[OWASP-TESTING] Final pentest checklist

Daniel Daniel at deeper.co.za
Mon Jul 5 07:51:03 EDT 2004


>
> Daniel,
>
Caught in time :0)

I'm going to use the 2002 version, as the Jan 2004 one is still a draft and I
feel uneasy using a draft version as a reference.


> Just a quick comment, I hope it's not too late.
>
> The NIST 800-30 document is at (version 2002)
> http://csrc.nist.gov/publications/nistpubs/index.html#sp800-30
>
> If you want the January 2004 draft, it's
> http://csrc.nist.gov/publications/drafts/SP800-30-RevA-draft.pdf
>
> (This link will probably expire soon, since the deadline for sending
> comments expired on March 20, 2004.)
>
> And could you include the title of the NIST document in the footnote
> where you put the link?
> The title is "Risk Management Guide for Information Technology Systems"
>
> ---------
>
> I caught an error in the User Authentication part.
> Item number 10 has errors: the Ref. number should be "OWASP-AUTHN-0010",
> and the objective should be "Ensure that passwords are not _blank_", not
> _black_ :o)
>
> ----
>
> In configuration management I think the objective for "OWASP-CM-003"
> should be changed to, "Ensure that all vendor patches for known
> vulnerabilities are applied."
>
> -----
>
> In the data protection part, OWASP-DP-004, add to objective, "vulnerable
> to the Man-In-The-Middle attack"
>
> --
> Mads Rasmussen, M.Sc.
> Open Communications Security
> www.opencs.com.br
> +55 11 3345 2525
>
>
