[OWASP-TESTING] final release, my edits

Mauro Bregolin mauro_bregolin at yahoo.com
Wed Nov 17 10:11:38 EST 2004

Haven't had the time to go through (another) full
review but preferred to send back a few remarks

Apparently, a few of my former comments ended up lost
somewhere, like Javier's.
Here they are:

- page 11, regarding the statement 'The primary issue
with OCTAVE is its use of likelihood = 1, or “all
risks are equally risky”', I believe it is not
entirely true;  at least, OCTAVE-S (OCTAVE's tailored
version for smaller enterprises) provides the means
for describing the likelihood of future occurrences of
a threat (as well as recording how often it occurred
in the past), i.e. defining probabilities.
  If I remember correctly, in OCTAVE probabilities are
an optional feature.

Action: I have deleted the whole sentence.
I have performed OCTAVE-S -based assessments, and made
use of probabilities.
Didn't invent anything new since these concepts are
built into the methodology and have their place in the
As I wrote before, in the "original" OCTAVE (not the
tailored version for smaller enterprises)
probabilities were left as an optional component;
however, I've never used it in practice and don't even
know if it underwent
changes in this respect since I read its
Anyone else out there with experience on OCTAVE who
would like to comment?

- page 16 seems to be incomplete...

Now it's page 19 - still pending.
Action: Should be completed by the author.

- page 26 Figure "Typical SDLC Testing Workflow".
Shouldn't it include (in the development, deployment
sections) test activities to validate the artifact
being built against functional and non-functional
requirements? (the real test cases... including
acceptance tests if needed after deployment)

Action: This was actually approved by Daniel but
seemingly not implemented.
I tried to modify the drawing myself but was not able
to pick up the same font used in the original.
Inserted in the doc an updated version anyway.

Additional notes:

- updated the TOC which wasn't in sync
- page 2, it's probably better to update the phase II
estimate with a more reasonable guess (Q2 2005? -
haven't touched the text)
- changed notation on page 28 to express 30 to the
28th power
- URL of 1st whitepaper on page 28 still with a
pending note (not mine)
- changed "Secure in the Java platform" to "Security
in ...", page 29
- dared to add myself to the contributors (though
"author" in my case is decidedly an overstatement;
haven't written "reviewer" since listing only one
sounds bad and would not be correct - I think we
should mention explicitly all the reviewers)

- phase 1A, SDLC still outstanding

Best regards to all


-------------- next part --------------
A non-text attachment was scrubbed...
Name: the owasp testing project1 - pre-rel-mbr.doc
Type: application/msword
Size: 437248 bytes
Desc: the owasp testing project1 - pre-rel-mbr.doc
Url : http://lists.owasp.org/pipermail/owasp-testing/attachments/20041117/d97b3388/attachment.doc 
