[OWASP-TESTING] RE: [OWASP-TESTING] RE: [OWASP-TESTING] OWASP Testing Project Part 1.doc

Davis, Carl cdavis at fnni.com
Wed Mar 31 01:58:09 EST 2004


Attached is an updated version which includes most of the updates that I
have pertaining to the 'Principles' at this point...which are pretty raw in
some cases.  I have cleared my calendar over the next couple of days so that I
can actively work on these and hopefully wrap 'em up for the most part, if not
completely, this week (final draft).  I sincerely welcome any suggestions,
recommendations, etc.

Personally, I'm not very happy with my current 'SDLC is King' writings after
re-reading NIST 800-64 per Mark's suggestion.

Chow,

- Carl


-----Original Message----- 
From: Mark Curphey [mailto:mark at curphey.com] 
Sent: Tue 3/30/2004 8:45 PM 
To: owasp-testing at lists.sourceforge.net 
Cc: 
Subject: Re: [OWASP-TESTING] RE: [OWASP-TESTING] OWASP Testing Project Part
1.doc


Works for me. Feel free to edit the last draft I sent out. I won't be
touching it for the next 18 hours.



Davis, Carl <cdavis at fnni.com> wrote:

Gentlemen,

By my count (latest draft sent out) we currently have a total of 11
Principles.  I would like to suggest chucking "The Devil is in the Details"
heading and redistributing the current sub-bullets to other 'Principles' as
follows if there are no objections:
 

- Weed out false positives > Use the Right Tools
- Thoroughly explore logic in an attempt to expose flaws > Use The Source Code When Possible
- Look for discrete vulnerabilities > Use The Source Code When Possible
- Become intimate with the application > Know Thy Target
- Evaluate every aspect > Know Thy Target

Below is the current list of Principles:

There is No Silver Bullet
Think Strategically, Not Tactically
The SDLC is King
Test Early and Test Often
Understand the Scope
Mindset
Know Thy Target
Use the Right Tools
The Devil is in the Details
Use The Source Code When Possible
Develop Metrics


Proposed List:

There is No Silver Bullet
Think Strategically, Not Tactically
The SDLC is King
Test Early and Test Often
Understand the Scope
Mindset
Know Thy Target
Use the Right Tools
Use The Source Code When Possible
Develop Metrics

- Carl


-----Original Message----- 
From: Mark Curphey [mailto:mark.curphey at foundstone.com] 
Sent: Tue 3/30/2004 8:56 AM 
To: owasp-testing at lists.sourceforge.net 
Cc: 
Subject: [OWASP-TESTING] OWASP Testing Project Part 1.doc




This should flow better as per Jeff's comments. I will complete the 
Threat Modeling section later today. 

Mark 
 <<OWASP Testing Project Part 1.doc>> 
