[OWASP-TESTING] OWASP Testing Project V1.0 - Chapter 3 - The Testing Framework Explained.doc

Jeff Williams jeff.williams at aspectsecurity.com
Sat Feb 28 21:20:16 EST 2004


Mark,

I think this is great and will be very useful to the larger software
development shops. What would you think about extending this a bit earlier
in the lifecycle to *requirements definition*?  The problem I've experienced
is that the testers would test the security requirements if there were any,
but they're all just "best practices" or "tech memos" or something. They
don't get formalized as requirements, so they never get tested.

Also, what are your thoughts about the requirements themselves? Do you
think "negative use cases" are a good idea, or do you stick with more
traditional "shalls"? What type of requirement do you recommend to make sure
that the proper type of security testing actually gets done?

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com


----- Original Message ----- 
From: Mark Curphey
To: owasp-testing at lists.sourceforge.net
Sent: Saturday, February 28, 2004 10:31 AM
Subject: [OWASP-TESTING] OWASP Testing Project V1.0 - Chapter 3 - The
Testing Framework Explained.doc


I was thinking of something like this for the Framework Chapter itself.
What do you think?

Essentially presenting a generic SDLC and highlighting activities that
could / should be carried out at each stage in the dev process.

Does this make sense?

If so I will fill in the text tonight....

Damn, now it's out that I am late as well ;-)
 <<OWASP Testing Project V1.0 - Chapter 3 - The Testing Framework
Explained.doc>>




