[OWASP-TESTING] WAVA vs Pentest

glyng at moiler.com glyng at moiler.com
Fri Jun 24 06:54:07 EDT 2005


We tend to use the term 'penetration test' for impact, but
(application|infrastructure) security assessment as the actual description.

We're heading for a more all-encompassing security review of web-applications
through this methodology than 'vulnerability assessment' would imply, and I
agree that it's more an infrastructure-related term.  As Dan says,
vulnerability assessment is, in my experience, used to define the more
automated approach to security assessments, and OWASP is very much driven by a
more skilled and manual methodology.

While terms including the word 'hack' may have negative connotations to some,
I've rarely experienced anyone who feels the same way about 'penetration
testing'.

Quoting Revelli Alberto <a.revelli at reply.it>:

> I prefer to use "penetration testing" too.
>
> Whether it is correct or not, "vulnerability assessment" is more and
> more used to indicate automated scans that only scratch the surface of
> what is to be tested.
>
> I have never had the impression that "penetration testing" could convey
> a negative impression (at least here in Italy). But IMHO it would not be
> a problem anyway, since this Guide is meant to be a practical resource
> for security professionals and not a marketing tool targeted to
> customers.
>
> ...and "WAPT" sounds good to me
>
> Alberto
>
> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net on behalf of Syed Mohamed A
> Sent: Fri 6/24/2005 11:30 AM
> To: 'Daniel Cuthbert'; 'Stephen Venter'
> Cc: owasp-testing at lists.sourceforge.net
> Subject: RE: [OWASP-TESTING] WAVA vs Pentest
>
> I agree with Dan... "Auditing" sounds more of non-technical... so OWASP
> Guide to WAPT (Web Application Penetration Testing)
> How does it sound "WAPT"?
>
> Regards
> Syed
> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net
> [mailto:owasp-testing-admin at lists.sourceforge.net]On Behalf Of Daniel
> Cuthbert
> Sent: Friday, June 24, 2005 2:38 PM
> To: Stephen Venter
> Cc: owasp-testing at lists.sourceforge.net
> Subject: Re: [OWASP-TESTING] WAVA vs Pentest
>
>
> I'm not sure about the term vulnerability assessments; to me, it has
> always been used by consultancies who do not have the knowledge of
> advanced penetration testing, and use tools like Nessus to find
> vulnerabilities (but not exploit them).
>
> Also, black box and white box testing is used throughout the industry
> and I REALLY don't want the word audit anywhere, as there is a massive
> difference between an audit function and a security review (speaking
> from experience here, being an ex-KPMG person).
>
> Remember this guide isn't meant for non-technical people; it's aimed at
> professionals who need to test their applications for security issues.
>
>
> On 24 Jun 2005, at 09:41, Stephen Venter wrote:
>
>> Hi all
>>
>> When I raised this point before, I didn't get much in the way of
>> responses. Perhaps you all might take a moment now to comment on or
>> discuss these suggestions of mine?
>> I also refer you to:
>> http://sourceforge.net/mailarchive/message.php?msg_id=11512183
>> and
>> http://sourceforge.net/mailarchive/message.php?msg_id=11513842
>>
>> Basically I am proposing that it could be better to use the term
>> Application Vulnerability Assessment (AVA), or in this specific case:
>> Web Application Vulnerability Assessment (WAVA), instead of the term
>> Pentest.
>>
>> So we'd call the guide the "OWASP Guide to Web Application
>> Vulnerability Assessments" instead of the "OWASP Guide to Web
>> Application Penetration Testing", and within the guide we'd use
>> headings like (see: the template1.htm published with the latest
>> "Testing_Guide_II_structure.doc"):
>>  - Anonymous or Unauthenticated user perspective [short version:
>> Anonymous]
>>  - Authenticated or logged in user perspective [short: Authenticated]
>>  - Auditor or Full access perspective [short: Auditor]
>> instead of:
>>  - Black Box; and
>>  - White Box
>>
>> Some motivations for these ideas, including:
>> 1. I find that customer non-technical executives understand the term
>> "Vulnerability Assessment" better than "Pentest"
>> 2. Pentest has more connotations of a negative nature, or associations
>> with terms like "hacking" and "trying to break the system", whereas
>> "Vulnerability Assessments" is a term that seems to convey more positive
>> ideas like what we're really trying to do here: i.e. help identify
>> weaknesses so they can be resolved effectively.
>> 3. Also, terms like "Anonymous", "Authenticated" and "Auditor" are
>> understood better by non-technical people than the terms "Black Box"
>> and "White box"
>>
>> Also, following on from this, there would obviously be a need to
>> explain the terms within the Testing guide introduction / overview
>> sections.
>>
>> Also, I feel that the template1.htm (published with the latest
>> "Testing_Guide_II_structure.doc") could be updated to include the
>> sections:
>> How to Test -> Anonymous perspective; Authenticated perspective; and
>> Auditor perspective
>> instead of currently: How to Test -> Black Box; and White Box
>>
>> Also, the "Short Description of Issue" section could include a "Short
>> statement with reference to Anonymous, Authenticated and Auditor
>> perspectives" after the basic outline of the issue - for example an
>> SQL Injection issue identified in an ASP page that you cannot access
>> unless you have successfully authenticated, then the issue (as well as
>> the remediation measure) are not applicable for the anonymous user
>> perspective [but it does expose the system to serious risk with
>> respect to authenticated users].
>>
>> Also, couldn't there perhaps be another section like "Short
>> description of the remediation options", e.g. input validation
>> controls to be built into the application, or an application firewall
>> / filter, or better password complexity checking, or things like that?
>> Perhaps this section could also consider the differences between
>> Anonymous, Authenticated and Auditor perspectives - e.g. when testing
>> for SQL Injection in an ASP page that you cannot access unless you are
>> authenticated, then the issue as well as the remediation measure are
>> not applicable for the anonymous user perspective, but if the SQL
>> injection occurs in the login screen / page of the app, then it places
>> the system and organisation at risk from anonymous users.
>>
>> Regards,
>> Steve
>>
>> -------------------------------------------------------
>> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
>> from IBM. Find simple to follow Roadmaps, straightforward articles,
>> informative Webcasts and more! Get everything you need to get up to
>> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
>> _______________________________________________
>> owasp-testing mailing list
>> owasp-testing at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/owasp-testing


