[OWASP-TESTING] Phase II, outline
llmora at sentryware.com
Tue Aug 3 21:03:04 EDT 2004
I like the idea of the new proposed outline, it looks easier to maintain
and we can start writing some sections while we continue to discuss what
parts we want on the appendixes.
About J2EE or other languages, I would try to stay away from any
particular language whilst doing the testing description for
vulnerabilities that can be "implemented" in any language, even if we
are tempted to give out an example it should be pseudocode, without
limiting ourselves to a particular language.
Having said that I would allow for language specific sections such as
"Testing for vulnerabilities in applications written in XXX" and "...
applications running on such and such platforms (e.g. J2EE, .NET...)"
Can we decide on a basic outline so that we can start working on some
contents? I have some spare time in August and would like to put some
work into it.
Mark Curphey wrote:
> A couple of ideas that might be worth thinking about are;
> 1. Provide generic methodologies for code review, pen testing, manual
> review etc. as outlined in the Part 1 (Nish and Hari started this with their
> sections). These would basically outline "here is how to do a web app pen
> test: first profile site, then look for potential issues, then exploit them
> etc." (obviously much more detailed and just a pseudo example). We already
> have a good start with this in Nish, Hari and other work that can be
> 2. Organize the actual implementation of these methodologies around the SDLC
> tasks we proposed in Part 1. This ensures we cover how to test requirements
> and design and don't just produce a pen test methodology and low level guide
> for pen testing. I think that would be fine but we should call it out as that,
> as a complement to the pen test checklist, if that is what we really want
> to do?
> 3. Merging Part 1 into Part 2 to get one big testing guide. At that point
> Part 1 would no longer be stand-alone.
> One of the things we found in the OWASP Guide 2.0 re-write was it became
> much easier to call out the language specific stuff such as J2EE and C# into
> an appendix.
> Maybe we could do that here, i.e. Appendix A - Finding Specific Vulns by Code
> Review, Appendix B - Finding Specific Vulns by Pen testing, Finding Specific
> Vulns by Design Review
> The advantage of this is an appendix doesn't have to be complete and judging
> by the length of time it took to get to Part 1, it would be far easier to
> get the core of the doc (the methodologies themselves) completed and then
> update Appendixes frequently. My gut estimate is the size of Part 2 will be 20
> times the size of part 1, or 56 years ;-)
> The overall structure would look like:
>
> Principles of Testing
> Testing Techniques Explained (overview)
> OWASP Testing Framework
>     Manual Inspections
>     Penetration Testing
>     Code Review
>     Threat Modeling
> Appendix A - Finding Specific Issues using Manual Inspection
>     Design Reviews
>     Policy Reviews
>     Threat Modeling
>     Requirements Analysis
> Appendix B - Finding Specific Vulnerabilities using Penetration Testing
>     SQL Injection
>     Buffer Overflows
>     Weak Passwords
>     Session Management
> Appendix C - Finding Specific Vulnerabilities using Source Code Review
>     SQL Injection
>     Weak Key Generation
> Appendix D - Testing Tools
> Appendix X etc.
> Somehow this needs to be tied to using these techniques at the right stages
> of the SDLC so people stop pen testing before deployment. Maybe the
> framework itself is OK for that.
> Thoughts ?
> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
> Sent: Thursday, July 29, 2004 6:50 AM
> To: owasp
> Subject: [OWASP-TESTING] Phase II, outline
> Attached is the outline so far, can we all start looking at the structure
> and deciding the direction?
> I think we need to concentrate on making sure the various languages are
> covered. I had a good chat with a friend over at another large investment
> bank and he wanted to know what we were doing with J2EE stuff, hence this
> has now been added.
> Once everyone is happy with what is in the outline, I'll draw up a better
> format and then we can start assigning sections for people to get on with.
> There are a large number of people on this list now and yet only a few
> regulars still seem to offer comments. I will be removing the inactive ones
> in the next couple of weeks (hey, it's only fair to contribute and not use it
> as a private guide before the rest of the world gets it..)
> Thanks to everyone who has contributed so far