[OWASP-TESTING] Phase II, outline

Syed Mohamed A syedma at microland.net
Mon Aug 16 18:11:02 EDT 2004


Keeping reporting in phase III sounds good. :-)
Regards
Syed

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Daniel
Sent: Wednesday, August 04, 2004 12:53 AM
To: owasp 
Subject: RE: [OWASP-TESTING] Phase II, outline


You know, this is a section I'm still unsure about.
Originally we had reporting in Phase III (or maybe I'm wrong..) and I still
think that in Phase III there needs to be a section on determining the
risk rating with vulns found and also how to do the report.

Phase II is more of the technical "howto", but I'm open to comments if
anyone thinks we need reporting in here.

> Isn't reporting missing in the outline???
> Regards
> Syed Mohamed A
>
> -----Original Message-----
> From: Daniel [mailto:Daniel at deeper.co.za]
> Sent: Wednesday, August 04, 2004 12:19 AM
> To: owasp
> Subject: Re: [OWASP-TESTING] Phase II, outline
>
> Exactly my thoughts!
>
> I am working on getting out a revised outline by this weekend. Sorry for
> the delay but the real world job has a load of deadlines I need to get
> done (or I'll have a load of free time on my hands *wink)
>
>> Hi there,
>>
>> I like the idea of the new proposed outline, it looks easier to maintain
>> and we can start writing some sections while we continue to discuss what
>> parts we want on the appendixes.
>>
>> About J2EE or other languages, I would try to stay away from any
>> particular language whilst doing the testing description for
>> vulnerabilities that can be "implemented" in any language, even if we
>> are tempted to give out an example it should be pseudocode, without
>> limiting ourselves to a particular language.
>>
>> Having said that I would allow for language specific sections such as
>> "Testing for vulnerabilities in applications written in XXX" and "...
>> applications running on such and such platforms (e.g. J2EE, .NET...)"
>>
>> Can we decide on a basic outline so that we can start working on some
>> contents? I have some spare time in August and would like to put some
>> work into it.
>>
>> Cheers,
>>
>> Lluis
>>
>> Mark Curphey wrote:
>>> Dan,
>>>
>>> A couple of ideas that might be worth thinking about are:
>>>
>>> 1. Provide generic methodologies for code review, pen testing, manual
>>> review etc. as outlined in Part 1 (Nish and Hari started this with their
>>> sections). These would basically outline "here is how to do a web app pen
>>> test: first profile the site, then look for potential issues, then exploit
>>> them etc." (obviously much more detailed, and just a pseudo example). We
>>> already have a good start with this in Nish, Hari and other work that can
>>> be re-purposed.
>>> 2. Organize the actual implementation of these methodologies around the
>>> SDLC tasks we proposed in Part 1. This ensures we cover how to test
>>> requirements and design and don't just produce a pen test methodology and
>>> low level guide for pen testing. I think that would be fine, but we should
>>> call it out as that, as a complement to the pen test check list, if that
>>> is what we really want to do?
>>> 3. Merging Part 1 into Part 2 to get one big testing guide. At that point
>>> Part 1 would no longer be stand-alone.
>>>
>>> One of the things we found in the OWASP Guide 2.0 re-write was it became
>>> much easier to call out the language specific stuff such as J2EE and C#
>>> into an appendix.
>>>
>>> Maybe we could do that here, i.e. Appendix A - Finding Specific Vulns by
>>> Code Review, Appendix B - Finding Specific Vulns by Pen testing, Finding
>>> Specific Vulns by Design Review.
>>>
>>> The advantage of this is an appendix doesn't have to be complete and,
>>> judging by the length of time it took to get to Part 1, it would be far
>>> easier to get the core of the doc (the methodologies themselves) completed
>>> and then update appendixes frequently. My gut estimate is the size of
>>> Part 2 will be 20 times the size of Part 1, or 56 years ;-)
>>>
>>> The overall structure would look like
>>>
>>> Introduction
>>> Principles of Testing
>>> Testing Techniques Explained (overview)
>>> OWASP Testing Framework
>>> Methodologies
>>> 	Manual Inspections
>>> 	Penetration Testing
>>> 	Code Review
>>> 	Threat Modeling
>>>
>>> Appendix A - Finding Specific Issues using Manual Inspection
>>> 	Design Reviews
>>> 	Policy Reviews
>>> 	Threat Modeling
>>> 	Requirements Analysis
>>>
>>> Appendix B - Finding Specific Vulnerabilities using Penetration Testing
>>> 	SQL Injection
>>> 	XSS
>>> 	Buffer Overflows
>>> 	Weak Passwords
>>> 	Session Management
>>> Appendix C - Finding Specific Vulnerabilities using Source Code Review
>>> 	SQL Injection
>>> 	Weak Key Generation
>>>
>>> Appendix D - Testing Tools
>>> Appendix X etc
>>>
>>> Somehow this needs to be tied to using these techniques at the right
>>> stages of the SDLC so people stop pen testing before deployment. Maybe the
>>> framework itself is OK for that.
>>>
>>> Thoughts ?
>>>
>>> -----Original Message-----
>>> From: owasp-testing-admin at lists.sourceforge.net
>>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>>> Sent: Thursday, July 29, 2004 6:50 AM
>>> To: owasp
>>> Subject: [OWASP-TESTING] Phase II, outline
>>>
>>> Attached is the outline so far, can we all start looking at the structure
>>> and deciding the direction?
>>>
>>> I think we need to concentrate on making sure the various languages are
>>> covered. I had a good chat with a friend over at another large investment
>>> bank and he wanted to know what we were doing with J2EE stuff, hence this
>>> has now been added.
>>>
>>> Once everyone is happy with what is in the outline, I'll draw up a better
>>> format and then we can start assigning sections for people to get on with.
>>>
>>> There are a large number of people on this list now and yet only a few
>>> regulars still seem to offer comments. I will be removing the inactive
>>> ones in the next couple of weeks (hey it's only fair to contribute and not
>>> use it as a private guide before the rest of the world gets it..)
>>>
>>>
>>> Thanks to everyone who has contributed so far
>>>
>>> Daniel
>>>
>>>
>>>
>>> -------------------------------------------------------
>>> This SF.Net email is sponsored by BEA Weblogic Workshop
>>> FREE Java Enterprise J2EE developer tools!
>>> Get your free copy of BEA WebLogic Workshop 8.1 today.
>>> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
>>> _______________________________________________
>>> owasp-testing mailing list
>>> owasp-testing at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>>>