[OWASP-TESTING] Phase II, outline

Mark Curphey mark at curphey.com
Thu Jul 29 09:22:08 EDT 2004


A couple of ideas that might be worth thinking about are;

1. Provide generic methodologies for code review, pen testing, manual
review etc as outlined in the Part 1 (Nish and Hari started this with their
sections). These would basically outline "here is how to do a web app pen
test- first profile site, then look for potential issues, then exploit them
etc...obviously much more detailed and just a pseudo example). We already
have a good start with this in Nish, Hari and other work that can be
2. Organize the actual implementation of these methodologies around the SDLC
tasks we proposed in Part 1.  This ensures we cover how to test requirements
and design and don't just produce a pen test methodology and low level guide
for pen testing. I think that would be fine but we should call it out as that,
as a complement to the pen test check list, if that is what we really want
to do?
3. Merging Part 1 into Part 2 to get one big testing guide. At that point
Part 1 would no longer be stand-alone.

One of the things we found in the OWASP Guide 2.0 re-write was it became
much easier to call out the language specific stuff such as J2EE and C# into
an appendix.

Maybe we could do that here, i.e. Appendix A - Finding Specific Vulns by Code
Review, Appendix B - Finding Specific Vulns by Pen testing, Finding Specific
Vulns by Design Review

The advantage of this is an appendix doesn't have to be complete and judging
by the length of time it took to get to Part 1, it would be far easier to
get the core of the doc (the methodologies themselves) completed and then
update appendices frequently. My gut estimate is the size of Part 2 will be 20
times the size of Part 1, or 56 years ;-)

The overall structure would look like

Principles of Testing
Testing Techniques Explained (overview)
OWASP Testing Framework
	Manual Inspections
	Penetration Testing
	Code Review
	Threat Modeling

Appendix A - Finding Specific Issues using Manual Inspection
	Design Reviews
	Policy Reviews
	Threat Modeling
	Requirements Analysis

Appendix B - Finding Specific Vulnerabilities using Penetration Testing
	SQL Injection
	Buffer Overflows
	Weak Passwords
	Session Management
Appendix C - Finding Specific Vulnerabilities using Source Code Review
	SQL Injection
	Weak Key Generation
Appendix D - Testing Tools
Appendix X etc

Somehow this needs to be tied to using these techniques at the right stages
of the SDLC so people stop pen testing before deployment. Maybe the
framework itself is OK for that.

Thoughts?

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
Sent: Thursday, July 29, 2004 6:50 AM
To: owasp 
Subject: [OWASP-TESTING] Phase II, outline

Attached is the outline so far, can we all start looking at the structure
and deciding the direction?

I think we need to concentrate on making sure the various languages are
covered. I had a good chat with a friend over at another large investment
bank and he wanted to know what we were doing with J2EE stuff, hence this
has now been added.

Once everyone is happy with what is in the outline, I'll draw up a better
format and then we can start assigning sections for people to get on with.

There are a large number of people on this list now and yet only a few
regulars still seem to offer comments. I will be removing the inactive ones
in the next couple of weeks (hey, it's only fair to contribute and not use it
as a private guide before the rest of the world gets it...)

Thanks to everyone who has contributed so far
