[OWASP-TESTING] OWASP Testing Project Part 1.doc

Davis, Carl cdavis at fnni.com
Tue Mar 30 09:38:07 EST 2004


Okay...I'm back alive & well.  My recent travels have taken me to Atlanta
(for the recent WebInspect SPI course - can possibly add some content
regarding pros/cons of scanners if there is still room and after the
Principles are done) and then half-way around the globe for an engagement
where I ran into quite a few time-consuming issues.  Anywho, I have been
actively working on the 'Principles' all the while and will send out a draft
of what I have this evening (rain or shine).  I apologize for leaving
everyone hanging.
 
 
- Carl

-----Original Message-----
From: Mark Curphey [mailto:mark.curphey at foundstone.com]
Sent: Tuesday, March 30, 2004 7:50 AM
To: Jeff Williams; owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] OWASP Testing Project Part 1.doc


I like that. Originally it was in the previous chapter where, re-reading, I
now think it belongs. Let me finish it tonight and re-arrange.
 
Principles needs to be upfront as well and finished. Carl Davis, where art
thou?
 

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax

http://www.foundstone.com


 

  _____  

From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com] 
Sent: Tuesday, March 30, 2004 12:45 AM
To: owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] OWASP Testing Project Part 1.doc


Mark,
 
Great progress. I have a few structural comments to offer for what they're
worth.
 
As I read the threat modelling section, it occurred to me that it is a bit
different than the "testing techniques" that it is listed as a peer with.
It seems to me that all the testing techniques rely on some understanding of
the security requirements, which in turn are hopefully based on a decent
understanding of the risk. Do you think it would be useful to pull out the
parts of that section that are most useful during requirements gathering,
and change the rest into some sort of design/architecture review?
 
I found Chapter 5 - Principles of Testing to be a bit too far down in the
document for me.  I like to get the principles out early and then develop
them throughout.  That might just be a style issue though.
 
-- Jeff 

----- Original Message ----- 
From: Mark Curphey <mailto:mark.curphey at foundstone.com>  
To: owasp-testing at lists.sourceforge.net
<mailto:owasp-testing at lists.sourceforge.net>  
Sent: Monday, March 29, 2004 11:43 PM
Subject: [OWASP-TESTING] OWASP Testing Project Part 1.doc


Updated with a half-completed section on threat modeling. I will
complete tomorrow and plough on with the other sections.

 <<OWASP Testing Project Part 1.doc>> 

