible to "use" the application in a different way from the original
> design.
> 
>>  4) item16 in section 4.7: What is "~8"?
> 
> ~8h means: approximately 8 hours (a range from 7h 55 min to 8h 5 min
> for example).
> 
>> How are you tracking defects in each document?
> We use the wiki as the up-to-date version, so when we create a new
> PDF version we can start from the wiki, which is more up to date than the PDF.
> If you find errors you can report them directly to me and I'll update the wiki.
> 
> Hope this helps,
> thanks!
> Mat
> 
> 
> 2010/5/16 Kuge, Tetsuo <tetsuo.kuge at hp.com>:
>> Hello,
>> Here is a list of defects and questions to the authors.
>> I am Tetsuo Kuge, a member of a team translating the OWASP
>> TESTING GUIDE V3.0 into Japanese.
>> My part is from section 4.5 to 4.8.2.
>> 
>> The attached excel file contains a list of query items
>> including defects and questions.
>> 
>> -  The Page number is based on OWASP_Testing_Guide_V3.pdf
>> 
>> -  The Category, Type and Sub Category are just my suggestion.
>>   I am hoping to find some practical criteria across the whole OWASP
>>   TESTING GUIDE V3.0, but I do not know the current status of the other
>>   sections for now.
>> 
>> -  There are three questions to be confirmed with the Authors.
>>   1) item4 in section 4.5.1: What is each comma for, and what is each period
>>      for?  In Japanese, the decimal point is represented with a period.
>>      Commas in Japanese are usually used as separators of items or of
>>      groups of three digits in large integers.
>>   2) item9 in section 4.6.3: What do you want to state specifically with
>>      the vague usage of "another user" and "the user"?
>>   3) item13 in section 4.7: What does asking "the business" mean?
>>   4) item16 in section 4.7: What is "~8"?
>> 
>> How are you tracking defects in each document?
>> The Typos page looks to be just for typos.  Semantic defects and logical defects seem out of scope for the page.
>> --
>> Regards,
>> Tetsuo.
>> 
>> Full name        Tetsuo Kuge       Hewlett-Packard Japan, Ltd.
>> E-mail  tetsuo.kuge at hp.com
>> 
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>> 
>> 
> 
> 
> 
> -- 
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> http://www.owasp.org/index.php/Italy
> OWASP Testing Guide lead
> http://www.owasp.org/index.php/Testing_Guide

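The "another user" test Matteo describes (exercise each function with a high-privilege account, then replay it with the credentials of a lower-privilege user and flag whatever still works) can be written down as a small differential-authorization harness. The code below is an added example, not part of the original thread or of the Testing Guide. The target application, its paths, its two roles and the deliberately missing role check in `delete_user` are all constructed for illustration; on a real engagement the same loop replays captured HTTP requests with the second user's session cookie instead of calling functions in-process.

```python
"""Differential authorization check: run every function the privileged
account can use, replay it as the lower-privilege account, and report
the ones that the design says should have been refused.

Everything below the imports is a constructed stand-in for a real
application (assumption for this example), including the flaw it finds.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # constructed roles: "admin" or "user"


class Forbidden(Exception):
    """Raised by the stand-in application when a role check fails."""


# --- constructed target application ----------------------------------------
def _require_role(session: Session, role: str) -> None:
    if session.role != role:
        raise Forbidden(f"{session.user} lacks role {role}")


def list_users(session: Session) -> list:
    _require_role(session, "admin")          # correct: role is checked
    return ["alice", "bob"]


def delete_user(session: Session, username: str = "bob") -> str:
    # Deliberate flaw for the example: only checks that a user is logged in,
    # never which role that user holds, so any authenticated user can call it.
    if not session.user:
        raise Forbidden("not authenticated")
    return f"deleted {username}"


def view_profile(session: Session) -> dict:
    return {"user": session.user}            # meant to be open to every role


# Functions a tester would enumerate while walking the application with
# the high-privilege account (path -> handler).
ADMIN_FUNCTIONS: Dict[str, Callable[..., object]] = {
    "/admin/users": list_users,
    "/admin/users/delete": delete_user,
    "/profile": view_profile,
}

# What the design (i.e. "the business") says the lower-privilege role may use.
DESIGN_ALLOWED_FOR_USER = {"/profile"}


# --- the harness ------------------------------------------------------------
def call(fn: Callable[..., object], session: Session) -> Optional[object]:
    """Invoke a function as the given user; None means it was refused."""
    try:
        return fn(session)
    except Forbidden:
        return None


def find_privilege_escalation(functions: Dict[str, Callable[..., object]],
                              high: Session, low: Session,
                              allowed_for_low) -> List[str]:
    """Paths the low-privilege user can use although the design forbids it."""
    findings: List[str] = []
    for path, fn in functions.items():
        if call(fn, high) is None:
            continue                          # not usable even as admin; skip
        if path in allowed_for_low:
            continue                          # both roles are meant to reach it
        if call(fn, low) is not None:
            findings.append(path)             # success as the wrong role
    return findings


if __name__ == "__main__":
    admin = Session("alice", "admin")
    user = Session("bob", "user")
    for path in find_privilege_escalation(ADMIN_FUNCTIONS, admin, user,
                                          DESIGN_ALLOWED_FOR_USER):
        print(f"[!] {path}: usable as {user.user} ({user.role}); "
              f"design restricts it to {admin.role}")
```

The allowed-list is the part a third-party tester cannot derive from the application alone, which is the point of the "ask the business" remark above: without it, every function the low-privilege user can reach looks equally suspicious.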