[OWASP-TESTING] Phase II, outline
Daniel at deeper.co.za
Wed Aug 4 03:19:18 EDT 2004
Exactly my thoughts!
I am working on getting out a revised outline by this weekend. Sorry for
the delay but the real world job has a load of deadlines I need to get
done (or I'll have a load of free time on my hands *wink*)
> Hi there,
> I like the idea of the new proposed outline, it looks easier to maintain
> and we can start writing some sections while we continue to discuss what
> parts we want on the appendixes.
> About J2EE or other languages, I would try to stay away from any
> particular language whilst doing the testing description for
> vulnerabilities that can be "implemented" in any language, even if we
> are tempted to give out an example it should be pseudocode, without
> limiting ourselves to a particular language.
> Having said that I would allow for language specific sections such as
> "Testing for vulnerabilities in applications written in XXX" and "...
> applications running on such and such platforms (e.g. J2EE, .NET...)"
> Can we decide on a basic outline so that we can start working on some
> contents? I have some spare time in August and would like to put some
> work into it.
> Mark Curphey wrote:
>> A couple of ideas that might be worth thinking about are;
>> 1. Provide generic methodologies for code review, pen testing, manual
>> review etc as outlined in the Part 1 (Nish and Hari started this with
>> sections). These would basically outline "here is how to do a web app
>> test- first profile site, then look for potential issues, then exploit
>> etc...obviously much more detailed and just a pseudo example). We
>> have a good start with this in Nish, Hari and other work that can be
>> 2. Organize the actual implementation of these methodologies around the
>> tasks we proposed in Part 1. This ensures we cover how to test
>> and design and don't just produce a pen test methodology and low level
>> for pen testing. I think that would be fine but we should call it out as
>> as a complement to the pen test check list if that is what we really
>> to do ?
>> 3. Merging Part 1 into Part 2 to get one big testing guide. At that
>> Part 1 would no longer be stand-alone.
>> One of the things we found in the OWASP Guide 2.0 re-write was it became
>> much easier to call out the language specific stuff such as J2EE and C#
>> an appendix.
>> Maybe we could do that here, i.e. Appendix A - Finding Specific Vulns by
>> Review, Appendix B - Finding Specific Vulns by Pen testing, Finding
>> Vulns by Design Review
>> The advantage of this is an appendix doesn't have to be complete and
>> by the length of time it took to get to Part 1, it would be far easier
>> get the core of the doc (the methodologies themselves) completed and
>> update Appendixes frequently. My gut estimate is the size of Part 2 will
>> be 20 times the size of part 1, or 56 years ;-)
>> The overall structure would look like
>> Principles of Testing
>> Testing Techniques Explained (overview)
>> OWASP Testing Framework
>> Manual Inspections
>> Penetration Testing
>> Code Review
>> Threat Modeling
>> Appendix A - Finding Specific Issues using Manual Inspection
>> Design Reviews
>> Policy Reviews
>> Threat Modeling
>> Requirements Analysis
>> Appendix B - Finding Specific Vulnerabilities using Penetration Testing
>> SQL Injection
>> Buffer Overflows
>> Weak Passwords
>> Session Management
>> Appendix C - Finding Specific Vulnerabilities using Source Code Review
>> SQL Injection
>> Weak Key Generation
>> Appendix D - Testing Tools
>> Appendix X etc
>> Somehow this needs to be tied to using these techniques at the right
>> of the SDLC so people stop pen testing before deployment. Maybe the
>> framework itself is OK for that.
>> Thoughts ?
>> -----Original Message-----
>> From: owasp-testing-admin at lists.sourceforge.net
>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>> Sent: Thursday, July 29, 2004 6:50 AM
>> To: owasp
>> Subject: [OWASP-TESTING] Phase II, outline
>> Attached is the outline so far, can we all start looking at the
>> and deciding the direction?
>> I think we need to concentrate on making sure the various languages are
>> covered. I had a good chat with a friend over at another large
>> bank and he wanted to know what we were doing with J2EE stuff, hence
>> has now been added.
>> Once everyone is happy with what is in the outline, I'll draw up a
>> format and then we can start assigning sections for people to get on
>> There are a large amount of people on this list now and yet only a few
>> regulars still seem to offer comments. I will be removing the inactive
>> in the next couple of weeks (hey it's only fair to contribute and not
>> use it
>> as a private guide before the rest of the world get it..)
>> Thanks to everyone who has contributed so far