[OWASP-TESTING] WAVA vs Pentest

Revelli Alberto a.revelli at reply.it
Fri Jun 24 06:34:11 EDT 2005


I prefer to use "penetration testing" too.

Whether it is correct or not, "vulnerability assessment" is more and more used to indicate automated scans that only scratch the surface of what is to be tested.

I have never had the impression that "penetration testing" could convey a negative impression (at least here in Italy). But IMHO it would not be a problem anyway, since this Guide is meant to be a practical resource for security professionals and not a marketing tool targeted to customers. 

...and "WAPT" sounds good to me

Alberto

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net on behalf of Syed Mohamed A
Sent: Fri 6/24/2005 11:30 AM
To: 'Daniel Cuthbert'; 'Stephen Venter'
Cc: owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] WAVA vs Pentest
 
I agree with Dan... "Auditing" sounds more non-technical... so OWASP
Guide to WAPT (Web Application Penetration Testing).
How does "WAPT" sound?

Regards
Syed
-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net
[mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Daniel
Cuthbert
Sent: Friday, June 24, 2005 2:38 PM
To: Stephen Venter
Cc: owasp-testing at lists.sourceforge.net
Subject: Re: [OWASP-TESTING] WAVA vs Pentest


I'm not sure about the term vulnerability assessments; to me, it has
always been used by consultancies who do not have the knowledge of
advanced penetration testing, and use tools like Nessus to find
vulnerabilities (but not exploit them).

Also, black box and white box testing is used throughout the industry,
and I REALLY don't want the word audit anywhere, as there is a massive
difference between an audit function and a security review (speaking
from experience here, being an ex-KPMG person).

Remember this guide isn't meant for non-technical people; it's aimed at
professionals who need to test their applications for security issues.


On 24 Jun 2005, at 09:41, Stephen Venter wrote:

> Hi all
>
> When I raised this point before, I didn't get much in the way of
> responses. Perhaps you all might take a moment now to comment on or
> discuss these suggestions of mine?
> I also refer you to:
> http://sourceforge.net/mailarchive/message.php?msg_id=11512183
> and
> http://sourceforge.net/mailarchive/message.php?msg_id=11513842
>
> Basically I am proposing that it could be better to use the term
> Application Vulnerability Assessment (AVA), or in this specific case:
> Web Application Vulnerability Assessment (WAVA), instead of the term
> Pentest.
>
> So we'd call the guide the "OWASP Guide to Web Application
> Vulnerability Assessments" instead of the "OWASP Guide to Web
> Application Penetration Testing", and within the guide we'd use
> headings like (see: the template1.htm published with the latest
> "Testing_Guide_II_structure.doc"):
>  - Anonymous or Unauthenticated user perspective [short version:
> Anonymous]
>  - Authenticated or logged in user perspective [short: Authenticated]
>  - Auditor or Full access perspective [short: Auditor]
> instead of:
>  - Black Box; and
>  - White Box
>
> Some motivations for these ideas, including:
> 1. I find that customer non-technical executives understand the term
> "Vulnerability Assessment" better than "Pentest"
> 2. Pentest has more connotations of a negative nature, or associations
> with terms like "hacking" and "trying to break the system", whereas
> "Vulnerability Assessments" is a term that seems to convey more positive
> ideas like what we're really trying to do here: i.e. help identify
> weaknesses so they can be resolved effectively.
> 3. Also, terms like "Anonymous", "Authenticated" and "Auditor" are
> understood better by non-technical people than the terms "Black Box"
> and "White box"
>
> Also, following on from this, there would obviously be a need to
> explain the terms within the Testing guide introduction / overview
> sections.
>
> Also, I feel that the template1.htm (published with the latest
> "Testing_Guide_II_structure.doc") could be updated to include the
> sections:
> How to Test -> Anonymous perspective; Authenticated perspective; and
> Auditor perspective
> instead of currently: How to Test -> Black Box; and White Box
>
> Also, the "Short Description of Issue" section could include a "Short
> statement with reference to Anonymous, Authenticated and Auditor
> perspectives" after the basic outline of the issue - for example an
> SQL Injection issue identified in an ASP page that you cannot access
> unless you have successfully authenticated, then the issue (as well as
> the remediation measure) are not applicable for the anonymous user
> perspective [but it does expose the system to serious risk with
> respect to authenticated users].
>
> Also, couldn't there perhaps be another section like "Short
> description of the remediation options", e.g. input validation
> controls to be built into the application, or an application firewall
> / filter, or better password complexity checking, or things like that?
> Perhaps this section could also consider the differences between
> Anonymous, Authenticated and Auditor perspectives - e.g. when testing
> for SQL Injection in an ASP page that you cannot access unless you are
> authenticated, then the issue as well as the remediation measure are
> not applicable for the anonymous user perspective, but if the SQL
> injection occurs in the login screen / page of the app, then it places
> the system and organisation at risk from anonymous users.
>
> Regards,
> Steve
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>
>


