[OWASP-TESTING] "positive" approach
roshen.chandran at paladion.net
Wed Jul 14 20:02:36 EDT 2004
Calderon, Juan Carlos (GE Commercial Finance, NonGE) wrote:
>IMHO "positive" approaches are better than "negative";
>please use them while building this guide. For example,
>suggest tests to confirm proper session handling, not to
>look for session hijack problems.
Wouldn't that be difficult when there is more than one right (secure) way to implement a feature? For instance, to mitigate the risk of brute-force password guessing, "account lockout" strategies could be implemented in different ways (lock out for a set duration, force the user to type a random word, etc.) depending on the need of the business. Wouldn't checking for a vulnerability be better in that case?
Since we are finally checking whether the application is exposed to a risk or not, I think there is always a negative element. I'm not sure whether it's better to take a positive approach checking for the right implementation, or the negative approach checking for a vulnerability to verify the risk.
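As an added illustration (not code from this thread, from OWASP, or from either poster), here is a small Python model that runs both approaches against the same fixed-duration lockout policy, one of the strategies named above: positive_check verifies each property the policy promises, and brute_force measures what a patient attacker still achieves. The account name, password, wordlist, clock and policy numbers are all constructed for the example.

```python
"""Constructed account-lockout model used to contrast a "positive" check
(does the lockout behave as specified?) with a "negative" check (can an
attacker still brute-force the password, and how long does it take?).
All names and numbers below are assumptions made for the illustration."""
import hmac
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # consecutive failures before the account locks
    lockout_seconds: int = 900   # fixed lockout duration


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0    # absolute time at which the lock expires


class FakeClock:
    """Controllable clock so the simulation runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AuthService:
    """Minimal login service enforcing a fixed-duration lockout policy."""
    def __init__(self, users, policy, clock):
        self._users = dict(users)   # constructed demo credentials, plaintext only for the simulation
        self._policy = policy
        self._clock = clock         # callable returning the current time
        self._state = {}

    def login(self, username, password):
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"         # rejected without even checking the password
        expected = self._users.get(username, "")
        ok = username in self._users and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            st.failures = 0         # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= self._policy.max_failures:
            st.locked_until = now + self._policy.lockout_seconds
            st.failures = 0
        return "denied"


def positive_check(policy):
    """Positive approach: verify each property the lockout specification promises."""
    clock, user, pw = FakeClock(), "alice", "correct horse"
    svc = AuthService({user: pw}, policy, clock.now)
    results = {}
    for _ in range(policy.max_failures - 1):
        svc.login(user, "wrong")
    results["not_locked_below_threshold"] = svc.login(user, pw) == "ok"
    for _ in range(policy.max_failures - 1):
        svc.login(user, "wrong")
    results["success_resets_counter"] = svc.login(user, pw) == "ok"
    for _ in range(policy.max_failures):
        svc.login(user, "wrong")
    results["locked_at_threshold"] = svc.login(user, pw) == "locked"
    clock.advance(policy.lockout_seconds - 1)
    results["still_locked_before_expiry"] = svc.login(user, pw) == "locked"
    clock.advance(1)
    results["released_after_expiry"] = svc.login(user, pw) == "ok"
    return results


def brute_force(policy, wordlist, secret):
    """Negative approach: simulate an attacker who tries one guess per second
    and simply waits out each lockout. Returns (guess_found, seconds, attempts);
    attempts counts every request sent, including those answered "locked"."""
    clock, user = FakeClock(), "alice"
    svc = AuthService({user: secret}, policy, clock.now)
    attempts = 0
    for guess in wordlist:
        while True:
            result = svc.login(user, guess)
            attempts += 1
            clock.advance(1)
            if result != "locked":
                break
            clock.advance(policy.lockout_seconds)   # attacker sleeps until the lock expires
        if result == "ok":
            return guess, clock.now(), attempts
    return None, clock.now(), attempts


WORDLIST = [f"password{i}" for i in range(11)] + ["hunter2"]   # constructed; real password last

if __name__ == "__main__":
    print(positive_check(LockoutPolicy(3, 60)))
    print(brute_force(LockoutPolicy(10**9, 0), WORDLIST, "hunter2"))   # no effective lockout
    print(brute_force(LockoutPolicy(3, 60), WORDLIST, "hunter2"))      # 3 failures, 60 s lock
```

With a threshold of 3 and a 60 second lock, every property in positive_check holds, yet brute_force still recovers the password from the 12-word list: it takes 195 simulated seconds and 15 requests instead of 12 seconds and 12 requests. The positive view says the feature is implemented as specified; the negative view says how far the risk is actually reduced, which is the distinction the post above is drawing.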