[OWASP-TESTING] finally!

Harinath Pudipeddi harinath.pudipeddi at softrel.org
Sat Apr 16 00:33:57 EDT 2005


Hello Eoin,

I differ to agree with your first paragraph on Testing and Audit. Code
Audit and White Box are two different approaches to ensure Quality and
Stability of code. If you are seeing White box testing as audit for
code, then you are missing key ingredients in making your code "Error
Free". We have many white box testing tools in the market today. Also,
the approach for White box testing is quite different than auditing. 

Hari

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Keary, Eoin
Sent: Friday, April 15, 2005 7:28 PM
To: 'Mauro Bregolin'; Daniel Cuthbert; owasp-testing at lists.sourceforge.net
Subject: SPAM-LOW: RE: [OWASP-TESTING] finally!

Personally we view whitebox as audit and blackbox as testing.
Audit we see, say, the source code and review if it conforms to internal
policy and best practice.
Testing is from a user perspective, what the user sees. No code exposed,
just inputs and corresponding outputs.

Regarding port scanning and footprinting, these are initial phases of a
pen test, the assessment phase. And it seems correct to cover assessment
tasks in their own section.
Information leakage is also a part of the assessment phase but is closely
related to the attack phase, as a slight adjustment to the attack vector
can lead to an exploit.

Regarding patching and versions of appserver, this is related to the
"secure code environment": this includes configuration and deployment,
versioning, administration policy and redundancy/failover.







