[OWASP-TESTING] OWASP Testing Project Part 1.doc

Mark Curphey mark.curphey at foundstone.com
Tue Mar 30 09:57:48 EST 2004

4 writing I think.

Me, you, Carl and Juan.

-----Original Message-----
From: daniel at deeper.co.za [mailto:daniel at deeper.co.za] 
Sent: Tuesday, March 30, 2004 9:31 AM
To: owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] OWASP Testing Project Part 1.doc

just as a matter of interest, how many active people are there still?

it seems to me like only about 6 or 7

> Okay...I'm back alive & well.  My recent travels have taken me to
> Atlanta (for the recent WebInspect SPI course - can possibly add some
> content regarding pros/cons of scanners if there is still room and
> after the Principles are done) and then half-way around the globe for
> an engagement where I ran into quite a few time-consuming issues.
> Anywho, I have been actively working on the 'Principles' all the while
> and will send out a draft of what I have this evening (rain or shine).
> I apologize for leaving everyone hanging.
> - Carl
> -----Original Message-----
> From: Mark Curphey [mailto:mark.curphey at foundstone.com]
> Sent: Tuesday, March 30, 2004 7:50 AM
> To: Jeff Williams; owasp-testing at lists.sourceforge.net
> Subject: RE: [OWASP-TESTING] OWASP Testing Project Part 1.doc
> I like that. Originally it was in the previous chapter where 
> re-reading I now think it belongs. Let me finish it tonight and
> Principles needs to be upfront as well and finished. Carl David where 
> art thou ?
> Mark Curphey
> Consulting Director
> Foundstone, Inc.
> Strategic Security
> 949.297.5600 x2070 Tel
> 781.738.0857 Cell
> 949.297.5575 Fax
> http://www.foundstone.com
> From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
> Sent: Tuesday, March 30, 2004 12:45 AM
> To: owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] OWASP Testing Project Part 1.doc
> Mark,
> Great progress. I have a few structural comments to offer for what 
> they're worth.
> As I read the threat modelling section, it occurred to me that it is a
> bit different than the 'testing techniques' that it is listed as a
> peer with.
> It seems to me that all the testing techniques rely on some
> understanding of the security requirements, which in turn are
> hopefully based on a decent understanding of the risk. Do you think it
> would be useful to pull out the parts of that section that are most
> useful during requirements gathering, and change the rest into some
> sort of design/architecture review?
> I found Chapter 5 - Principles of Testing to be a bit too far down in 
> the document for me.  I like to get the principles out early and then 
> develop them throughout.  That might just be a style issue though.
> -- Jeff
> ----- Original Message -----
> From: Mark Curphey <mailto:mark.curphey at foundstone.com>
> To: owasp-testing at lists.sourceforge.net
> <mailto:owasp-testing at lists.sourceforge.net>
> Sent: Monday, March 29, 2004 11:43 PM
> Subject: [OWASP-TESTING] OWASP Testing Project Part 1.doc
> Updated with a half completed section on threat modeling. I will 
> complete tomorrow and plough on with the other sections.
>  <<OWASP Testing Project Part 1.doc>>
