[OWASP-TESTING] finally!

Javier Fernandez-Sanguino jfernandez at germinus.com
Mon Apr 18 05:13:18 EDT 2005

Mauro Bregolin wrote:

> Jeff,
> I agree with the posting you refer to. What do you mean exactly with "we
> should keep the techniques (scanning, manual pentest, static analysis,
> manual code review) separate from the purpose (audit or test)"?
> Judging by how people replied to my original post, it appears there's not a
> unified consensus right now.
> Perhaps it is worth trying to synchronize everybody on this matter before
> things get started?

Quite sincerely, I don't believe that talking semantics is useful at 
this stage. The previous version of the document, as well as the 
pentest checklist, already advanced what this document should be 
about. I think it would be best if we wrote content filling up the 
holes in the different chapters rather than discussed what each one's 
views on audit vs. testing are.

As for your mention of discovering information about the web app 
structure as you go along, please review what the OWASP checklist we 
wrote a while back says about this. That same content can be folded 
back into the OWASP Testing phase II.
