[OWASP-TESTING] Timeline for 2nd phase

Matteo Meucci matteo.meucci at gmail.com
Fri Jun 24 09:22:12 EDT 2005


> Where did you get "think PT is more suitable for the Network level, VA is
> more suitable for the Application level." This is not the industry view.

OK, this is my point of view, and I think it is also the industry's point of view.
I also think there are few of us who think of WAVA instead of WAPT, so we
can close the thread and move on.

Mat



> >From: Matteo Meucci <matteo.meucci at gmail.com>
> >Reply-To: Matteo Meucci <matteo.meucci at gmail.com>
> >To: Daniel Cuthbert <daniel.cuthbert at owasp.org>
> >CC: owasp-testing at lists.sourceforge.net
> >Subject: Re: [OWASP-TESTING] Timeline for 2nd phase
> >Date: Fri, 24 Jun 2005 12:24:19 +0200
> >
> >I understand your opinion, but I think it is important:
> >- to distinguish Network PT from WebApp PT (or VA):
> >I think PT is more suitable for the Network level, VA is more suitable
> >  for the Application level.
> >- to give a document that will be the "de facto" standard: if the term
> >WAVA is more widespread than WAPT, I think we have to choose the first
> >one.
> >
> >Mat
> >
> >
> >
> >On 6/24/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> > > Here is how the two terms have always been seen in the industry:
> > >
> > > vulnerability assessment -> find the security hole BUT do not exploit
> > > the hole to prove it's exploitable
> > > penetration test -> find the security hole and try and exploit/gain
> > > access as much as possible
> > >
> > > Are we saying that this guide will only give the 1st steps for
> > > finding the hole, but not how to gain further access into the
> > > application?
> > >
> > > an example would be:
> > >
> > > input form vulnerable to sql injection
> > > --> add %27 to determine impact
> > >   --> add ; exec master..xp_cmdShell 'net user OWASP /add' --
> > >    --> then execute ; exec master..xp_cmdShell 'net localgroup
> > > administrators OWASP /add' --
> > >    --> and then add the user with admin priv's within the db itself
> > >
> > > See, if we are only going to show how to do the 1st step, then how
> > > would someone actually know if it was possible to exploit the app?
> > >
> > > The problem today is that there are way too many consultants out
> > > there who are "vulnerability assessors", but actually have no clue on
> > > how to take the test to the next step
> > >
> > >
> > > On 24 Jun 2005, at 10:15, Matteo Meucci wrote:
> > >
> > > > Ok Daniel,
> > > > I've two questions:
> > > > 1) The title: "OWASP Guide to Web Application Penetration Testing"
> > > > Why not: "OWASP Guide to Web Application Vulnerability Assessment"
> > > > I think "WAVA" is more suitable.
> > > > 2) Timeline: in Italy from 1st August to the 15th everything is closed,
> > > > and everybody is on vacation...
> > > >
> > > > Just my thought.
> > > > Mat
> > > >
> > > >
> > > > On 6/23/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
> > > >
> > > >> Thanks to Javier, here is the timeline:
> > > >>
> > > >> --------------------------------------------------------
> > > >> August 1st - first version of the volunteered sections
> > > >> [ peer review of sections, detection of who is not active, decision
> > > >> to offer up sections to others if people are overloaded, etc ]
> > > >>
> > > >> August 15th - final version of the sections
> > > >> [ peer review of sections, editorial changes ]
> > > >>
> > > >> August 31st - first document draft (all sections put together)
> > > >>
> > > >> [ peer review of the document]
> > > >>
> > > >> September 30th - final release of section 2
> > > >> ---------------------------------------------------------------
> > > >>
> > > >> You will notice the date of release has been extended, as I know it
> > > >> will not be done in 2 weeks :0)
> > > >>
> > > >> Also.. the name of this guide will become the OWASP Guide to Web
> > > >> Application Penetration Testing. For us to even try and call it a
> > > >> testing guide, when in reality it has always been a penetration test
> > > >> guide, is just mad. We don't, and won't, cover all aspects of web
> > > >> application testing and this document should represent that.
> > > >>
> > > >> I will be sending out an updated structure doc with everyone's
> > > >> names soon
> > > >>
> > > >> Daniel
> > > >>
> > > >>
> > > >>
> > > >> -------------------------------------------------------
> > > >> SF.Net email is sponsored by: Discover Easy Linux Migration
> > > >> Strategies
> > > >> from IBM. Find simple to follow Roadmaps, straightforward articles,
> > > >> informative Webcasts and more! Get everything you need to get up to
> > > >> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> > > >> _______________________________________________
> > > >> owasp-testing mailing list
> > > >> owasp-testing at lists.sourceforge.net
> > > >> https://lists.sourceforge.net/lists/listinfo/owasp-testing
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> 
> 
>
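Seen from the defender's side, Daniel's example is a ladder of escalating request signatures: a lone encoded quote to find the hole, then stacked queries calling xp_cmdshell to add a user and put it in the administrators group. The following added example (not code from the thread or from OWASP) stages constructed access-log lines along that ladder, so a log reviewer can tell how far an attempt progressed; the log format, field names and stage labels are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the thread or any real system).
# Each line: client IP, quoted request line, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 "GET /search?q=owasp HTTP/1.1" 200
10.0.0.7 "GET /search?q=owasp%27 HTTP/1.1" 500
10.0.0.7 "GET /search?q=owasp%27%3B+exec+master..xp_cmdshell+%27net+user+OWASP+/add%27+-- HTTP/1.1" 500
10.0.0.7 "GET /search?q=owasp%27%3B+exec+master..xp_cmdshell+%27net+localgroup+administrators+OWASP+/add%27+-- HTTP/1.1" 500
10.0.0.9 "GET /items?id=42 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$')

# Ordered from most to least severe; the first stage that fires is reported,
# so a request is labelled by how far it has moved from probing to exploiting.
STAGES = [
    ("os-privilege-escalation", re.compile(r"net\s+localgroup\s+administrators", re.I)),
    ("os-command-execution", re.compile(r"xp_cmdshell", re.I)),
    ("sql-stacked-query", re.compile(r";\s*exec\b", re.I)),
    ("quote-probe", re.compile(r"'")),
]

def classify_target(target: str) -> Optional[str]:
    """Most severe stage whose signature appears in the URL-decoded query, else None."""
    _, _, query = target.partition("?")
    decoded = unquote_plus(query)  # decode %27, %3B and '+' before matching
    for name, pattern in STAGES:
        if pattern.search(decoded):
            return name
    return None

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, stage) for every request carrying a signature, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log records
        stage = classify_target(m.group("target"))
        if stage:
            hits.append((m.group("ip"), stage))
    return hits

if __name__ == "__main__":
    for ip, stage in triage(SAMPLE_LOG):
        print(f"{ip}: {stage}")
```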



