Mark Curphey mark.curphey at foundstone.com
Sun Feb 22 19:30:53 EST 2004

BTW Nish, of course if you had some time to write about these techniques
as described, no one would complain ;-)


From: Nishchal Bhalla [mailto:nishchalbhalla at yahoo.ca] 
Sent: Saturday, February 21, 2004 10:45 AM
To: cdavis at fnni.com; Mark Curphey; owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] RE: [OWASP-TESTING] Testing Sign Up

I can propose to work on this, but Mark, can we go into a little more detail on how much and what all is to be covered? Are we going to do methodology for black box testing / white box testing etc. with examples?

Chapter 5 -

           Interviews and Manual Inspection.

           Code Review (white box testing)

           Penetration Testing (black box testing)

           Why Web Application Security Scanners Are (Normally) Not Good Enough.



Davis, Carl <cdavis at fnni.com> wrote:

	I would like to sign up to assist with and/or participate in the

		Chapter 2 | Regulatory Requirements
		(would also be willing to assist with other sections in this chapter)

		Chapter 4 | Ten Principles... (debate)
		(Plan to actively participate in this debate...development of list)

		Chapter 5 | Examples Of Security Vulnerabilities Where Scanners Will Fail
		(would also be willing to assist with other sections in this chapter)

	- Carl

	-----Original Message-----
	From: Mark Curphey [mailto:mark.curphey at foundstone.com]
	Sent: Sat 2/21/2004 1:06 AM
	To: owasp-testing at lists.sourceforge.net
	Subject: [OWASP-TESTING] Testing Sign Up

	OK so looks like we are all happy with the basic outline we have today for Part 1, so I am afraid to say it's time to sign up to complete a section before the end of next week as we discussed. By the way, end of next week should mean 6pm Friday 27th Feb Pacific time I think. I know it's RSA etc. but ....

	Please please don't sign up to do anything if you are going to not pull out all the stops to meet the deadline, but please please please do sign up for something!

	I suggest we have a few people working on each section, if we have more than 6 volunteers. Divide and conquer baby!

	This is what I think each chapter in Part 1 needs to achieve. And remember Part 1 is the What, Why, When, Where and Part 2 will be the

	1. Introduction
	This chapter should set the scene of web applications, OWASP and how people can use this guide

	2. Reasons for Testing
	This chapter should outline the end goal of building secure software and explain how testing should be performed against requirements or standards, best practices etc. and what you can aim to achieve through

	3. Scope of Testing
	This chapter should set the scene that testing web applications (or web software as I am coming to call it myself) covers testing requirements, designs, process and implementations i.e. isn't about

	4. Principles
	This chapter will be a set of high level principles such as "Test Early and Often". I think this would be good to debate over the list this

	5. Testing Techniques
	This chapter should provide an overview of the types of techniques that exist including unit testing and code coverage / review, pen testing, threat modeling requirements and design testing etc. I think it should explain where each may be appropriate in an SDLC and the advantages and disadvantages of each.

	6. Testing Framework Explained
	This chapter should outline a proposed framework for testing that will incorporate the techniques described at various places in the SDLC. It will be more of a suggested way to create a testing process in an

	I will sign up to do Chapter 1 on my own (as it's easy) and Chapter 5.

	Anyone else have any specific interests?

	Mark Curphey
	Consulting Director
	Foundstone, Inc.
	Strategic Security

	949.297.5600 x2070 Tel
	781.738.0857 Cell
	949.297.5575 Fax

	http://www.foundstone.com



