[OWASP-TESTING] Contribution to OWASP testing: Configuration Management (infrastructure and application)

Javier Fernandez-Sanguino jfernandez at germinus.com
Mon Aug 1 05:15:44 EDT 2005

Hash: SHA1

Hi everyone,

Attached is my contribution to the OWASP testing manual (as you all
know, today is the deadlines for assigned contributions). I'm not all
too happy with it as, when writing it, I was not able to find really
good tests for each of the sections and the section is more biased
towards "review" (or audit) than "testing".

I will wait to see the other contributions to this part before I go
ahead and write a few of the mini-sections that remain from what I
asked to be assigned (File-system permissions, Process permissions,
and HTML and hidden form fields) since, again, the only way I can make
myself to write about this is from an auditors perspective.

Maybe by reading other's work and seeing how they tackle other similar
topics I might "see the light" on how I should cover these, and also
what kind of technical tests (not reviews) I should introduce.



PS: I didn't want these part to be a detailed configuration guide on
setting up or reviewing Apache or IIS configuration, as there is
already good content out there. If you believe it is too generic
please say so and I will try to reuse some (unpublished) I wrote on
that topic in the past.

Version: PGP 8.0.3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP-Testing-contrib-jfs.doc
Type: application/msword
Size: 74752 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-testing/attachments/20050801/1c2b0395/attachment.doc 

More information about the Owasp-testing mailing list