[OWASP-TESTING] RE: [OWASP-TESTING] OWASP Testing Project Part 1.doc

Mark Curphey mark at curphey.com
Tue Mar 30 21:43:54 EST 2004


<DIV>Works for me. Feel free to update the latest draft. I won't be touching it for the next 18 hours.<BR><B><BR>
<BLOCKQUOTE class=xoEncapsulatedBody style="PADDING-LEFT: 0px; MARGIN-LEFT: 5px">Davis, Carl &lt;cdavis at fnni.com&gt; wrote:</BLOCKQUOTE></B>
<BLOCKQUOTE class=xoEncapsulatedBody style="PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: blue 2px solid">
<DIV>Gentlemen,</DIV>
<DIV>&nbsp;</DIV>
<DIV>By my count (latest draft sent out) we currently have a total of 11 Principles. I would like to suggest chucking "The Devil is in the Details" heading and redistributing the current sub-bullets to other Principles as follows if there are no objections:</DIV>
<DIV>&nbsp;</DIV>
<DIV>
<P>- Weed out false positives &gt; <EM>Use the Right Tools</EM></P>
<P>- Thoroughly explore logic in an attempt to expose flaws &gt; <EM>Use The Source Code When Possible</EM></P>
<P>- Look for discrete vulnerabilities &gt; <EM>Use The Source Code When Possible</EM></P>
<P>- Become intimate with the application &gt; <EM>Know Thy Target</EM></P>
<P>- Evaluate every aspect &gt; <EM>Know Thy Target</EM></P>
<P>&nbsp;</P>
<P><EM>Below is the current list of Principles:</EM></P>
<P>&nbsp;</P>
<P>There is No Silver Bullet</P>
<P>Think Strategically, Not Tactically</P>
<P>The SDLC is King</P>
<P>Test Early and Test Often</P>
<P>Understand the Scope</P>
<P>Mindset</P>
<P>Know Thy Target</P>
<P>Use the Right Tools</P>
<P>The Devil is in the Details</P>
<P>Use The Source Code When Possible</P>
<P>Develop Metrics</P>
<P>&nbsp;</P>
<P><EM>Proposed List:</EM></P>
<P>&nbsp;</P>
<P>There is No Silver Bullet</P>
<P>Think Strategically, Not Tactically</P>
<P>The SDLC is King</P>
<P>Test Early and Test Often</P>
<P>Understand the Scope</P>
<P>Mindset</P>
<P>Know Thy Target</P>
<P>Use the Right Tools</P>
<P>Use The Source Code When Possible</P>
<P>Develop Metrics</P>
<P>&nbsp;</P>
<P>- Carl</P>
</DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><FONT size=2>-----Original Message----- <BR><B>From:</B> Mark Curphey [mailto:mark.curphey at foundstone.com] <BR><B>Sent:</B> Tue 3/30/2004 8:56 AM <BR><B>To:</B> owasp-testing at lists.sourceforge.net <BR><B>Cc:</B> <BR><B>Subject:</B> [OWASP-TESTING] OWASP Testing Project Part 1.doc<BR><BR></FONT></DIV>
<P><FONT size=2>This should flow better as per Jeff's comments. I will complete the Threat Modeling section later today.</FONT></P>
<P><FONT size=2>Mark</FONT> <BR><FONT size=2>&nbsp;&lt;&lt;OWASP Testing Project Part 1.doc&gt;&gt; </FONT></P></BLOCKQUOTE></BLOCKQUOTE></DIV>



