[OWASP-TESTING] OWASP Testing Version 0 1 (2).doc

Mark Curphey mark.curphey at foundstone.com
Thu Feb 19 09:41:12 EST 2004

Great news. Focused as am I. I think actually Part 1 is maybe at a higher,
more strategic level than that.

It's more about explaining why you need to think about testing throughout
the SDLC and not just at the end or when a site is built; it's about
explaining that by testing a design for security you can typically save
100 times the cost of fixing an error in production that could have been
corrected at the design stage. It's about exposing the advantages and
disadvantages of all testing techniques, i.e. why code review is hard to
do but effective, why black box testing is cheap (and widely used) but
often ineffective (well strategically, it's obviously often effective

And I think it's about presenting an enterprise testing framework that a
medium to large company can build into their SDLC to ensure the right
type of testing is done at the right times to deal with the problem

Of course this is not set in stone (this is your project as much as it
is mine) but these are my thoughts. 

Part 2 (which is likely to be a lot more text than Part 1) would be the
mechanics of testing for specific issues such as the great session ID
stuff you created.

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel 
781.738.0857 Cell
949.297.5575 Fax 


This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this message. Thank you. 
-----Original Message-----
From: Glyn [mailto:glyng at moiler.com] 
Sent: Thursday, February 19, 2004 9:16 AM
To: Mark Curphey; owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] OWASP Testing Version 0 1 (2).doc

I'm neck deep in application security assessments as we speak &
formalising our own methodologies on the fly, so am happy to participate
in either 5 or 6.

Am I correct in thinking that for part 1 we are talking about the broad
testing areas, motivations and strategies (e.g. input/output, session
management) rather than detailed testing strategies (like the session
stuff I sent over last month)?


-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mark
Sent: 19 February 2004 23:57
To: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] OWASP Testing Version 0 1 (2).doc

OK, this is a very early working draft. I was intending to spend a week
of evenings and get this finished in Feb but more eyes and more input the

I think rather than delve into edits, let's organize into a few small
working groups on each chapter. We can then do peer reviews etc and work

I think the Chapters are almost there; we have 6 (remember this is only

1. Introduction
2. Reasons for Testing
3. Scope of Testing
4. Principles
5. Testing Techniques
6. Testing Framework Explained

Is this a good flow? Should there be other stuff?

 <<OWASP Testing Version 0 1 (2).doc>> 
