[OWASP-TESTING] Testing Sign Up

Mark Curphey mark.curphey at foundstone.com
Mon Feb 23 13:51:34 EST 2004

Superb. Comments inline.

-----Original Message-----
From: Calderon, Juan Carlos (GE Commercial Finance, NonGE) [mailto:juan.calderon at ge.com] 
Sent: Monday, February 23, 2004 11:27 AM
To: Mark Curphey; owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] Testing Sign Up

Hi all, Mark

I suppose it was because it was Friday night that I forgot to send my thoughts before going out of town, and I have had no access to my email. I'll send them anyway so people in the corresponding chapters can take them into account. I do agree with the outline (mostly).

1. I didn't see any "Security issue tracking" suggested/mentioned in the testing guide. Information gathered from security testing is precious and not only useful for fixing those issues. I think we can go a little further with this by suggesting that this information be used so companies can deploy training plans (or any appropriate action) for the most recurrent issues to create their own security culture. Information is power and has to be used!

Excellent point. All part of an enterprise program. Noted with thanks.

2. I suggest peer-to-peer reviews as another alternative technique; due to "programming immersion" we often omit security issues that others can see later.

Good point. 

I want to participate in chapters 3, 4, and 5 if it is not too late for that.

OK, then I am on 3, Carl Davis on 4, and Nish / Harinath on 5. Please contact them on list or off list to work out logistics.



-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mark Curphey
Sent: Saturday, 21 February 2004 01:07 a.m.
To: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] Testing Sign Up

OK, so it looks like we are all happy with the basic outline we have today for Part 1, so I am afraid to say it's time to sign up to complete a section before the end of next week, as we discussed. By the way, end of next week should mean 6pm Friday 27th Feb Pacific time, I think. I know it's RSA etc. but ....

Please please don't sign up to do anything if you are not going to pull out all the stops to meet the deadline, but please please please do sign up for something!

I suggest we have a few people working on each section, if we have more than 6 volunteers. Divide and conquer, baby!

This is what I think each chapter in Part 1 needs to achieve. And remember Part 1 is the What, Why, When, Where and Part 2 will be the How.

1. Introduction
This chapter should set the scene of web applications, OWASP and how people can use this guide

2. Reasons for Testing
This chapter should outline the end goal of building secure software and explain how testing should be performed against requirements or standards, best practices, etc., and what you can aim to achieve through testing.

3. Scope of Testing
This chapter should set the scene that testing web applications (or web software, as I am coming to call it myself) covers testing requirements, designs, processes and implementations, i.e. it isn't about scanning.

4. Principles
This chapter will be a set of high level principles such as "Test Early and Often". I think this would be good to debate over the list this week.

5. Testing Techniques
This chapter should provide an overview of the types of testing techniques that exist, including unit testing and code coverage / review, pen testing, threat modeling, requirements and design testing, etc. I think it should explain where each may be appropriate in an SDLC and the advantages and disadvantages of each.

6. Testing Framework Explained
This chapter should outline a proposed framework for testing that will incorporate the techniques described at various places in the SDLC. It will be more of a suggested way to create a testing process in an organization. 

I will sign up to do Chapter 1 on my own (as it's easy) and Chapter 5.

Anyone else have any specific interests ?

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax 


