[OWASP-TESTING] Testing Sign Up

Calderon, Juan Carlos (GE Commercial Finance, NonGE) juan.calderon at ge.com
Mon Feb 23 11:27:19 EST 2004

Hi all, Mark

I suppose it was because it was Friday night that I forgot to send my
thoughts before going out of town, and I have no access to my email. I'll
send them anyway so people in the corresponding chapters can take them
into account. I do agree with the outline (mostly).

1. I didn't see any "Security issue tracking" suggested/mentioned in the
testing guide. Information gotten from security testing is precious
and not only useful to fix those issues. I think we can go a little
further with this by suggesting to use that information so companies can
deploy training plans (or any appropriate action) on the most recurrent
issues to create their own security culture. Information is power and has
to be used!

2. I suggest peer-to-peer reviews as another alternative technique; due to
"programming immersion" we often omit security issues others can see.

I want to participate in chapters 3, 4, and 5 if it is not too late for


-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Mark
Sent: Saturday, 21 February 2004 01:07 a.m.
To: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] Testing Sign Up

OK, so it looks like we are all happy with the basic outline we have today
for Part 1, so I am afraid to say it's time to sign up to complete a
section before the end of next week, as we discussed. By the way, end of
next week should mean 6pm Friday 27th Feb Pacific time, I think. I know
it's RSA etc but ....

Please, please don't sign up to do anything if you are not going to pull
out all the stops to meet the deadline, but please, please, please do sign
up for something!

I suggest we have a few people working on each section, if we have more
than 6 volunteers. Divide and conquer, baby!

This is what I think each chapter in Part 1 needs to achieve. And
remember Part 1 is the What, Why, When, Where and Part 2 will be the

1. Introduction
This chapter should set the scene of web applications, OWASP and how
people can use this guide

2. Reasons for Testing
This chapter should outline the end goal of building secure software and
explain how testing should be performed against requirements or
standards, best practices, etc., and what you can aim to achieve through

3. Scope of Testing
This chapter should set the scene that testing web applications (or web
software, as I am coming to call it myself) covers testing requirements,
designs, process and implementations, i.e. it isn't about scanning.

4. Principles
This chapter will be a set of high-level principles such as "Test Early
and Often". I think this would be good to debate over the list this

5. Testing Techniques
This chapter should provide an overview of the types of testing
techniques that exist, including unit testing and code coverage / review,
pen testing, threat modeling, requirements and design testing, etc. I
think it should explain where each may be appropriate in an SDLC and the
advantages and disadvantages of each.

6. Testing Framework Explained
This chapter should outline a proposed framework for testing that will
incorporate the techniques described at various places in the SDLC. It
will be more of a suggested way to create a testing process in an

I will sign up to do Chapter 1 on my own (as it's easy) and Chapter 5.

Anyone else have any specific interests?

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax


This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this message. Thank you. 
