[OWASP-TESTING] FW: OWASP Testing, part 1 - comments

Mauro Bregolin mauro_bregolin at yahoo.com
Tue Oct 19 09:48:18 EDT 2004

A few (marginal) comments below.
Congrats for the good doc.


- page 11, regarding the statement 'The primary issue with OCTAVE is its use of
  likelihood = 1, or "all risks are equally risky"', I believe it is not
  entirely true; at least, OCTAVE-S (OCTAVE's tailored version for smaller
  enterprises) provides the means for describing the likelihood of future
  occurrences of a threat (as well as recording how often it occurred in the
  past), i.e. defining probabilities. If I remember correctly, in OCTAVE
  probabilities are an optional feature.

- typo on page 12, should be "if you want to know what's really going on,
  go straight to the source" instead of "...to straight to the source".
- typo on page 12, should be "or is supposed to be happening" instead of
- typo on page 12, should be "Can miss calls to issues in compiled libraries"
  instead of "can missed..."
- typo on page 16, should be "as" instead of "aw"

- page 16 seems to be incomplete... (isn't it?)

- page 26, Figure "Typical SDLC Testing Workflow". Shouldn't it include
  (in the development and deployment sections) test activities to validate
  the artifact being built against functional and non-functional
  requirements? (the real test cases... acceptance tests if needed after
  deployment)
