[OWASP-TESTING] final draft of the outline

Revelli Alberto a.revelli at reply.it
Thu May 12 11:10:58 EDT 2005


Very clear point, Eoin.

What if, instead of trying to answer a question like "how long does it take", we limit ourselves to something like "what should you consider to estimate the effort"?

I am thinking here about a short section that briefly mentions aspects like:

- dimension of the application (10 pages/views? 100? 1,000?)
- complexity (static? dynamic? requires authentication?)
- interconnections to other systems (is it stand-alone, or does it fetch data from a dozen backend databases?)

No more than 1 or 2 pages, describing the variables that affect the needed effort, but without giving a quantitative measure of the effort itself. That would help managers to perform a reasonable analysis of the needed resources, and at the same time there would not be any "guesstimate" in our document...

Alberto

-----Original Message-----
From: owasp-testing-admin at lists.sourceforge.net on behalf of Eoin Keary
Sent: Thu 5/12/2005 4:20 PM
To: owasp-testing at lists.sourceforge.net
Subject: RE: [OWASP-TESTING] final draft of the outline
 
After talking to a number of people in academia and industry I still
don't think we should use "guesstimates" in documents we would like to become
industry standards.

The document is depicting fact, procedure and best practice, but under the 
"How long shall this take/Cost" section we are going to answer: "Guess".
Sounds a bit foolish and also damages the integrity of the document. I know
ISO 17799 or COBIT docs don't have guessing games ;0)

Just a thought.
Eoin


>From: "Shields, Larry" <Larry.Shields at FMR.COM>
>To: <owasp-testing at lists.sourceforge.net>
>Subject: RE: [OWASP-TESTING] final draft of the outline
>Date: Thu, 5 May 2005 08:52:33 -0400
>
>
>I agree.  Especially in black box testing, you can provide some rough
>rule of thumb stuff for a timebox for various applications.  It will at
>least provide a rough guesstimate for the poor project manager who's
>trying to make sure the application is secure and needs to put some
>number in the budget.
>
>-Larry
>
>-----Original Message-----
>From: Revelli Alberto [mailto:a.revelli at reply.it]
>Sent: Thursday, May 05, 2005 6:54 AM
>To: owasp-testing at lists.sourceforge.net
>Subject: RE: [OWASP-TESTING] final draft of the outline
>
>
>
> >True, but a guideline (with a massive caveat stating this isn't set in
> >concrete blah blah blah) would help companies who have zero
> >understanding of app testing to understand if they are being taken for
> >a ride.
>
>Exactly.
>I agree that needed resources heavily depend on the
>complexity/size/insert_your_favorite_variable_here of the application,
>but exactly for this reason it would be great to provide a few hints to
>help companies to have some clues about how much effort is needed to
>test their apps.
>
> >Ok, how's about I'll write up the section and everyone can review it
> >once the rest of the sections are finished?
>
>Sounds great :)
>
>Cheers
>
>Alberto
>
>
>_______________________________________________
>owasp-testing mailing list
>owasp-testing at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/owasp-testing
