[OWASP-TESTING] OWASP Testing Part 1 - Lets Go !

Glyn glyng at moiler.com
Thu Feb 19 08:57:42 EST 2004

Sounds good to me. 

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mark Curphey
Sent: 19 February 2004 23:13
To: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] OWASP Testing Part 1 - Lets Go !

OK guys

I have taken the liberty of adding some people I trust and respect to this
list and a few that asked to join over the last month or so.  You can lurk
or chime in if you feel appropriate (after all I press-ganged you). You
could also contribute (pretty please)!

With next week's announcement of the Web Security Consortium at RSA, which
seems to be made up of scanning vendors, I think it has never been more
important to get the OWASP Testing Guide 1.0 out into the public. At this
point you can only imagine that any guides they produce will prescribe
scanning, more scanning and a side of scanning. We all know from bitter
experience (and testing using WebGoat) that those tools usually find about
20% of issues and are not a way to strategically deal with the web security

Testing security of applications must be about testing the development
process and implementation, and not just pen testing, which is after the
fact, "hit and miss" and costly. It has to focus on the big picture. I know
that the majority of organizations in the US I speak to are trying to move
away from the pen test mentality having seen the futility, and I hope the
OWASP Testing Guide can help lay out the foundation for an enterprise testing
framework for everyone.

So I am asking for you to all rally around and get Part 1 of testing
completed and out within the next month and then start working on Part 2.

A while back we decided it was easier to split testing into 2 parts. 

Part 1 - The Why, What, Where and When
Part 2 - The How

The idea is that Part 1 sets the scene for the scope of testing, explains
the pros and cons of each technique, how to build a testing framework in an
organization and the types of testing that are appropriate. 

Part 2 then follows up with detailed advice on how to test for specific
issues using these techniques (i.e. not just pen testing, do X and you'll
then see Y) including how to look for design issues and issues in code and
implementation (black box).

I will send on my current working Part 1 draft in a few minutes, which is
rough at this stage. Here is what I am proposing as an aggressive timeline.

Week 1 (rest of this week) - Agree the table of contents and document flow
Week 2 - Assign chapters to people to write next week (yes next week)
Week 3 - Review and format the content
Week 4 - final review and release

We can then work on a schedule for Part 2.
