[OWASP-TESTING] OWASP Testing Part 1 - Lets Go !

Davis, Carl cdavis at fnni.com
Thu Feb 19 17:14:00 EST 2004

Sounds great...I'm raring and ready to dig in!
 - Carl
-----Original Message-----
From: Mark Curphey [mailto:mark at curphey.com]
Sent: Thursday, February 19, 2004 7:13 AM
To: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] OWASP Testing Part 1 - Lets Go !
OK guys,

I have taken the liberty of adding some people I trust and respect to this
list and a few that asked to join over the last month or so. You can lurk
or chime in if you feel appropriate (after all, I press-ganged you). You
could also contribute (pretty please)!

With next week's announcement of the Web Security Consortium at RSA, which
seems to be made up of scanning vendors, I think it has never been more
important to get the OWASP Testing Guide 1.0 out into the public. At this
point you can only imagine that any guides they produce will prescribe
scanning, more scanning and a side of scanning. We all know from bitter
experience (and testing using WebGoat) that those tools usually find about
20% of issues and are not a way to strategically deal with the web security

Testing security of applications must be about testing the development
process and implementation, and not just pen testing, which is after the
fact, "hit and miss" and costly. It has to focus on the big picture. I know
that the majority of organizations in the US I speak to are trying to move
away from the pen test mentality, having seen the futility, and I hope the
OWASP Testing Guide can help lay out the foundation for an enterprise testing
framework for everyone.

So I am asking you all to rally around and get Part 1 of testing
completed and out within the next month, and then start working on Part 2.
A while back we decided it was easier to split testing into 2 parts.

Part 1 - The Why, What, Where and When
Part 2 - The How

The idea is that Part 1 sets the scene for the scope of testing, explains
the pros and cons of each technique, how to build a testing framework in an
organization and the types of testing that are appropriate.

Part 2 then follows up with detailed advice on how to test for specific
issues using these techniques (i.e. not just pen testing, do X and you'll
then see Y), including how to look for design issues and issues in code and
implementation (black box).

I will send on my current working Part 1 draft in a few minutes, which is
rough at this stage. Here is what I am proposing as an aggressive timeline.

Week 1 (rest of this week) - Agree the table of contents and document flow
Week 2 - Assign chapters to people to write next week (yes, next week)
Week 3 - Review and format the content
Week 4 - Final review and release

We can then work on a schedule for Part 2.