[OWASP-TESTING] Testing Sign Up

Mark Curphey mark.curphey at foundstone.com
Sat Feb 21 02:06:51 EST 2004

OK so looks like we are all happy with the basic outline we have today
for Part 1, so I am afraid to say it's time to sign up to complete a
section before the end of next week as we discussed. By the way end of
next week should mean 6pm Friday 27th Feb Pacific time I think. I know
it's RSA etc but ....

Please please don't sign up to do anything if you are going to not pull
out all the stops to meet the deadline, but please please please do sign
up for something!

I suggest we have a few people working on each section, if we have more
than 6 volunteers. Divide and conquer baby!

This is what I think each chapter in Part 1 needs to achieve. And
remember Part 1 is the What, Why, When, Where and Part 2 will be the

1. Introduction
This chapter should set the scene of web applications, OWASP and how
people can use this guide

2. Reasons for Testing
This chapter should outline the end goal of building secure software and
explain how testing should be performed against requirements or
standards, best practices etc and what you can aim to achieve through

3. Scope of Testing
This chapter should set the scene that testing web applications (or web
software as I am coming to call it myself) covers testing requirements,
designs, process and implementations i.e. isn't about scanning.

4. Principles
This chapter will be a set of high level principles such as "Test Early
and Often". I think this would be good to debate over the list this

5. Testing Techniques
This chapter should provide an overview of the types of testing
techniques that exist including unit testing and code coverage / review,
pen testing, threat modeling requirements and design testing etc. I
think it should explain where each may be appropriate in an SDLC and the
advantages and disadvantages of each.

6. Testing Framework Explained
This chapter should outline a proposed framework for testing that will
incorporate the techniques described at various places in the SDLC. It
will be more of a suggested way to create a testing process in an

I will sign up to do Chapter 1 on my own (as it's easy) and Chapter 5.

Anyone else have any specific interests?

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax
