[OWASP-TESTING] finally!

Harinath Pudipeddi harinath.pudipeddi at softrel.org
Sat Apr 16 00:33:57 EDT 2005

Hello Eoin,

I differ to agree with your first paragraph on Testing and Audit. Code
Audit and White Box are two different approaches to ensure Quality and
Stability of code. If you are seeing White box testing as audit for
code, then you are missing key ingredients in making your code "Error
Free". We have many white box testing tools in the market today. Also,
the approach for White box testing is quite different than auditing. 


-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Keary,
Sent: Friday, April 15, 2005 7:28 PM
To: 'Mauro Bregolin'; Daniel Cuthbert;
owasp-testing at lists.sourceforge.net
Subject: SPAM-LOW: RE: [OWASP-TESTING] finally!

Personally we view whitebox as audit and blackbox as testing.
Audit we see, say, the source code and review if it conforms to internal
policy and best practice.
Testing is from a user perspective, what the user sees. No code exposed,
inputs and corresponding outputs.

Regarding port scanning and footprinting these are initial phases of a
test, the assessment phase. And it seems correct to cover assessment
in their own section.
Information leakage is also a part of the assessment phase but is
related to the attack phase as a slight adjustment to the attack vector
lead to an exploit.

Regarding patching and versions of appserver this is related to the
"code environment": this includes configuration and deployment,
administration policy and redundancy/failover.
