[OWASP-TESTING] Timeline for 2nd phase

Daniel Cuthbert daniel.cuthbert at owasp.org
Fri Jun 24 09:38:42 EDT 2005


I agree on the closed point, let's rather get some sections done and then decide on the merits of calling it what it is?


On 24 Jun 2005, at 14:22, Matteo Meucci wrote:

>> Where did you get "think PT is more suitable for the Network level, VA is
>> more suitable for the Application level." This is not the industry view.
>>
>
> Ok, this is my point of view. I think this is the industry point of view.
> I also think that few of us think of WAVA instead of WAPT, so we
> can close the thread and go on.
>
> Mat
>
>
>
>
>>> From: Matteo Meucci <matteo.meucci at gmail.com>
>>> Reply-To: Matteo Meucci <matteo.meucci at gmail.com>
>>> To: Daniel Cuthbert <daniel.cuthbert at owasp.org>
>>> CC: owasp-testing at lists.sourceforge.net
>>> Subject: Re: [OWASP-TESTING] Timeline for 2nd phase
>>> Date: Fri, 24 Jun 2005 12:24:19 +0200
>>>
>>> I understand your opinion but I think that it is important:
>>> - to distinguish the Network PT from WebApp PT (or VA):
>>> I think PT is more suitable for the Network level, VA is more suitable
>>> for the Application level.
>>> - to give a document that will be the standard "de facto": if the term
>>> WAVA is more widespread than WAPT, I think we have to choose the first
>>> one.
>>>
>>> Mat
>>>
>>>
>>>
>>> On 6/24/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
>>>
>>>> Here is how the two terms have always been seen in the industry:
>>>>
>>>> vulnerability assessment -> find the security hole BUT do not exploit
>>>> the hole to prove it's exploitable
>>>> penetration test -> find the security hole and try to exploit/gain
>>>> access as much as possible
>>>>
>>>> Are we saying that this guide will only give the 1st steps for
>>>> finding the hole, but not how to gain further access into the
>>>> application?
>>>>
>>>> an example would be:
>>>>
>>>> input form vulnerable to sql injection
>>>> --> add %27 to determine impact
>>>>   --> add ; exec master..xp_cmdShell 'net user OWASP /add' --
>>>>    --> then execute ; exec master..xp_cmdShell 'net localgroup administrators OWASP /add' --
>>>>    --> and then add the user with admin priv's within the db itself
>>>>
>>>> See, if we are only going to show how to do the 1st step, then how
>>>> would someone actually know if it was possible to exploit the app?
>>>>
>>>> The problem today is that there are way too many consultants out
>>>> there who are "vulnerability assessors", but actually have no clue on
>>>> how to take the test to the next step.
>>>>
>>>>
>>>> On 24 Jun 2005, at 10:15, Matteo Meucci wrote:
>>>>
>>>>
>>>>> Ok Daniel,
>>>>> I've two questions:
>>>>> 1) The title: "OWASP Guide to Web Application Penetration Testing"
>>>>> Why not: "OWASP Guide to Web Application Vulnerability Assessment"?
>>>>> I think "WAVA" is more suitable.
>>>>> 2) Timeline: in Italy from 1st August to 15th everything is closed,
>>>>> and also all the people are on vacation...
>>>>>
>>>>> Just my thought.
>>>>> Mat
>>>>>
>>>>>
>>>>> On 6/23/05, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
>>>>>
>>>>>
>>>>>> Thanks to Javier, here is the timeline:
>>>>>>
>>>>>> --------------------------------------------------------
>>>>>> August 1st - first version of the volunteered sections
>>>>>> [ peer review of sections, detection of who is not active, decision
>>>>>> to offer up sections to others if people are overloaded, etc ]
>>>>>>
>>>>>> August 15th - final version of the sections
>>>>>> [ peer review of sections, editorial changes ]
>>>>>>
>>>>>> August 31st - first document draft (all sections put together)
>>>>>> [ peer review of the document ]
>>>>>>
>>>>>> September 30th - final release of section 2
>>>>>> ---------------------------------------------------------------
>>>>>>
>>>>>> You will notice the date of release has been extended, as I know it
>>>>>> will not be done in 2 weeks :0)
>>>>>>
>>>>>> Also.. the name of this guide will become the OWASP Guide to Web
>>>>>> Application Penetration Testing. For us to even try and call it a
>>>>>> testing guide, when in reality it has always been a penetration test
>>>>>> guide, is just mad. We don't, and won't, cover all aspects of web
>>>>>> application testing and this document should represent that.
>>>>>>
>>>>>> I will be sending out an updated structure doc with everyone's
>>>>>> names soon.
>>>>>>
>>>>>> Daniel
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> owasp-testing mailing list
>>>>>> owasp-testing at lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/owasp-testing
>>>>>>
>>>>
>>>
>>
>
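The "add %27 to determine impact" step from Daniel's injection example, and the fix a developer would apply, shown as an added example that is not part of this thread or of the OWASP guide. The in-memory table, the inputs and the `lookup_vulnerable` / `lookup_parameterized` function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import unquote

# Constructed in-memory table standing in for the application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'user'), ('bob', 'admin')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, raw_name):
    """Query built by string concatenation: the 'input form vulnerable to
    sql injection' from the thread. The URL-decoded %27 (a single quote)
    lands inside the SQL text and reaches the database parser."""
    name = unquote(raw_name)
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, raw_name):
    """Hardened form: the value is bound as a parameter, so a quote in the
    input is just data and can never change the statement structure."""
    name = unquote(raw_name)
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def probe(fn, raw_name):
    """Runs one lookup and returns what an assessor observes: ('rows', [...])
    or ('error', message). A database error on the %27 probe is the
    first-step signal that user input is being parsed as SQL; the
    parameterized version simply finds no matching row."""
    conn = make_db()
    try:
        return ("rows", fn(conn, raw_name))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()
```

The vulnerable lookup fails with a syntax error on `alice%27` because the decoded quote unbalances the string literal; the parameterized lookup returns an empty result for the same input, which is the behaviour a fixed application should show.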