Davis, Carl cdavis at fnni.com
Sat Feb 21 06:36:53 EST 2004

I would like to sign up to assist with and/or participate in the following:

Chapter 2 | Regulatory Requirements
(would also be willing to assist with other sections in this chapter) 
Chapter 4 | Ten Principles... (debate)
(Plan to actively participate in this debate...development of list)
Chapter 5 | Examples Of Security Vulnerabilities Where Scanners Will Fail
(would also be willing to assist with other sections in this chapter)

     - Carl

-----Original Message----- 
From: Mark Curphey [mailto:mark.curphey at foundstone.com] 
Sent: Sat 2/21/2004 1:06 AM 
To: owasp-testing at lists.sourceforge.net 
Subject: [OWASP-TESTING] Testing Sign Up

OK so looks like we are all happy with the basic outline we have today 
for Part 1, so I am afraid to say it's time to sign up to complete a 
section before the end of next week as we discussed. By the way end of 
next week should mean 6pm Friday 27th Feb Pacific time I think. I know 
it's RSA etc but .... 

Please please don't sign up to do anything if you are going to not pull 
out all the stops to meet the deadline, but please please please do sign 
up for something ! 

I suggest we have a few people working on each section, if we have more 
than 6 volunteers. Divide and conquer baby ! 

This is what I think each chapter in Part 1 needs to achieve. And 
remember Part 1 is the What, Why, When, Where and Part 2 will be the 

1. Introduction 
This chapter should set the scene of web applications, OWASP and how 
people can use this guide 

2. Reasons for Testing 
This chapter should outline the end goal of building secure software and 
explain how testing should be performed against requirements or 
standards, best practices etc and what you can aim to achieve through 

3. Scope of Testing 
This chapter should set the scene that testing web applications (or web 
software as I am coming to call it myself) covers testing requirements, 
designs, process and implementations i.e. isn't about scanning. 

4. Principles 
This chapter will be a set of high level principles such as "Test Early 
and Often". I think this would be good to debate over the list this 

5. Testing Techniques 
This chapter should provide an overview of the types of testing 
techniques that exist including unit testing and code coverage / review, 
pen testing, threat modeling requirements and design testing etc. I 
think it should explain where each may be appropriate in an SDLC and the 
advantages and disadvantages of each. 

6. Testing Framework Explained 
This chapter should outline a proposed framework for testing that will 
incorporate the techniques described at various places in the SDLC. It 
will be more of a suggested way to create a testing process in an 

I will sign up to do Chapter 1 on my own (as it's easy) and Chapter 5. 

Anyone else have any specific interests ? 

Mark Curphey 
Consulting Director 
Foundstone, Inc. 
Strategic Security 

949.297.5600 x2070 Tel 
781.738.0857 Cell 
949.297.5575 Fax 

http://www.foundstone.com

This email may contain confidential and privileged information for the 
sole use of the intended recipient. Any review or distribution by others 
is strictly prohibited. If you are not the intended recipient, please 
contact the sender and delete all copies of this message. Thank you. 

