[OWASP-TESTING] WAVA vs Pentest

Daniel Cuthbert daniel.cuthbert at owasp.org
Fri Jun 24 05:07:37 EDT 2005


Im not sure about the term vulnerability assessments, to me, it has  
always been used by consultancies who do not have the knowledge of  
advanced penetration testing, and use tools like nessus to find  
vulnerabilities (but not exploit them)

Also black box and white box testing is used throughout the industry  
and i REALLY dont want the word audit anywhere, as there is a massive  
difference between an audit function and a security review (speaking  
from experience here being an ex KPMG person)

Remember this guide isnt meant for non-technical people, its aimed at  
professionals who need to test their applications for security issues.


On 24 Jun 2005, at 09:41, Stephen Venter wrote:

> Hi all
>
> When I raised this point before, I didn't get much in the way of
> responses. Perhaps you all might take a moment now to comment on or
> discuss these suggestions of mine?
> I also refer you to:
> http://sourceforge.net/mailarchive/message.php?msg_id=11512183
> and
> http://sourceforge.net/mailarchive/message.php?msg_id=11513842
>
> Basically I am proposing that it could be better to use the term
> Application Vulnerability Assessment (AVA), or in this specific case:
> Web Application Vulnerability Assessment (WAVA), instead of the term
> Pentest.
>
> So we'd call the guide the "OWASP Guide to Web Application
> Vulnerability Assessments" instead of the "OWASP Guide to Web
> Application Penetration Testing", and within the guide we'd use
> headings like (see: the template1.htm published with the latest
> "Testing_Guide_II_structure.doc"):
>  - Anonymous or Unauthenticated user perspective [short version:  
> Anonymous]
>  - Authenticated or logged in user perspective [short: Authenticated]
>  - Auditor or Full access perspective [short: Auditor]
> instead of:
>  - Black Box; and
>  - White Box
>
> Some motivations for these ideas, including:
> 1. I find that customer non-technical executives understand the term
> "Vulnerability Assessment" better than "Pentest"
> 2. Pentest has more connotations of a negative nature, or associations
> with terms like "hacking" and "trying to break the system", whereas
> "Vulnerability Assessments" is a term that seems convey more positive
> ideas like what we're really trying to do here: i.e. help identify
> weaknesses so they can be resolved effectively.
> 3. Also, terms like "Anonymous", "Authenticated" and "Auditor" are
> understood better by non-technical people than the terms "Black Box"
> and "White box"
>
> Also, following on from this, there would obviously be a need to
> explain the terms within the Testing guide introduction / overview
> sections.
>
> Also, I feel that the template1.htm (published with the latest
> "Testing_Guide_II_structure.doc") could be updated to include the
> sections:
> How to Test -> Anonymous perspective; Authenticated perspective; and
> Auditor perspective
> instead of currently: How to Test -> Black Box; and White Box
>
> Also, the "Short Description of Issue" section could include a "Short
> statement with reference to Anonymous, Authenticated and Auditor
> perspectives" after the basic outline of the issue - for example an
> SQL Injection issue identified in an ASP page that you cannot access
> unless you have successfully authenticated, then the issue (as well as
> the remediation measure) are not applicable for the anonymous user
> perspective [but it does expose the system to serious risk with
> respect to authenticated users].
>
> Also, couldn't there perhaps be another section like "Short
> description of the remediation options", e.g. input validation
> controls to be build into the application, or an application firewall
> / filter, or better password complexity checking, or things like that?
> Perhaps this section could also consider the differences between
> Anonymous, Authenticated and Auditor perspectives – e.g. when testing
> for SQL Injection in an ASP page that you cannot access unless you are
> authenticated, then the issue as well as the remediation measure are
> not applicable for the anonymous user perspective, but if the SQL
> injection occurs in the login screen / page of the app, then it places
> the system and organisation at risk from anonymous users.
>
> Regards,
> Steve-------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>
>





More information about the Owasp-testing mailing list