[OWASP-GUIDE] RE: [OWASP-TESTING] Adopt some sections from the Guide?

Andrew van der Stock vanderaj at greebo.net
Sat Feb 5 02:15:11 EST 2005


My thought is that a DoS section is not going to be dropped from it
entirely (as it's a key availability requirement), but the longer discussion
of it should survive.

The tests for DoS are relatively simple: are there any unauthenticated
requests which consume a lot of resources (CPU, memory, disk, network) for
minimal input?

The resolutions for DoS are also relatively simple, but in my experience,
it's very hard for the business to understand why their web designers
shouldn't put that 500 kb flash navigation aid up as it's just soooo cool...
until a DoS attack hits.

Thanks,
Andrew

> -----Original Message-----
> From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
> Sent: Saturday, 5 February 2005 7:05 AM
> To: Daniel; Andrew van der Stock
> Cc: 'Owasp-Testing'
> Subject: Re: [OWASP-TESTING] Adopt some sections from the Guide?
> 
> I'm curious about the rationale for dropping DOS from the Guide.  If you
> should test for susceptibility to DOS, shouldn't there be something in the
> Guide about protecting your app against them?  There are lots of different
> approaches to making sure an attacker can't run your webapp into the
> ground.
> I'm not sure what's in there now (I'll look), but I bet we could come up
> with an interesting Guide section.  Yes?
