[OWASP-TESTING] Testing Sign Up

Mark Curphey mark.curphey at foundstone.com
Sat Feb 28 09:29:35 EST 2004


Hi Carl / all,
 
I think the paragraph idea for format is great. We did that with the OWASP
Top Ten so it would kind of flow a bit better.
 
I put an example of it in a Word doc with tracking on for easier
collaboration. Hope that was OK.
 
I added a principle of Metrics, i.e. know what your problems are so you
can systematically improve or focus attention on areas that are most
common. Again just an idea. 
 
Anyone else have any ideas on what the principles should be ?
 
Mark
 
 


  _____  

From: Davis, Carl [mailto:cdavis at fnni.com] 
Sent: Thursday, February 26, 2004 6:55 AM
To: Mark Curphey; daniel at deeper.co.za;
owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] Testing Sign Up


I apologize for not getting this out sooner but work has been busier
than normal.  Anywho, I have included in this email and attached a
draft (outline format) of the 'Ten Principles for Application Security
Testing' [Chapter 4] for hashing out, comments, suggested changes, etc.
by the group.  My current plan is to briefly speak to each bullet in the
paragraph accompanying each heading; principles, bullets, etc. are by no
means set in stone at this point.
 
On a separate but related note...I volunteered to help out with Chapter
2, the 'Regulatory Requirements' section and noticed that there was a
question mark next to my name for this chapter in a previous email
detailing assignments.  Also, Javier has more recently volunteered to
help out with this chapter as well so, I was wondering how you would
like to handle this?  I would not mind still helping out with Regu Reqs but
if Javier is going to cover this section that is fine too.
 
I really look forward to everyone's feedback (good or bad) regarding the
10 Principles.
 
Cheers,
 
- Carl
 
------------
Ten Principles for Application Security Testing

There is No Silver Bullet
 - One glove (testing approach) does not fit all
 - Design based on requirements and other governing factors, i.e.
   limitations, costs, etc.

Think Strategically, Not Tactically
 - Build security into the test plan
 - Establish test methods
 - Identify security issues during the design review phase
 - Build in security in-depth (layered approach)
 - Ask questions regarding future requirements/enhancements
 - Future growth

Test Early and Test Often
 - Substantial cost savings
 - Test in development, QA, and production environments
   (limited access prior to "going live")
 - Work closely with responsible teams during the development
   process to remediate or mitigate issues
 - Establish a Due Care process based on risk level
 - Educate developers about Web App sec issues

Understand the Scope
 - Governing regulatory requirements
 - Level of security required, i.e. sensitive, Top Secret
 - Timeframe (schedule)
 - Interviews with developers, involved teams, and project leads
 - Complexity of project
 - Approval requirements
 - Proof of concept (yes or no)
 - Cost limitations (time to market)
 - Classification of data, e.g. GLBA, Cardholder, CA SB1386, etc.

Mindset
 - Think like a hacker or cracker
 - Customize your approach and/or methodology
 - Think outside of the box
 - Try the unexpected; be creative

Know Thy Target
 - User & Administrative documentation
 - Architectural diagrams and data flow charts
 - Technical system and application documentation
 - Disallowed functionality/intentions
 - Understand the threat and known exploits
 - Understand regulatory requirements
 - Thoroughly research application & systems being used
 - Conduct passive & active recon

Use the Right Tools
 - Use a combination of automated and manual techniques
 - Frequently update tool & technique inventory
 - Become intimately familiar with technology being used and
   known/probable security issues
 - Shouldn't bring a knife to a gun fight

Attention to Detail
 - Weed out false positives
 - Thoroughly explore logic in an attempt to expose flaws
 - Look for the less obvious security issues
 - Become intimate with the application
 - Evaluate every aspect

Use Manual Source Code Inspections Whenever Possible
 - Allows for the identification of security holes and
   vulnerabilities often missed by black or gray box testing
 - Reinforce secure coding practices
 - Should include User Interface development

Use the System Development Life Cycle (SDLC)
 - Structured approach that provides guidance regarding the handling
   of IT Security activities throughout the life of the system or
   application
 

	-----Original Message----- 
	From: Mark Curphey [mailto:mark.curphey at foundstone.com] 
	Sent: Tue 2/24/2004 9:21 AM 
	To: daniel at deeper.co.za; owasp-testing at lists.sourceforge.net 
	Cc: 
	Subject: RE: [OWASP-TESTING] Testing Sign Up
	
	

	Dan, you are working with Nish and Hari on 5. I suggest you guys hook up
	off line or via the list to co-ordinate etc

	-----Original Message----- 
	From: daniel at deeper.co.za [mailto:daniel at deeper.co.za] 
	Sent: Tuesday, February 24, 2004 5:04 AM 
	To: owasp-testing at lists.sourceforge.net 
	Subject: Re: [OWASP-TESTING] Testing Sign Up 

	is there an updated list of who is doing what, as not to duplicate any
	effort?



	> Mark Curphey wrote:
	>
	> > OK so looks like we are all happy with the basic outline we have
	> > today for Part 1, so I am afraid to say it's time to sign up to
	> > complete a section before the end of next week as we discussed. By
	> > the way end of next week should mean 6pm Friday 27th Feb Pacific
	> > time I think. I know it's RSA etc but ....
	>
	> Sorry for not answering previously, I'm quite busy with work et al.
	>
	> > 2. Reasons for Testing
	> > This chapter should outline the end goal of building secure software
	> > and explain how testing should be performed against requirements or
	> > standards, best practices etc and what you can aim to achieve
	> > through testing.
	> >
	> (...)
	> > Anyone else have any specific interests ?
	>
	>
	> I want to help with sections 2 (Reasons for Testing) and section 5
	> (Testing Techniques)
	>
	> I also think I can gather reviewers for all sections from my company's
	> development department. If others are ok, I would like to pass the
	> document around so I can gather more input/reviewing.
	>
	> Regards
	>
	> Javier
	>
	>
	>
	> -------------------------------------------------------
	> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
	> Build and deploy apps & Web services for Linux with a free DVD
	> software kit from IBM. Click Now!
	> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
	> _______________________________________________
	> owasp-testing mailing list
	> owasp-testing at lists.sourceforge.net
	> https://lists.sourceforge.net/lists/listinfo/owasp-testing

-------------- next part --------------
A non-text attachment was scrubbed...
Name: principles.doc
Type: application/msword
Size: 48128 bytes
Desc: principles.doc
Url : http://lists.owasp.org/pipermail/owasp-testing/attachments/20040228/c341ab1a/attachment.doc 