[OWASP-TESTING] finally!

Daniel daniel.cuthbert at owasp.org
Mon Apr 18 04:20:30 EDT 2005


I don't want us to get stuck in the audit vs. pentest argument as we need
to decide on the outline of the 2nd phase so we can get started on the
actual content.

The checklist is morphing into a more structured methodology (as talked
about at the recent OWASP conference).
I'd love for the testing methodology to be seen as _the_ standard
methodology used when testing web applications (or traditional
applications to a degree).

I'll be working on the hows and when of this methodology alongside the
testing phase and hopefully we can keep the two projects in sync.





Javier Fernandez-Sanguino said:
> Mauro Bregolin wrote:
>
>> Jeff,
>>
>> I agree with the posting you refer to. What do you mean exactly with "we
>> should keep the techniques (scanning, manual pentest, static analysis,
>> manual code review) separate from the purpose (audit or test)"?
>>
>> Judging by how people replied to my original post, it appears there's
>> not a
>> unified consensus right now.
>> Perhaps it is worth trying to synchronize everybody on this matter
>> before
>> things get started?
>
> Quite sincerely, I don't believe that talking semantics is useful at
> this stage. The previous version of the document, as well as the
> pentest checklist, already advanced what this document should be
> about. I think it would be best if we wrote content filling up the
> holes in the different chapters than discuss what each one's views on
> audit vs. testing are.
>
> As for your mention on discovering information of the web app
> structure as you go along, please review what the OWASP checklist we
> wrote a while back says about this. That same content can be folded
> back in the OWASP Testing phase II.
>
> Regards
>
> Javier
>
>


Daniel



