[OWASP-TESTING] Phase II, outline

Mark Curphey mark at curphey.com
Thu Jul 29 11:50:36 EDT 2004


Do you mean things like testing the security manager setup and access
modifiers on methods, or more specific things around breaking into servlet
implementations and EJBs, etc.?

I think both would make sense; one fits into code review and the other into pen
testing.

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
Sent: Thursday, July 29, 2004 9:07 AM
To: owasp 
Subject: RE: [OWASP-TESTING] Phase II, outline

I like the idea of the appendix, as I really don't want to repeat the issues
we had with Phase 1.

Is anyone here comfortable with J2EE testing? (I have to admit I've not really
looked at it, but feel it's needed.) I'll update the outline with the format
mentioned below and send it out.



Tapped away... Mark Curphey
> Dan,
>
> A couple of ideas that might be worth thinking about are:
>
> 1. Provide generic methodologies for code review, pen testing, manual 
> review, etc. as outlined in Part 1 (Nish and Hari started this with 
> their sections). These would basically outline "here is how to do a 
> web app pen test: first profile the site, then look for potential issues, 
> then exploit them, etc." (obviously much more detailed; that is just a 
> pseudo example). We already have a good start with this in Nish's, Hari's 
> and other work that can be re-purposed.
> 2. Organize the actual implementation of these methodologies around 
> the SDLC tasks we proposed in Part 1. This ensures we cover how to 
> test requirements and design and don't just produce a pen test 
> methodology and low-level guide for pen testing. I think that would be 
> fine, but we should call it out as a complement to the pen 
> test checklist, if that is what we really want to do?
> 3. Merging Part 1 into Part 2 to get one big testing guide. At that 
> point Part 1 would no longer be stand-alone.
>
> One of the things we found in the OWASP Guide 2.0 re-write was it 
> became much easier to call out the language specific stuff such as 
> J2EE and C# into an appendix.
>
> Maybe we could do that here, i.e. Appendix A - Finding Specific Vulns by 
> Code Review, Appendix B - Finding Specific Vulns by Pen Testing, 
> Appendix C - Finding Specific Vulns by Design Review.
>
> The advantage of this is an appendix doesn't have to be complete and, 
> judging by the length of time it took to get to Part 1, it would be 
> far easier to get the core of the doc (the methodologies themselves) 
> completed and then update the appendices frequently. My gut estimate is the 
> size of Part 2 will be 20 times the size of Part 1, or 56 years ;-)
>
> The overall structure would look like
>
> Introduction
> Principles of Testing
> Testing Techniques Explained (overview)
> OWASP Testing Framework
> Methodologies
> 	Manual Inspections
> 	Penetration Testing
> 	Code Review
> 	Threat Modeling
>
> Appendix A - Finding Specific Issues using Manual Inspection
> 	Design Reviews
> 	Policy Reviews
> 	Threat Modeling
> 	Requirements Analysis
>
> Appendix B - Finding Specific Vulnerabilities using Penetration Testing
> 	SQL Injection
> 	XSS
> 	Buffer Overflows
> 	Weak Passwords
> 	Session Management
> Appendix C - Finding Specific Vulnerabilities using Source Code Review
> 	SQL Injection
> 	Weak Key Generation
>
> Appendix D - Testing Tools
> Appendix X etc
>
> Somehow this needs to be tied to using these techniques at the right 
> stages of the SDLC so people stop pen testing only before deployment. Maybe 
> the framework itself is OK for that.
>
> Thoughts ?
>
> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
> Sent: Thursday, July 29, 2004 6:50 AM
> To: owasp
> Subject: [OWASP-TESTING] Phase II, outline
>
> Attached is the outline so far, can we all start looking at the 
> structure and deciding the direction?
>
> I think we need to concentrate on making sure the various languages 
> are covered. I had a good chat with a friend over at another large 
> investment bank and he wanted to know what we were doing with J2EE 
> stuff, hence this has now been added.
>
> Once everyone is happy with what is in the outline, I'll draw up a 
> better format and then we can start assigning sections for people to get 
> on with.
>
> There are a large number of people on this list now and yet only a few 
> regulars still seem to offer comments. I will be removing the inactive 
> ones in the next couple of weeks (hey, it's only fair to contribute and 
> not use it as a private guide before the rest of the world gets it..)
>
>
> Thanks to everyone who has contributed so far
>
> Daniel
>
>



