[OWASP-TESTING] RE: [OWASP-TESTING] Testing Sign Up

Glyn glyng at moiler.com
Sun Feb 22 19:08:41 EST 2004


I agree, although it will potentially make Part 1 a bit 'light'.  

Perhaps as part of the 'reasons for testing' we can mention the OWASP Top
Ten and introduce a bit of SPIN to the process - this is what'll happen if
you *don't* develop securely.  These can then again be mentioned in 'testing
techniques' to illustrate where they would have been picked up.  E.g. 'input
validation strategies would be assessed during the design review, prototype
testing, code review and deployment black-box testing'.

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> Of Mark Curphey
> Sent: 22 February 2004 22:22
> To: Nishchal Bhalla; cdavis at fnni.com; 
> mark.curphey at foundstone.com; owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] RE: [OWASP-TESTING] Testing Sign Up
> 
> Hi Nish
> 
> Good catch. Actually it's really down to us. What does the 
> group think?
> 
> My personal thoughts were that we keep this Part 1 of the 
> testing guide at a relatively high level i.e. describe the 
> types of testing but necessarily a methodology for executing 
> each technique. Part of the rationale was that I think what 
> we are going to end up with in the testing framework (last 
> Chapter of Part 1) which is a description of a high level 
> process that can be used to build a testing framework in a 
> development organization. It is likely to recommend using all 
> the techniques at various stages where most appropriate i.e. 
> initial manual inspection of design and documentation 
> artifacts through to code review of design implementation 
> and eventually both manual inspection and black box testing 
> of deployment. 
> 
> I can see value in describing how to undertake a black box / 
> white box test here or in part 2 to be honest. That said if 
> we stick to the mantra that part 1 of the guide is the 
> What, When, Where, Why and Part 2 is the How, then I guess a 
> more natural flow for the reader may be to open Part 2 with 
> that content. 
> 
> What do you think?
> 
> ---- Nishchal Bhalla <nishchalbhalla at yahoo.ca> wrote:
> > I can propose to work on this, but Mark, can we go into a 
> > little more detail on how much and what all is to be covered? 
> > Are we going to do methodology for black box testing / white 
> > box testing etc. with examples?
> > 
> > Chapter 5 -
> > 
> >     Interviews and Manual Inspection. 
> > 
> >     Code Review (white box testing) 
> >     Penetration Testing (black box testing)
> > 
> >     Why Web Application Security Scanners Are (Normally) Not Good Enough.
> > 
> > Nish.
> > 
> > 
> > Davis, Carl <cdavis at fnni.com> wrote:
> > I would like to sign up to assist with and/or participate 
> > in the following:
> > 
> > Chapter 2 | Regulatory Requirements
> > (would also be willing to assist with other sections in 
> > this chapter)
> > 
> > Chapter 4 | Ten Principles... (debate) (Plan to actively 
> > participate in this debate...development of list)
> > 
> > Chapter 5 | Examples Of Security Vulnerabilities Where 
> > Scanners Will Fail (would also be willing to assist with 
> > other sections in this chapter)
> > 
> >      - Carl
> > -----Original Message-----
> > From: Mark Curphey [mailto:mark.curphey at foundstone.com]
> > Sent: Sat 2/21/2004 1:06 AM
> > To: owasp-testing at lists.sourceforge.net
> > Cc: 
> > Subject: [OWASP-TESTING] Testing Sign Up
> > 
> > 
> > 
> > OK so looks like we are all happy with the basic outline we 
> > have today for Part 1, so I am afraid to say it's time to sign up 
> > to complete a section before the end of next week as we discussed. 
> > By the way, end of next week should mean 6pm Friday 27th Feb 
> > Pacific time I think. I know it's RSA etc but ....
> > 
> > Please please don't sign up to do anything if you are going to not 
> > pull out all the stops to meet the deadline, but please 
> > please please do sign up for something!
> > 
> > I suggest we have a few people working on each section, if we have 
> > more than 6 volunteers. Divide and conquer baby!
> > 
> > This is what I think each chapter in Part 1 needs to achieve. And 
> > remember Part 1 is the What, Why, When, Where and Part 2 
> > will be the How.
> > 
> > 1. Introduction
> > This chapter should set the scene of web applications, 
> > OWASP and how people can use this guide.
> > 
> > 2. Reasons for Testing
> > This chapter should outline the end goal of building secure 
> > software and explain how testing should be performed against 
> > requirements or standards, best practices etc. and what you can 
> > aim to achieve through testing.
> > 
> > 3. Scope of Testing
> > This chapter should set the scene that testing web applications (or 
> > web software as I am coming to call it myself) covers testing 
> > requirements, designs, process and implementations i.e. 
> > isn't about scanning.
> > 
> > 4. Principles
> > This chapter will be a set of high level principles such as "Test 
> > Early and Often". I think this would be good to debate over 
> > the list this week.
> > 
> > 5. Testing Techniques
> > This chapter should provide an overview of the types of testing 
> > techniques that exist including unit testing and code coverage / 
> > review, pen testing, threat modeling requirements and 
> > design testing etc. I think it should explain where each may be 
> > appropriate in an SDLC and the advantages and disadvantages of each.
> > 
> > 6. Testing Framework Explained
> > This chapter should outline a proposed framework for 
> > testing that will incorporate the techniques described at 
> > various places in the SDLC. It will be more of a suggested 
> > way to create a testing process in an organization.
> > 
> > I will sign up to do Chapter 1 on my own (as it's easy) and 
> > Chapter 5. 
> > 
> > Anyone else have any specific interests?
> > 
> > 
> > 
> > 
> > 
> > 
> > Mark Curphey
> > Consulting Director
> > Foundstone, Inc. 
> > Strategic Security
> > 
> > 949.297.5600 x2070 Tel
> > 781.738.0857 Cell
> > 949.297.5575 Fax
> > 
> > http://www.foundstone.com
> > 
> > _______________________________________________
> > owasp-testing mailing list
> > owasp-testing at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-testing
> 
> 
