[OWASP-TESTING] Next stage

Yvan G.J. Boily yboily at gmail.com
Thu Jun 23 07:27:49 EDT 2005


I agree with this; client reporting is designed to present a list of
findings to the client!  If they want to stick their heads in the sand after
you give them the report and ignore it, that is their prerogative.

If you trim out and customize information to pacify management you have
moved yourself into being part of the problem, not part of the solution.  In
the past the reports I have done have never rescinded analysis of issues;
rather they include all of the steps taken to mitigate the issues since
discovered.  

My clients have preferred this (with some prodding :P) because they can use
it to show that they are not actually being proactive.  Proper explanation
of this and ensuring that clients up front can relieve the pressure of this
with a difficult client.

Regards,
Yvan Boily

On 6/23/05 5:33 AM, "Eoin Keary" <eoinkeary at hotmail.com> wrote:

> You may not agree with me but here I go (again):
> 
> <rant>
> 
> Reporting results to a client can fall into one of either two categories.
> 1. Acceptance of the findings and risk evaluation level (Low, Medium High)
> 2. Non-Acceptance of the findings or Risk eval level.
> 
> "Sticking to one's guns" regarding an analyst's opinion of the risk and bad
> practice may not be what the client wants to hear.
> They may wish for you to downgrade the risk level, or they may say "Trusted
> users use this application only" in order to lower the perception of any
> risk.
> 
> This can be difficult, and to keep a client happy who is paying you, what
> does one do? (We all would like repeat business.)
> In my opinion one should NOT, Never, No Way dilute the results. Being
> careful about the words used in the executive summary is of paramount
> importance to explain the risk but not be alarmist.
> </rant>
> 
> 
>> From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>> To: Sebastien Deleersnyder <sdl at ascure.com>
>> CC: owasp-testing at lists.sourceforge.net
>> Subject: Re: [OWASP-TESTING] Next stage
>> Date: Thu, 23 Jun 2005 11:09:17 +0100
>> 
>> I am also working on a fairly big section on reporting and after-effects
>> of the security test, so would appreciate the help!
>> 
>> 
>> On 23 Jun 2005, at 09:34, Sebastien Deleersnyder wrote:
>> 
>>> Hi,
>>> 
>>> I would like to:
>>> 1) put in a section on reporting results (after Analyzing results ?)
>>> 2) help with the overall review
>>> 
>>> I do not agree with the free-loader remark: one of the reasons I
>>> subscribed to this list is to stay current on progress and report this
>>> in the Belgium Chapter meetings (being the Chapter leader).
>>> 
>>> Regards,
>>> 
>>> Seba
>>> 
>>> 
>>> -----Original Message-----
>>> From: owasp-testing-admin at lists.sourceforge.net
>>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Daniel
>>> Cuthbert
>>> Sent: Tuesday, 21 June 2005 11:05
>>> To: owasp-testing at lists.sourceforge.net
>>> Subject: [OWASP-TESTING] Next stage
>>> 
>>> Morning all,
>>> 
>>> Sorry for the short break in the testing guide progress; the real world
>>> caught up with me.
>>> Attached are the documents needed for the next part of the guide, and
>>> they are:
>>> 
>>> Testing Guide II Structure.doc
>>> 
>>> This is the final TOC as we agreed and next to each section, there is
>>> the option to add your name and your e-mail address (i.e. you will be
>>> writing this section)
>>> 
>>> template1.htm
>>> 
>>> If you could structure all your submissions using this template (you can
>>> use any format you like, Word/text/XML, as long as I can read it on a
>>> Mac!)
>>> 
>>> Guidelines for creating sections:
>>> 
>>> - DO NOT DO A STRAIGHT COPY FROM ANY OTHER SOURCES ON THE WEB!
>>> Plagiarism won't be accepted.
>>> This testing guide should reflect the experience you all have in
>>> application testing. One of the benefits of OWASP is that the wealth of
>>> experience from the contributors enables the reader to understand the
>>> section they are reading, as it is presented in a well structured
>>> format, which unlike a large amount of research papers on the web today,
>>> isn't normally the case.
>>> 
>>> - Try and use examples where possible and also let other "non-security"
>>> individuals read what you have written. This ensures that it makes sense
>>> to everyone and not just the hardcore penetration testers out there.
>>> 
>>> - I understand everyone has a life and work commitments, so please don't
>>> select loads of sections if you know you may not be able to commit to
>>> them in the end run.
>>> 
>>> - Contact me if you have any issues during this next phase
>>> 
>>> 
>>> I think we should aim to have all the sections written by mid August,
>>> how does this sound for everyone?
>>> 
>>> Obviously if you feel there is a section missing from the TOC, by all
>>> means contact me
>>> 
>>> Look forward to seeing the work coming in
>>> 
>>> Daniel Cuthbert
>>> 
>>> 
>>> _______________________________________________
>>> owasp-testing mailing list
>>> owasp-testing at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>>> 
>>> 
