[OWASP-TESTING] Notes on Testing

Iván Arce iarce at core-sdi.com
Mon Dec 9 16:16:55 EST 2002


> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Mark
> Curphey
> Sent: Wednesday, December 04, 2002 4:22 AM
> To: owasp-testing at lists.sourceforge.net
> Subject: [OWASP-TESTING] Notes on Testing
> 
> 
> 26 / 66 - everyone should have dev, qa, pre-prod and prod. I would
> strongly argue that most testing is well before prod. Real data should
> never (NEVER) be used in testing. This section IMHO needs a big rewrite.
> This is all good and well for momandpops.php but....

I fail to understand the rationale for such strong statement, sometimes
it is not even possible to avoid tests with real data (as in an external
black-box pentest against the web app. in its production environment)

> 
> 27 - 66 - decompilers ? This is testing not hacking ;-) I think this
> section should explain how browser proxies work, how automated scanners
> are combos of automated http_user agents and fuzzers etc. It needs to
> outline source code analyzers. There are technical tools and checklist
> tools for the management reviews as well. 
> 

The compilers are infact useful, sometimes VERY usefull.
Your initial comments are very valid if you approach the web app. testing
problem from the perspective of a comprehensive security assessment across
the entire lifecycle of the application, but that is not the only approach 
and what is appropiate largely depends on the objective of the test
and the acceptable cost of performing it. 
In the case of the above comment, if the test is time constrained, with
no access to source code or to the dev. team and no documentation other
than the 'user's guide' and the webapp uses client-side components you
most likely will NEED decompilers and debuggers to do a decent assesment.

cheers,

-ivan

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A






More information about the Owasp-testing mailing list