[OWASP-TESTING] updated: Code Review Section for Testing guide (Draft)

Mark Curphey mark.curphey at foundstone.com
Tue Mar 30 00:00:05 EST 2004


Hi Juan

Thanks, this is great stuff. I still wonder if it is a little too
focused on the How and not the what, why, when, where of source code
review. Anyone else?

I think we should call this the OWASP Testing Framework. The OWASP Guide
is really the OWASP Guide to Building Secure Web Applications. It is the
staple diet though, so I think it's hard to change that name.

Regulations, good catch sir. I'll drop it back in. That said, does anyone
know of any regulations that apply?

What happened to Carl Davis?


-----Original Message-----
From: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
[mailto:juan.calderon at ge.com] 
Sent: Saturday, March 27, 2004 3:26 PM
To: owasp-testing at lists.sourceforge.net
Subject: [OWASP-TESTING] updated: Code Review Section for Testing guide
(Draft)

Hi all

I'm sending my part of the OWASP testing guide, updated. I've re-read the
OWASP guide and the initial and final Drafts Mark sent us and I found I
was wrong in some points. I should say I was not happy with my first
draft, but now I've changed some things for a "positive" point of view
and, taking away the "how", it's taking better shape. I could not work on
some parts like the advantages and deliverables part, oh well.

Thanks to Mark, Jeff and Javier for your feedback on the last draft sent, it
was of great help.

Additionally, I have some thoughts.

Mark, I think you omitted regulations in the first section of your "A
Typical SDLC Testing Workflow" graphic.

Also, I don't know if the "OWASP guide", the one to mitigate the OWASP Top Ten
(and more than that), and the OWASP Testing guide won't be confused. Don't
know if I'm "crossing the line" saying this, but IMHO probably the OWASP Guide
should change its name to something more descriptive. Too late,
perhaps?

Well, that's it.

Later,
JC