[OWASP-TESTING] Final pentest checklist

Andrew van der Stock vanderaj at greebo.net
Mon Jul 5 08:48:35 EDT 2004

I'll do it again with these changes :)


-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Mads
Sent: Monday, 5 July 2004 10:41 PM
To: Daniel at deeper.co.za
Cc: owasp
Subject: Re: [OWASP-TESTING] Final pentest checklist


Just a quick comment, I hope it's not too late.

The NIST 800-30 document is at (version 2002) 

If you want the January 2004 draft, it's 

(This link will probably expire soon since the deadline for sending 
comments expired on March 20, 2004)

And could you include the title of the NIST document in the footnote 
where you put the link?
The title is "Risk Management Guide for Information Technology Systems"


I caught an error in the User Authentication part.
Item number 10 has errors: the Ref. number should be "OWASP-AUTHN-0010" 
and the objective should be "Ensure that passwords are not _blank_", not 
_black_ :o)


In configuration management I think the objective for "OWASP-CM-003" 
should be changed to "Ensure that all vendor patches for known 
vulnerabilities are applied."


In the data protection part, OWASP-DP-004, add to the objective "vulnerable 
to the Man-In-The-Middle attack".

Mads Rasmussen, M.Sc.
Open Communications Security
+55 11 3345 2525
