[OWASP-TESTING] Final pentest checklist

Mads Rasmussen mads at opencs.com.br
Mon Jul 5 08:40:42 EDT 2004


Daniel,

Just a quick comment, I hope it's not too late.

The NIST 800-30 document is at (version 2002) 
http://csrc.nist.gov/publications/nistpubs/index.html#sp800-30

If you want the January 2004 draft, it's 
http://csrc.nist.gov/publications/drafts/SP800-30-RevA-draft.pdf

(This link will probably expire soon since the deadline for sending 
comments expired on March 20, 2004)

And could you include the title of the NIST document in the footnote 
where you put the link?
The title is "Risk Management Guide for Information Technology Systems"

---------

I caught an error in the User Authentication part.
The item number 10 has errors, Ref. number should be, "OWASP-AUTHN-0010" 
and the objective should be "Ensure that passwords are not _blank_" not 
_black_ :o)

----

In configuration management I think the objective for "OWASP-CM-003" 
should be changed to, "Ensure that all vendor patches for known 
vulnerabilities are applied."

-----

In the data protection part, OWASP-DP-004, add to objective, "vulnerable 
to the Man-In-The-Middle attack"

-- 
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525
