[OWASP-TESTING] finally!

Daniel daniel.cuthbert at owasp.org
Mon Apr 18 04:11:10 EDT 2005


I don't want the guide to have a detailed section on code auditing as there
are, as Harinath mentioned, loads of commercial and free tools which
perform the task.

What would be great is a section that explains how these tools work, maybe
gives some examples of dodgy code and also why this technique can yield
some important information.

The testing guide, I think, should be aimed more towards the tester who
doesn't always have full access to the source code, hence more of a
black-box testing guide.

Harinath Pudipeddi said:
> Hello Eoin,
>
> I differ to agree with your first paragraph on Testing and Audit. Code
> Audit and White Box are two different approaches to ensure Quality and
> Stability of code. If you are seeing White box testing as audit for
> code, then you are missing key ingredients in making your code "Error
> Free". We have many white box testing tools in the market today. Also,
> the approach for White box testing is quite different than auditing.
>
> Hari
>
> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Keary,
> Eoin
> Sent: Friday, April 15, 2005 7:28 PM
> To: 'Mauro Bregolin'; Daniel Cuthbert;
> owasp-testing at lists.sourceforge.net
> Subject: SPAM-LOW: RE: [OWASP-TESTING] finally!
>
> Personally we view whitebox as audit and blackbox as testing.
> Audit we see, say, the source code and review if it conforms to internal
> policy and best practice.
> Testing is from a user perspective, what the user sees. No code exposed,
> just inputs and corresponding outputs.
>
> Regarding port scanning and footprinting, these are initial phases of a
> pen test, the assessment phase. And it seems correct to cover assessment
> tasks in their own section.
> Information leakage is also a part of the assessment phase but is
> closely related to the attack phase, as a slight adjustment to the attack
> vector can lead to an exploit.
>
> Regarding patching and versions of appserver, this is related to the
> "secure code environment": this includes configuration and deployment,
> versioning, administration policy and redundancy/failover.
>
Daniel