[OWASP-TESTING] OWASP Testing Part 1 - Lets Go !

daniel at deeper.co.za daniel at deeper.co.za
Thu Feb 19 08:12:55 EST 2004


Finally we are gonna get a 1.0 release.
How many of us are there?


> OK guys
> I have taken the liberty of adding some people I trust and respect to this list and a that asked to join over the last month or so. You can lurk or chime in if you feel appropriate (after all I press-ganged you). You could also contribute (pretty please)!
> With next week's announcement of the Web Security Consortium at RSA, which seems to be up of scanning vendors, I think it has never been more important to get the OWASP Testing Guide 1.0 out into the public. At this point you can only imagine that any guides they produce will prescribe scanning, more scanning and a side of scanning. We all know from bitter experience (and testing using WebGoat) that those tools usually find about 20% of issues and are not a way to strategically deal with the web security issues.
> Testing security of applications must be about testing the development process and implementation, and not just pen testing, which is after the fact, "hit and miss" and costly. It has to focus on the big picture. I know that the majority of organizations in the US I speak to are trying to move away from the pen test mentality, having seen the futility, and I hope the OWASP Testing Guide can help lay out the foundation for an enterprise testing framework for everyone.
> So I am asking for you all to rally around and get Part 1 of testing completed and out within the next month, and then start working on Part 2.
> A while back we decided it was easier to split testing into 2 parts.
> Part 1 - The Why, What, Where and When
> Part 2 - The How
> The idea is that Part 1 sets the scene for the scope of testing, explains the pros and cons of each technique, how to build a testing framework in an organization and the types of testing that are appropriate.
> Part 2 then follows up with detailed advice on how to test for specific issues using techniques (i.e. not just pen testing, do X and you'll then see Y), including how to look for design issues and issues in code and implementation (black box).
> I will send on my current working Part 1 draft in a few minutes, which is rough at this stage. Here is what I am proposing as an aggressive timeline.
> Week 1 (rest of this week) - Agree the table of contents and document flow
> Week 2 - Assign chapters to people to write next week (yes next week)
> Week 3 - Review and format the content
> Week 4 - Final review and release
> We can then work on a schedule for Part 2
