[OWASP-TESTING] OWASP Testing Project V1.0 - Chapter 3 - The Testing Framework Explained.doc

Mark Curphey.com mark at curphey.com
Mon Mar 1 07:03:43 EST 2004

I hear what you are saying but here is one last thought for my context. I always view dev as code creation and deploy as a multi-step process that includes pre-prod, staging, prod etc. As Gary McGraw points out (I may have misread) it's still software (code) until it's deployed in some form (local sandbox, whatever) before you can pen test it. I am getting hooked on terms and phases as I want to make sure this is intuitive to dev teams and not just us sec folks.

That said, I think as long as we cover the virtues of testing types well, the reader will draw their own conclusion as to which is more appropriate for them. My fear is many will see it as an either/or and pen test as it's a more familiar term. I think we need to carefully craft the message.

-----Original Message-----
    From: "Jeff Williams"<jeff.williams at aspectsecurity.com>
    Sent: 2/29/04 11:36:14 PM
    To: "mark at curphey.com"<mark at curphey.com>, "Glyn"<glyng at moiler.com>, "'Mark Curphey'"<mark.curphey at foundstone.com>, "owasp-testing at lists.sourceforge.net"<owasp-testing at lists.sourceforge.net>
    Subject: Re: [OWASP-TESTING] OWASP Testing Project V1.0 - Chapter 3 - The Testing Framework Explained.doc
    I think nothing but good can come from getting exactly this discussion out in
    the open.

    My experience is that most vulnerabilities are found (far) more quickly by
    looking at the source than by any other method.  *BUT* it takes a long time
    to get fast.  You need people who are very good programmers (that for
    whatever reason don't want to write code everyday) AND they need to know a
    lot about security and what the patterns look like in different languages.

    Comparing the approaches is a bit of apples and oranges. Penetration testing
    generally doesn't search everything and has a lot of false alarms.  If we
    did a code review to that level, we could finish in 1/10 of the time. But we
    can be far more complete and accurate by checking the code. I'm not against
    pentesting -- there are many reasons why code is not available.

    There are, of course, some problems that pentesting is faster at -- 
    particularly web and app server configuration issues. But there are also
    many problems that could NEVER be found with pentesting -- logic problems,
    hidden features, dead code, thread safety, and lots more.  This is where we
    find the biggest problems by the way.

    I disagree with recommending code review during development and pentest
    after.  Actually, I think it would be best to do some of each (with internal
    people) throughout the lifecycle. Then maybe a third party review to confirm
    before deployment.

