[OWASP-TESTING] WAVA vs Pentest

Stephen Venter stephen.venter at gmail.com
Fri Jun 24 09:15:20 EDT 2005


Please don't get hung up on specific word - I don't care if we don't
use the word audit, use the term "super user perspective" or "Admin
perspective" or "Code review perspective".

Also, any issues you identify in a web app review have to be
demonstrated via showing the exploit in one way or another. Whether it
is called pentest or vulnerability assessment, does not stop the
assessor from doing the job he's meant to do.

Can you explain how the section in the guide "Finding specific
Vulnerabilities using Source Code Review" is more suited under the
banner of "pentest" than "vulnerability assessment"? Is this activity
not performed during a "code review" [aka "Audit"]? Unless it is a
client-side applet that you download, or you have fully compromised
the server, you would have to get authorised "super user access" or
"Admin Access" or "Code review perspective" access to the code to
assess it.

Also, is it more efficient to try to assess the risks associated with
things like "Process permissions" via locally host reviewing (aka
"auditing") the box, or via first trying to compromising it?

This document is covering more things than just the brute force way of
doing things.  I thought it was about showing the wide variety of
perspectives and options - with the ultimate aim of allowing people to
chooses the most effective, and efficient ways of demonstrating
weaknesses so that they may be fixed properly - and quickly.
Pentesting is not the only means of achieving that goal. Is it? It
certainly does play a large role, but my point is that pentesting it
is not the only activity involved.

On 6/24/05, Eoin Keary <eoinkeary at hotmail.com> wrote:
> Im with you Dan.
> Audit is not a great word given the amount of popularity compliance audit is
> getting.
> Pent test was always the politically correct word for  what we do?
>




More information about the Owasp-testing mailing list