[OWASP-TESTING] RE: [OWASP-TESTING] Testing Sign Up

Davis, Carl cdavis at fnni.com
Sat Feb 28 09:59:43 EST 2004


Kewl...I like it. Thanxs.
 
- Carl
 
-----Original Message----- 
From: Mark Curphey [mailto:mark.curphey at foundstone.com] 
Sent: Sat 2/28/2004 8:29 AM 
To: Davis, Carl; daniel at deeper.co.za; owasp-testing at lists.sourceforge.net 
Cc: 
Subject: RE: [OWASP-TESTING] Testing Sign Up



Hi Carl / all,
 
I think the paragraph idea for format is great. We did that with the OWASP Top
Ten so it would kind of flow a bit better.
 
I put an example of it in a word doc and tracking on for easier
collaboration. Hope that was OK.
 
I added a principle of Metrics, i.e. know what your problems are so you can
systematically improve or focus attention on areas that are most common.
Again just an idea. 
 
Anyone else have any ideas on what the principles should be ?
 
Mark
 
 


  _____  

From: Davis, Carl [mailto:cdavis at fnni.com] 
Sent: Thursday, February 26, 2004 6:55 AM
To: Mark Curphey; daniel at deeper.co.za; owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] Testing Sign Up


I apologize for not getting this out sooner but work has been busier than
normal.  Anywho,  I have included in this email and attached a draft
(outline format) of the 'Ten Principles for Application Security Testing'
[Chapter 4] for hashing out, comments, suggested changes, etc. by the group.
My current plan is to briefly speak to each bullet in the paragraph
accompanying each heading; principles, bullets, etc. are by no means set in
stone at this point.
 
On a separate but related note...I volunteered to help out with Chapter 2,
the 'Regulatory Requirements' section and noticed that there was a question
mark next to my name for this chapter in a previous email detailing
assignments.  Also, Javier has more recently volunteered to help out with
this chapter as well so, I was wondering how you would like to handle this?  I
would not mind still helping out with Regu Reqs but if Javier is going to
cover this section that is fine too.
 
I really look forward to everyone's feedback (good or bad) regarding the 10
Principles.
 
Cheers,
 
- Carl
 
------------
 Ten Principles for Application Security Testing


There is No Silver Bullet
 - One glove (testing approach) does not fit all
 - Design based on requirements and other governing factors i.e.
limitations, costs, etc.

Think Strategically, Not Tactically
 - Build security into the test plan
 - Establish test methods
 - Identify security issues during the design review phase
 - Build in security in-depth (layered approach)
 - Ask questions regarding future requirements/enhancements
 - Future growth

Test Early and Test Often
 - Substantial cost savings 
 - Test in development, QA, and production environments 
     (limited access prior to "going live")
 - Work closely with responsible teams during the development 
     process to remediate or mitigate issues 
 - Establish a Due Care process based on risk level
 - Educate developers about Web App sec issues

Understand the Scope
 - Governing regulatory requirements
 - Level of security required i.e. sensitive, Top Secret 
 - Timeframe (schedule)
 - Interviews with developers, involved teams, and project leads
 - Complexity of project
 - Approval requirements
 - Proof of concept (yes or no)
 - Cost limitations (time to market)
 - Classification of data e.g. GLBA, Cardholder, CA SB1386, etc. 

Mindset
 - Think like a hacker or cracker
 - Customize your approach and or methodology
 - Think outside of the box
 - Try the unexpected; be creative
 
Know Thy Target
 - User & Administrative documentation
 - Architectural diagrams and data flow charts  
 - Technical system and application documentation
 - Disallowed functionality/intentions
 - Understand the threat and known exploits
 - Understand regulatory requirements
 - Thoroughly research application & systems being used
 - Conduct passive & active recon

Use the Right Tools
 - Use a combination of automated and manual techniques
 - Frequently update tool & technique inventory
 - Become intimately familiar with technology being used and 
   known/probable security issues
 - Shouldn't bring a knife to a gun fight

Attention to Detail
 - Weed out false positives
 - Thoroughly explore logic in an attempt to expose flaws
 - Look for the less obvious security issues
 - Become intimate with the application
 - Evaluate every aspect

Use Manual Source Code Inspections Whenever Possible
 - Allows for the identification of security holes and 
   vulnerabilities often missed by black or gray box testing
 - Reinforce secure coding practices 
 - Should include User Interface development 

Use the System Development Life Cycle (SDLC)
 - Structured approach that provides guidance regarding the handling 
   of IT Security activities throughout the life of the system or
application
 

-----Original Message----- 
From: Mark Curphey [mailto:mark.curphey at foundstone.com] 
Sent: Tue 2/24/2004 9:21 AM 
To: daniel at deeper.co.za; owasp-testing at lists.sourceforge.net 
Cc: 
Subject: RE: [OWASP-TESTING] Testing Sign Up



Dan, you are working with Nish and Hari on 5. I suggest you guys hook up 
off line or via the list to co-ordinate etc 

-----Original Message----- 
From: daniel at deeper.co.za [mailto:daniel at deeper.co.za] 
Sent: Tuesday, February 24, 2004 5:04 AM 
To: owasp-testing at lists.sourceforge.net 
Subject: Re: [OWASP-TESTING] Testing Sign Up 

Is there an updated list of who is doing what, so as not to duplicate any 
effort? 



> Mark Curphey wrote: 
> 
> > OK so looks like we are all happy with the basic outline we have 
> > today for Part 1, so I am afraid to say it's time to sign up to 
> > complete a section before the end of next week as we discussed. By 
> > the way end of next week should mean 6pm Friday 27th Feb Pacific 
> > time I think. I know it's RSA etc but .... 
> 
> Sorry for not answering previously, I'm quite busy with work et al. 
> 
> > 2. Reasons for Testing 
> > This chapter should outline the end goal of building secure software 
> > and explain how testing should be performed against requirements or 
> > standards, best practices etc and what you can aim to achieve 
> > through testing. 
> > 
> (...) 
> > Anyone else have any specific interests ? 
> 
> 
> I want to help with sections 2 (Reasons for Testing) and section 5 
> (Testing Techniques) 
> 
> I also think I can gather reviewers for all sections from my company's 
> development department. If others are ok, I would like to pass the 
> document around so I can gather more input/reviewing. 
> 
> Regards 
> 
> Javier 
> 
> 
> 
> ------------------------------------------------------- 
> SF.Net is sponsored by: Speed Start Your Linux Apps Now. 
> Build and deploy apps & Web services for Linux with a free DVD 
> software kit from IBM. Click Now! 
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click 
> _______________________________________________ 
> owasp-testing mailing list 
> owasp-testing at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/owasp-testing 




