[OWASP-TESTING] Next stage

Sebastien Deleersnyder sdl at ascure.com
Thu Jun 23 07:23:56 EDT 2005


Eoin,

I agree with you here: what we deliver as a report is our analysis.
Whatever the 'customer' wants to do with it internally is his own
business, but like you say: we have to stick to our guns.
It is however critically important that during a reporting cycle the
results have been validated with the customer - preferably technical -
people before a final report is presented to management. Otherwise you
immediately end up in acceptance problems.
This also means that the reporting has to be very clear on the
results and should be limited to factual things. So refrain from any
subjective standpoints!

Regards,

Seba

-----Original Message-----
From: Eoin Keary [mailto:eoinkeary at hotmail.com] 
Sent: Thursday 23 June 2005 12:33
To: daniel.cuthbert at owasp.org; Sebastien Deleersnyder
Cc: owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] Next stage

You may not agree with me but here I go (again):

<rant>

Reporting results to a client can fall into one of two
categories:
1. Acceptance of the findings and risk evaluation level (Low, Medium,
High)
2. Non-Acceptance of the findings or risk eval level.

"Sticking to one's guns" regarding an analyst's opinion of the risk and
bad practice may not be what the client wants to hear.
They may wish for you to downgrade the risk level, or they may say
"Trusted users use this application only" in order to lower the
perception of any risk.

This can be difficult, as you want to keep a client happy who is paying you.
What does one do? (We all would like repeat business.) In my opinion one
should NOT, never, no way dilute the results. Being careful with the words
used in the executive summary is of paramount importance, to explain the
risk without being alarmist.
</rant>


>From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>To: Sebastien Deleersnyder <sdl at ascure.com>
>CC: owasp-testing at lists.sourceforge.net
>Subject: Re: [OWASP-TESTING] Next stage
>Date: Thu, 23 Jun 2005 11:09:17 +0100
>
>I am also working on a fairly big section of reporting and after
>effects of the security test, so would appreciate the help!
>
>
>On 23 Jun 2005, at 09:34, Sebastien Deleersnyder wrote:
>
>>Hi,
>>
>>I would like to:
>>1) put in a section on reporting results (after Analyzing results ?)
>>2) help with the overall review
>>
>>I do not agree with the free-loader remark: one of the reasons I
>>subscribed to this list is to stay current on progress and report this
>>in the Belgium Chapter meetings (being the Chapter leader).
>>
>>Regards,
>>
>>Seba
>>
>>
>>-----Original Message-----
>>From: owasp-testing-admin at lists.sourceforge.net
>>[mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>>Cuthbert
>>Sent: Tuesday 21 June 2005 11:05
>>To: owasp-testing at lists.sourceforge.net
>>Subject: [OWASP-TESTING] Next stage
>>
>>Morning all,
>>
>>Sorry for the short break in the testing guide progress, the real
>>world caught up with me.
>>Attached are the documents needed for the next part of the guide, and 
>>they are:
>>
>>Testing Guide II Structure.doc
>>
>>This is the final TOC as we agreed and next to each section, there is
>>the option to add your name and your e-mail address (i.e. you will be
>>writing this section)
>>
>>template1.htm
>>
>>If you could structure all your submissions using this template (you
>>can use any format you like, word/text/xml, as long as I can read it
>>on a mac!)
>>
>>Guidelines for creating sections:
>>
>>- DO NOT DO A STRAIGHT COPY FROM ANY OTHER SOURCES ON THE WEB!
>>Plagiarism won't be accepted.
>>This testing guide should reflect the experience you all have in
>>application testing. One of the benefits of OWASP is that the wealth
>>of experience from the contributors enables the reader to understand
>>the section they are reading, as it is presented in a well-structured
>>format, which, unlike a large amount of research papers on the web
>>today, isn't normally the case.
>>
>>- Try and use examples where possible and also let other "non-security"
>>individuals read what you have written. This ensures that it makes
>>sense to everyone and not just the hardcore penetration testers out
>>there.
>>
>>- I understand everyone has a life and work commitments, so please
>>don't select loads of sections if you know you may not be able to
>>commit to them in the end run.
>>
>>- Contact me if you have any issues during this next phase
>>
>>
>>I think we should aim to have all the sections written by mid August, 
>>how does this sound for everyone?
>>
>>Obviously if you feel there is a section missing from the TOC, by all 
>>means contact me
>>
>>Look forward to seeing the work coming in
>>
>>Daniel Cuthbert
>>
>>
>>_______________________________________________
>>owasp-testing mailing list
>>owasp-testing at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/owasp-testing
>>
>>
