[OWASP-TESTING] "positive" approach

Roshen Chandran roshen.chandran at paladion.net
Wed Jul 14 20:02:36 EDT 2004

Calderon, Juan Carlos (GE Commercial Finance, NonGE) wrote:

>IMHO "positive" approaches are better than "negative", 
>please use it while building this guide. For example, 
>suggest tests to confirm proper session handling, not to 
>look for session hijack problems.

Wouldn't that be difficult when there's more than one right (secure) way to implement a feature? For instance, to mitigate the risk of brute force password guessing, "account lockout" strategies could be implemented in different ways (lock out for a set duration, force the user to type a random word, etc.) depending on the needs of the business. Wouldn't checking for a vulnerability be better in that case?

Since we are finally checking whether the application is exposed to a risk or not, I think there is always a negative element. I'm not sure whether it's better to take a positive approach checking for the right implementation, or the negative approach checking for a vulnerability to verify the risk.
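The account-lockout case raised in the message above, worked through as an added example that is not part of the mailing-list thread. It implements one of the strategies mentioned (lock out for a set duration) and then runs both kinds of check against the same code: a "positive" check that confirms the control behaves as specified, and a "negative" check that confirms the brute-force exposure is absent. The policy values, account names and the injectable clock are assumptions chosen for this example.

```python
"""Account-lockout tracker with a positive and a negative check.

Constructed example, not from the OWASP testing thread. Strategy shown:
after `max_failures` consecutive failed logins the account is locked for
`lock_seconds`; while locked, even the correct password is rejected.
"""
from dataclasses import dataclass
import time


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since last success/lock
    locked_until: float = 0  # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Lock-for-a-set-duration strategy (assumed policy values below)."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock          # injectable so checks can fast-forward time
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        return self._state(user).locked_until > self.clock()

    def attempt(self, user, password_ok):
        """Returns 'ok', 'denied' or 'locked' for one login attempt."""
        st = self._state(user)
        now = self.clock()
        if st.locked_until > now:
            return "locked"          # lock applies regardless of the password
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lock_seconds
            st.failures = 0
        return "denied"


class FakeClock:
    """Deterministic clock so the checks do not have to sleep."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def positive_check():
    """'Positive' approach: confirm the lockout works exactly as specified."""
    clock = FakeClock()
    policy = LockoutPolicy(max_failures=3, lock_seconds=60, clock=clock)
    first_three = [policy.attempt("alice", False) for _ in range(3)]
    locked_now = policy.is_locked("alice")
    during_lock = policy.attempt("alice", True)   # right password, still locked
    clock.advance(61)                              # lock duration has passed
    after_lock = policy.attempt("alice", True)
    return (first_three == ["denied"] * 3 and locked_now
            and during_lock == "locked" and after_lock == "ok")


def negative_check(policy, secret="correct horse", guesses=1000):
    """'Negative' approach: verify that a guess list cannot reach the real
    password. Returns True if the brute-force exposure is absent."""
    candidates = [f"guess{i}" for i in range(guesses)] + [secret]
    for cand in candidates:
        if policy.attempt("bob", cand == secret) == "ok":
            return False   # the guessing run logged in: vulnerable
    return True


if __name__ == "__main__":
    print("positive check:", positive_check())
    strict = LockoutPolicy(max_failures=3, lock_seconds=60, clock=FakeClock())
    lax = LockoutPolicy(max_failures=10_000, lock_seconds=60, clock=FakeClock())
    print("negative check, strict policy:", negative_check(strict))
    print("negative check, lax policy:", negative_check(lax))
```

The two checks answer different questions: the positive one would have to be rewritten for each alternative strategy (a random-word challenge, a progressively increasing delay), while the negative one stays the same for any implementation because it only asks whether the guessing run eventually succeeds. Running the negative check against the lax policy shows it reporting the exposure the positive check, written for the set-duration strategy, would not even be applicable to.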
