[Owasp-testing] New OWASP Testing guide: discussion about the Index

Matteo Meucci matteo.meucci at gmail.com
Fri Oct 6 11:32:22 EDT 2006


Yes, that's right Dinis.
But I've involved you because some changes have an impact on all the
OWASP Projects. I mean the problem of creating a project that doesn't
overlap with the other ones.

I think that the Testing methodologies are:
Manual Inspection & Review
Threat Modeling
Code Review
Penetration Testing

I think that we have to write a chapter about that and create a link
with the other OWASP projects. In this chapter we can compare the
different methodologies and talk about positive and negative issues.
After this we focus only on Penetration Testing; otherwise we'll
overlap with the other projects and go outside the scope of
the Guide.
I think we can use a kind of threat modeling to create a framework to
evaluate the real risk after finding the technical vulnerabilities.

Mat

On 10/6/06, Dinis Cruz <dinis at ddplus.net> wrote:
> Matteo,
>
> Shouldn't this discussion also be occurring at the owasp-testing mailing
> list?
>
> And since the testing guide will be all in Wiki format (
> https://www.owasp.org/index.php/OWASP_Testing_Guide_Table_of_Contents)
> we should start working on the solution to convert Wiki to Pdf.
>
> I have some experience in using XSL-FO to convert xml files to PDF, so that
> would be an option.
>
> Best regards
>
> Dinis Cruz
> OWASP Autumn of Code 2006,
> http://www.owasp.org/index.php/OAC
> OWASP .Net Project, http://www.owasp.org/index.php/.Net
>
> On 10/6/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> > Hi all,
> > I'm updating the Index of the Testing Guide. Here you can find it:
> >
> https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide_-_Index
> >
> > I'm looking at Chapters 3-4-5: they don't work.
> > I think the Guide should focus on "Web Application Penetration Testing".
> > If you look at Chapters 3-4-5 it seems that the Guide will explain:
> > a) Threat Modeling
> > b) Code Review
> > c) Penetration Testing
> > But we have 2 other projects about a) and b), and the guide does not
> > explain them in detail.
> >
> > So, the question is:
> > I think we don't have to concentrate on Threat Modeling and Code
> > Review, but just introduce them in the chapter "The OWASP Testing
> > Framework".
> > In that way we do not introduce overlap with the other OWASP Projects.
> > In other words, I think the more appropriate name for this project is
> > "OWASP Penetration Testing Methodology".
> >
> > I'd like to change the Index from:
> >
> > 1. Frontispiece
> > 2. Introduction
> > 3. Methodologies Used
> > 4. Finding Specific Issues In a Non-Technical Manner
> > 5. Finding Specific Vulnerabilities Using Source Code
> > 6. Manual testing techniques
> > 7. The OWASP Testing Framework
> > Appendix A: Testing Tools
> > Appendix B: Suggested Reading
> > Appendix C: Fuzz Vectors
> >
> > To:
> > 1. Frontispiece
> > 2. Introduction
> > 3. The OWASP Testing Framework (we describe the framework and the
> > testing methodologies)
> > 4. Web Application Penetration Testing Techniques (we describe all
> > about the pentesting, split into categories like authentication,
> > session management, etc.)
> > 5. Writing Reports: value the real risk (a new chapter about the value
> > of the real risk after finding the vulnerabilities)
> > Appendix A: Testing Tools
> > Appendix B: Suggested Reading
> > Appendix C: Fuzz Vectors
> >
> > What is your opinion?
> >
> > Thanks,
> > Mat
> >


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
site: http://www.owasp.org/index.php/Italy
mail: matteo.meucci at owasp.org
ml: http://lists.owasp.org/mailman/listinfo/owasp-italy