[OWASP-TESTING] final draft of the outline

Daniel Cuthbert daniel.cuthbert at owasp.org
Fri May 13 04:09:07 EDT 2005


I know where Mark is coming from; hell, there are a bucket load of lazy
people out there who would use it as "but OWASP said it would take this
long and that's all I'm going to do".

I have to admit, I was always nervous about adding such a section but
could see the benefits if it was done correctly.
Can we maybe leave this as a side addition and work out a way to best
approach it?


On 13 May 2005, at 08:55, Eoin Keary wrote:

> Hi Mark,
> The original thread was discussing the idea of "How long would testing
> take".
> People suggested guessing. Putting this into a document that we hope is
> going to be industry standard is a bit foolish if this document is to be
> taken seriously.
> Another idea (below) is to do some qualitative analysis on the application
> to be tested and to take into account some factors which may affect the
> timeline. The solution below is better than guessing (don't you think?).
> Do you have any better ideas how to estimate work effort for an arbitrary
> test?
>
> Eoin
>
>
>
>
>> From: "Curphey, Mark" <mark.curphey at foundstone.com>
>> To: <owasp-testing at lists.sourceforge.net>
>> Subject: RE: [OWASP-TESTING] final draft of the outline
>> Date: Thu, 12 May 2005 14:03:28 -0700
>>
>> OK someone asked me to clarify. I am not against checklists. I am
>> against someone proposing an industry accepted pricing model (times to
>> test, same difference) that will lead to people working backwards from
>> money and not forwards from technical needs.
>>
>> -----Original Message-----
>> From: owasp-testing-admin at lists.sourceforge.net
>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Curphey, Mark
>> Sent: Thursday, May 12, 2005 10:16 AM
>> To: Eoin Keary; a.revelli at reply.it; owasp- 
>> testing at lists.sourceforge.net;
>> daniel.cuthbert at owasp.org
>> Subject: RE: [OWASP-TESTING] final draft of the outline
>>
>> 2 cents
>>
>> This is going to lead to an industry where Joe Bloggs does the minimum
>> possible to complete a checklist for the lowest cost possible. This is
>> not conducive to promoting good quality testing and is 100% wrong IMHO.
>>
>> -----Original Message-----
>> From: owasp-testing-admin at lists.sourceforge.net
>> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf Of Eoin
>> Keary
>> Sent: Thursday, May 12, 2005 9:00 AM
>> To: a.revelli at reply.it; owasp-testing at lists.sourceforge.net;
>> daniel.cuthbert at owasp.org
>> Subject: RE: [OWASP-TESTING] final draft of the outline
>>
>> Hi Alberto,
>> Good call, I think that is a much better solution.
>> A qualitative instead of a quantitative approach. Similar to trying to
>> nail unknowns in risk assessment.
>> Better than a "guesstimate" anyways!
>>
>> So points to affect the critical path of the timeline:
>>
>> Complexity (which is a subjective measure).
>>
>> Size (a relative measure also): is it 10 "pages" or 1000?
>>
>> Technology - related to complexity. Pen testing web services may take
>> longer than a "vanilla" application.
>>
>> Areas of focus: obviously confidential areas would take more time, and
>> one would take more effort to test these areas?
>>
>> Stability of the app is always an issue.
>>
>> Types of user: for every distinct user type the test shall be different,
>> because what is available to that user changes with role type (if you
>> know what I mean)?^&*##
>>
>> Any other suggestions to add to this list, anybody???
>> Send them to Dan C (daniel.cuthbert at owasp.org), not me, he's the
>> leader!!
>>
>> Eoin
>>
>>
>>
>>
>>
>> >From: "Revelli Alberto" <a.revelli at reply.it>
>> >To: <owasp-testing at lists.sourceforge.net>
>> >Subject: RE: [OWASP-TESTING] final draft of the outline
>> >Date: Thu, 12 May 2005 17:10:58 +0200
>> >
>> >very clear point, Eoin.
>> >
>> >What if instead of trying to answer a question like "how long does it
>> >take" we limit ourselves to something like "what should you consider to
>> >estimate the effort"?
>> >
>> >I am thinking here about a short section that briefly mentions aspects
>> >like:
>> >
>> >- dimension of the application (10 pages/views? 100? 1,000?)
>> >- complexity (static? dynamic? requires authentication?)
>> >- interconnections to other systems (is it stand-alone, or does it
>> >  fetch data from a dozen backend databases?)
>> >
>> >No more than 1 or 2 pages, describing the variables that affect the
>> >needed effort, but without giving a quantitative measure of the effort
>> >itself.
>> >That would help managers to perform a reasonable analysis of the needed
>> >resources, and at the same time there would not be any "guesstimate" in
>> >our document...
>> >
>> >Alberto
>> >
>> >-----Original Message-----
>> >From: owasp-testing-admin at lists.sourceforge.net on behalf of Eoin  
>> Keary
>> >Sent: Thu 5/12/2005 4:20 PM
>> >To: owasp-testing at lists.sourceforge.net
>> >Subject: RE: [OWASP-TESTING] final draft of the outline
>> >
>> >After talking to a number of people in academia and industry I still
>> >don't think we should use "guesstimates" in documents we would like to
>> >become industry standards.
>> >
>> >The document is depicting fact, procedure and best practice, but under
>> >the "How long shall this take/Cost" section we are going to answer:
>> >"Guess".
>> >Sounds a bit foolish and also damages the integrity of the document. I
>> >know ISO 17799 or COBIT docs don't have guessing games ;0)
>> >
>> >Just a thought.
>> >Eoin
>> >
>> >
>> > >From: "Shields, Larry" <Larry.Shields at FMR.COM>
>> > >To: <owasp-testing at lists.sourceforge.net>
>> > >Subject: RE: [OWASP-TESTING] final draft of the outline
>> > >Date: Thu, 5 May 2005 08:52:33 -0400
>> > >
>> > >
>> > >I agree.  Especially in black box testing, you can provide some rough
>> > >rule of thumb stuff for a timebox for various applications.  It will
>> > >at least provide a rough guesstimate for the poor project manager
>> > >who's trying to make sure the application is secure and needs to put
>> > >some number in the budget.
>> > >
>> > >-Larry
>> > >
>> > >-----Original Message-----
>> > >From: Revelli Alberto [mailto:a.revelli at reply.it]
>> > >Sent: Thursday, May 05, 2005 6:54 AM
>> > >To: owasp-testing at lists.sourceforge.net
>> > >Subject: RE: [OWASP-TESTING] final draft of the outline
>> > >
>> > >
>> > >
>> > > >True, but a guideline (with a massive caveat stating this isn't set
>> > > >in concrete blah blah blah) would help companies who have zero
>> > > >understanding of app testing to understand if they are being taken
>> > > >for a ride.
>> > >
>> > >Exactly.
>> > >I agree that needed resources heavily depend on the
>> > >complexity/size/insert_your_favorite_variable_here of the
>> > >application, but exactly for this reason it would be great to provide
>> > >a few hints to help companies to have some clues about how much
>> > >effort is needed to test their apps.
>> > >
>> > > >Ok, how's about I'll write up the section and everyone can review
>> > > >it once the rest of the sections are finished?
>> > >
>> > >Sounds great :)
>> > >
>> > >Cheers
>> > >
>> > >Alberto
>> > >
>> > >
>> > >_______________________________________________
>> > >owasp-testing mailing list
>> > >owasp-testing at lists.sourceforge.net
>> > >https://lists.sourceforge.net/lists/listinfo/owasp-testing