Eoin Keary eoinkeary at hotmail.com
Fri Jun 24 08:35:25 EDT 2005

Im with you Dan.
Audit is not a great word given the amount of popularity compliance audit is 
Pent test was always the politically correct word for  what we do?

>From: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>To: Stephen Venter <stephen.venter at gmail.com>
>CC: owasp-testing at lists.sourceforge.net
>Subject: Re: [OWASP-TESTING] WAVA vs Pentest
>Date: Fri, 24 Jun 2005 10:07:37 +0100
>Im not sure about the term vulnerability assessments, to me, it has  always 
>been used by consultancies who do not have the knowledge of  advanced 
>penetration testing, and use tools like nessus to find  vulnerabilities 
>(but not exploit them)
>Also black box and white box testing is used throughout the industry  and i 
>REALLY dont want the word audit anywhere, as there is a massive  difference 
>between an audit function and a security review (speaking  from experience 
>here being an ex KPMG person)
>Remember this guide isnt meant for non-technical people, its aimed at  
>professionals who need to test their applications for security issues.
>On 24 Jun 2005, at 09:41, Stephen Venter wrote:
>>Hi all
>>When I raised this point before, I didn't get much in the way of
>>responses. Perhaps you all might take a moment now to comment on or
>>discuss these suggestions of mine?
>>I also refer you to:
>>Basically I am proposing that it could be better to use the term
>>Application Vulnerability Assessment (AVA), or in this specific case:
>>Web Application Vulnerability Assessment (WAVA), instead of the term
>>So we'd call the guide the "OWASP Guide to Web Application
>>Vulnerability Assessments" instead of the "OWASP Guide to Web
>>Application Penetration Testing", and within the guide we'd use
>>headings like (see: the template1.htm published with the latest
>>  - Anonymous or Unauthenticated user perspective [short version:  
>>  - Authenticated or logged in user perspective [short: Authenticated]
>>  - Auditor or Full access perspective [short: Auditor]
>>instead of:
>>  - Black Box; and
>>  - White Box
>>Some motivations for these ideas, including:
>>1. I find that customer non-technical executives understand the term
>>"Vulnerability Assessment" better than "Pentest"
>>2. Pentest has more connotations of a negative nature, or associations
>>with terms like "hacking" and "trying to break the system", whereas
>>"Vulnerability Assessments" is a term that seems convey more positive
>>ideas like what we're really trying to do here: i.e. help identify
>>weaknesses so they can be resolved effectively.
>>3. Also, terms like "Anonymous", "Authenticated" and "Auditor" are
>>understood better by non-technical people than the terms "Black Box"
>>and "White box"
>>Also, following on from this, there would obviously be a need to
>>explain the terms within the Testing guide introduction / overview
>>Also, I feel that the template1.htm (published with the latest
>>"Testing_Guide_II_structure.doc") could be updated to include the
>>How to Test -> Anonymous perspective; Authenticated perspective; and
>>Auditor perspective
>>instead of currently: How to Test -> Black Box; and White Box
>>Also, the "Short Description of Issue" section could include a "Short
>>statement with reference to Anonymous, Authenticated and Auditor
>>perspectives" after the basic outline of the issue - for example an
>>SQL Injection issue identified in an ASP page that you cannot access
>>unless you have successfully authenticated, then the issue (as well as
>>the remediation measure) are not applicable for the anonymous user
>>perspective [but it does expose the system to serious risk with
>>respect to authenticated users].
>>Also, couldn't there perhaps be another section like "Short
>>description of the remediation options", e.g. input validation
>>controls to be build into the application, or an application firewall
>>/ filter, or better password complexity checking, or things like that?
>>Perhaps this section could also consider the differences between
>>Anonymous, Authenticated and Auditor perspectives – e.g. when testing
>>for SQL Injection in an ASP page that you cannot access unless you are
>>authenticated, then the issue as well as the remediation measure are
>>not applicable for the anonymous user perspective, but if the SQL
>>injection occurs in the login screen / page of the app, then it places
>>the system and organisation at risk from anonymous users.
>>SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
>>from IBM. Find simple to follow Roadmaps, straightforward articles,
>>informative Webcasts and more! Get everything you need to get up to
>>speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
>>owasp-testing mailing list
>>owasp-testing at lists.sourceforge.net
>SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
>from IBM. Find simple to follow Roadmaps, straightforward articles,
>informative Webcasts and more! Get everything you need to get up to
>speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
>owasp-testing mailing list
>owasp-testing at lists.sourceforge.net

Start dating right now with FREE Match.com membership! http://match.msn.ie

More information about the Owasp-testing mailing list