[OWASP-TESTING] OWASP Testing Part 1 - Lets Go !

Mark Curphey mark.curphey at foundstone.com
Thu Feb 19 08:57:13 EST 2004


About 20 in total.... 

Divide and conquer baby !


-----Original Message-----
From: daniel at deeper.co.za [mailto:daniel at deeper.co.za] 
Sent: Thursday, February 19, 2004 8:13 AM
To: owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] OWASP Testing Part 1 - Lets Go !

Brilliant!

Finally we are gonna get a 1.0 release.
How many of us are there?

Daniel

> OK guys
> 
> I have taken the liberty of adding some people I trust and respect to
> this list and a few that asked to join over the last month or so. You
> can lurk or chime in if you feel appropriate (after all I press-ganged
> you). You could also contribute (pretty please)!
> 
> With next week's announcement of the Web Security Consortium at RSA,
> which seems to be made up of scanning vendors, I think it has never
> been more important to get the OWASP Testing Guide 1.0 out into the
> public. At this point you can only imagine that any guides they
> produce will prescribe scanning, more scanning and a side of scanning.
> We all know from bitter experience (and testing using WebGoat) that
> those tools usually find about 20% of issues and are not a way to
> strategically deal with the web security issues.
> 
> Testing security of applications must be about testing the development
> process and implementation, and not just pen testing, which is after
> the fact, "hit and miss" and costly. It has to focus on the big
> picture. I know that the majority of organizations in the US I speak
> to are trying to move away from the pen test mentality, having seen
> the futility, and I hope the OWASP Testing Guide can help lay out the
> foundation for an enterprise testing framework for everyone.
> 
> So I am asking you all to rally around and get Part 1 of testing
> completed and out within the next month, and then start working on
> Part 2.
> 
> A while back we decided it was easier to split testing into 2 parts.
> 
> Part 1 - The Why, What, Where and When
> Part 2 - The How
> 
> The idea is that Part 1 sets the scene for the scope of testing,
> explains the pros and cons of each technique, how to build a testing
> framework in an organization and the types of testing that are
> appropriate.
> 
> Part 2 then follows up with detailed advice on how to test for
> specific issues using these techniques (i.e. not just pen testing: do
> X and you'll then see Y), including how to look for design issues and
> issues in code and implementation (black box).
> 
> I will send on my current working Part 1 draft in a few minutes, which
> is rough at this stage. Here is what I am proposing as an aggressive
> timeline.
> 
> Week 1 (rest of this week) - Agree the table of contents and document flow
> Week 2 - Assign chapters to people to write next week (yes next week)
> Week 3 - Review and format the content
> Week 4 - Final review and release
> 
> We can then work on a schedule for Part 2
> 
> 
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with a free DVD 
> software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
