[OWASP-TESTING] Phase II, outline

Daniel Daniel at deeper.co.za
Wed Aug 4 03:19:18 EDT 2004


Exactly my thoughts!

I am working on getting out a revised outline by this weekend. Sorry for
the delay but the real world job has a load of deadlines i need to get
done (or ill have a load of free time on my hands *wink)



> Hi there,
>
> I like the idea of the new proposed outline, it looks easier to mantain
> and we can start writing some sections while we continue to discuss what
> parts we want on the appendixes.
>
> About J2EE or other languages, I would try to stay away from any
> particular language whilst doing the testing description for
> vulnerabilities that can be "implemented" in any language, even if we
> are tempted to give out an example it should be pseudocode, without
> limiting ourselves to a particular language.
>
> Having said that I would allow for language specific sections such as
> "Testing for vulnerabilities in applications written in XXX" and "...
> applications running on such and such platforms (e.g. J2EE, .NET...)"
>
> Can we decide on a basic outline so that we can start working on some
> contents? I have some spare time on August and would like to put some
> work into it.
>
> Cheers,
>
> Lluis
> .
>
> Mark Curphey wrote:
>> Dan,
>>
>> A couple of ideas that might be worth thinking about are;
>>
>> 1. Provide generic methodologies for code review, pen testing , manual
>> review etc as outlined in the Part 1 (Nish and Hari started this with
>> their
>> sections). These would basically outline "here is how to do a web app
>> pen
>> test- first profile site, then look for potential issues, then exploit
>> them
>> etc...obviously much more detailed and just a pseudo example). We
>> already
>> have a good start with this in Nish, Hari and other work that can be
>> re-purposed.
>> 2. Organize the actual implementation of these methodologies around the
>> SDLC
>> tasks we proposed in Part 1.  This ensures we cover how to test
>> requirements
>> and design and don't just produce a pen test methodology and low level
>> guide
>> for pen testing. I that that would be fine but we should call it out as
>> that
>> as an compliment to the pen test check list if that is what we really
>> want
>> to do ?
>> 3. Merging Part 1 into Part 2 to get one big testing guide. At that
>> point
>> Part 1 would no longer be stand-alone.
>>
>> One of the things we found in the OWASP Guide 2.0 re-write was it became
>> much easier to call out the language specific stuff such as J2EE and C#
>> into
>> an appendix.
>>
>> Maybe we could do that here, ie Appendix A - Finding Specific Vulns by
>> Code
>> Review, Appendix B - Finding Specific Vulns by Pen testing, Finding
>> Specifi
>> Vulns by Design Review
>>
>> The advantage of this is an appendix doesn't have to be complete and
>> judging
>> by the length of time it took to get to Part 1, it would be far easier
>> to
>> get the core of the doc (the methodologies themselves) completed and
>> then
>> update Apendixes frequently. By gut estimate is the size of Part 2 will
>> b 20
>> times the size of part 1, or 56 years ;-)
>>
>> The overall structure would look like
>>
>> Introduction
>> Principles of Testing
>> Testing Techniques Explained (overview)
>> OWASP Testing Framework
>> Methodologies
>> 	Manual Inspections
>> 	Penetration Testing
>> 	Code Review
>> 	Threat Modeling
>>
>> Appendix A - Finding Specific Issues using Manual Inspection
>> 	Design Reviews
>> 	Policy Reviews
>> 	Threat Modeling
>> 	Requirements Analysis
>>
>> Appendix B - Finding Specific Vulnerabilities using Penetration Testing
>> 	SQL Injection
>> 	XSS
>> 	Buffer Overflows
>> 	Weak Passwords
>> 	Session Management
>> Appendix C - Finding Specific Vulnerabilities using Source Code Review
>> 	SQL Injection
>> 	Weak Key Generation
>>
>> Apendix D - Testing Tools
>> Appendix X etc
>>
>> Some how this needs to be tied to using these techniques at the right
>> stages
>> of the SDLC so people stop pen testing before deployment. Maybe the
>> framework itself is OK for that.
>>
>> Thoughts ?
>>
>> -----Original Message-----
>> From: owasp-testing-admin at lists.sourceforge.net
>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>> Sent: Thursday, July 29, 2004 6:50 AM
>> To: owasp
>> Subject: [OWASP-TESTING] Phase II, outline
>>
>> Attached is the outline so far, can we all start looking at the
>> structure
>> and deciding the direction?
>>
>> I think we need to concentrate on making sure the various languages are
>> covered. I had a good chat with a friend over at another large
>> investment
>> bank and he wanted to know what we were doing with J2EE stuff, hence
>> this
>> has now been added.
>>
>> Once everyone is happy with what is in the outline, i'll draw up a
>> better
>> format and then we can start assigning sections for people to get on
>> with.
>>
>> There are a large amount of people on this list now and yet only a few
>> regulars still seem to offer comments. I will be removing the inactive
>> ones
>> in the next couple of weeks (hey it's only fair to contribute and not
>> use it
>> as a private guide before the rest of the world get it..)
>>
>>
>> Thanks to everyone who has contributed so far
>>
>> Daniel
>>
>>
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by BEA Weblogic Workshop
>> FREE Java Enterprise J2EE developer tools!
>> Get your free copy of BEA WebLogic Workshop 8.1 today.
>> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
>> _______________________________________________
>> owasp-testing mailing list
>> owasp-testing at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source Technology
> Group. Come see the changes on the new OSTG site. www.ostg.com
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>






More information about the Owasp-testing mailing list