[OWASP-TESTING] final draft of the outline

Eoin Keary eoinkeary at hotmail.com
Thu May 12 12:00:20 EDT 2005


Hi Alberto,
Good call, I think that is a much better solution.
A qualitative instead of a quantitative approach. Similar to trying to nail 
unknowns in risk assessment.
Better than a “guesstimate” anyways!

So points to affect the critical path of the timeline:

Complexity: (which is a subjective measure).

Size (relative measure also) is it 10 "pages" or 1000?

Technology - related to complexity. Pen testing web services may take longer 
than a "vanilla" application.

Areas of focus, obviously confidential areas would take more time and one 
would take more effort to test these areas?

Stability of the app is always an issue.

Types of user: For every distinct user type the test shall be different 
because what is available to that user changes with role type. (if you know 
what I mean)?^&*##

Any other suggestions to add to this list, anybody???
Send them to Dan C (daniel.cuthbert at owasp.org), Not me, he’s the leader!!

Eoin
>From: "Revelli Alberto" <a.revelli at reply.it>
>To: <owasp-testing at lists.sourceforge.net>
>Subject: RE: [OWASP-TESTING] final draft of the outline
>Date: Thu, 12 May 2005 17:10:58 +0200
>
>very clear point, Eoin.
>
>What if instead of trying to answer a question like "how long does it take" 
>we limit ourselves to something like "what should you consider to estimate 
>the effort" ?
>
>I am thinking here about a short section that briefly mentions aspects 
>like:
>
>- dimension of the application (10 pages/views ? 100 ? 1,000 ?)
>- complexity (static ? dynamic ? requires authentication ?)
>- interconnections to other systems (is it stand-alone? or does it fetch data 
>from a dozen backend databases?)
>
>No more than 1 or 2 pages, describing the variables that affect the needed 
>effort, but without giving a quantitative measure of the effort itself. 
>That would help managers to perform a reasonable analysis of the needed 
>resources, and at the same time there would not be any "guesstimate" in our 
>document...
>
>Alberto
>
>-----Original Message-----
>From: owasp-testing-admin at lists.sourceforge.net on behalf of Eoin Keary
>Sent: Thu 5/12/2005 4:20 PM
>To: owasp-testing at lists.sourceforge.net
>Subject: RE: [OWASP-TESTING] final draft of the outline
>
>After talking to a number of people in academia and industry I still
>don't think we should use "guesstimates" in documents we would like to 
>become industry standards.
>
>The document is depicting fact, procedure and best practice, but under the
>"How long shall this take/Cost" section we are going to answer: "Guess".
>Sounds a bit foolish and also damages the integrity of the document. I know
>ISO 17799 or COBIT docs don't have guessing games ;0)
>
>Just a thought.
>Eoin
>
>
> >From: "Shields, Larry" <Larry.Shields at FMR.COM>
> >To: <owasp-testing at lists.sourceforge.net>
> >Subject: RE: [OWASP-TESTING] final draft of the outline
> >Date: Thu, 5 May 2005 08:52:33 -0400
> >
> >
> >I agree.  Especially in black box testing, you can provide some rough
> >rule of thumb stuff for a timebox for various applications.  It will at
> >least provide a rough guesstimate for the poor project manager who's
> >trying to make sure the application is secure and needs to put some
> >number in the budget.
> >
> >-Larry
> >
> >-----Original Message-----
> >From: Revelli Alberto [mailto:a.revelli at reply.it]
> >Sent: Thursday, May 05, 2005 6:54 AM
> >To: owasp-testing at lists.sourceforge.net
> >Subject: RE: [OWASP-TESTING] final draft of the outline
> >
> >
> >
> > >True, but a guideline (with a massive caveat stating this isn't set in
> > >concrete blah blah blah) would help companies who have zero
> > >understanding of app testing to understand if they are being taken for
> > >a ride.
> >
> >Exactly.
> >I agree that needed resources heavily depend on the
> >complexity/size/insert_your_favorite_variable_here of the application,
> >but exactly for this reason it would be great to provide a few hints to
> >help companies to have some clues about how much effort is needed to
> >test their apps.
> >
> > >Ok, how's about I'll write up the section and everyone can review it
> > >once the rest of the sections are finished?
> >
> >Sounds great :)
> >
> >Cheers
> >
> >Alberto
> >
> >
> >_______________________________________________
> >owasp-testing mailing list
> >owasp-testing at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/owasp-testing
>
>
>
