[OWASP-TESTING] finally!

Jeff Williams jeff.williams at aspectsecurity.com
Mon Apr 18 08:50:00 EDT 2005

> I agree with the posting you refer to. What do you mean exactly with "we
> should keep the techniques (scanning, manual pentest, static analysis,
> manual code review) separate from the purpose (audit or test)"?

When you use the word "audit" many people will think of a process by 
corporate entities to ensure compliance with some standard.  But several 
people in this discussion are using the word "audit" to mean code analysis.

I think our guide should focus on the pros and cons of the *techniques* and 
not worry about how people might use them (the purpose).  If people want to 
use our guide as part of a formal ISO17799 audit, great.

Can we agree (for our purposes here) that even if they're doing pure code 
review, they're using "test" techniques that are part of our "testing" 


> -----Original Message-----
> From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com]
> Sent: Saturday, 16 April 2005 15.45
> To: Harinath Pudipeddi; 'Keary, Eoin'; 'Mauro Bregolin'; 'Daniel Cuthbert';
> owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] finally!
> I think we should keep the techniques (scanning, manual pentest, static
> analysis, manual code review) separate from the purpose (audit or test).
> There's some more on this in this thread on webappsec from a while back.
> http://seclists.org/lists/webappsec/2005/Jan-Mar/0360.html
> --Jeff
> ----- Original Message ----- 
> From: "Harinath Pudipeddi" <harinath.pudipeddi at softrel.org>
> To: "'Keary, Eoin'" <eoin.keary at ie.fid-intl.com>; "'Mauro Bregolin'"
> <mauro.bregolin at gmail.com>; "'Daniel Cuthbert'" <daniel.cuthbert at owasp.org>;
> <owasp-testing at lists.sourceforge.net>
> Sent: Saturday, April 16, 2005 12:33 AM
> Subject: RE: [OWASP-TESTING] finally!
>> Hello Eoin,
>> I differ to agree with your first paragraph on Testing and Audit. Code
>> Audit and White Box are two different approaches to ensure Quality and
>> Stability of code. If you are seeing White box testing as audit for
>> code, then you are missing key ingredients in making your code "Error
>> Free". We have many white box testing tools in the market today. Also,
>> the approach for White box testing is quite different than auditing.
>> Hari
>> -----Original Message-----
>> From: owasp-testing-admin at lists.sourceforge.net
>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Keary,
>> Eoin
>> Sent: Friday, April 15, 2005 7:28 PM
>> To: 'Mauro Bregolin'; Daniel Cuthbert;
>> owasp-testing at lists.sourceforge.net
>> Subject: SPAM-LOW: RE: [OWASP-TESTING] finally!
>> Personally we view whitebox as audit and blackbox as testing.
>> Audit we see, say, the source code and review if it conforms to internal
>> policy and best practice.
>> Testing is from a user perspective, what the user sees. No code exposed,
>> just inputs and corresponding outputs.
>> Regarding port scanning and footprinting, these are initial phases of a
>> pen test, the assessment phase. And it seems correct to cover assessment
>> tasks in their own section.
>> Information leakage is also a part of the assessment phase but is closely
>> related to the attack phase, as a slight adjustment to the attack vector
>> can lead to an exploit.
>> Regarding patching and versions of appserver, this is related to the
>> "secure code environment": this includes configuration and deployment,
>> versioning, administration policy and redundancy/failover.
