[Owasp-testing] New OWASP Testing guide: discussion about the Index

Jeff Williams jeff.williams at aspectsecurity.com
Sun Oct 8 23:02:20 EDT 2006


Rogan prototyped a Wiki2PDF solution for OWASP and it was pretty much
working.  It's not the prettiest in the world, but it did work.

Rogan, what's the status of that thing?

--Jeff
 
-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
Sent: Friday, October 06, 2006 11:32 AM
To: Dinis Cruz
Cc: Jeff Williams; owasp-testing at lists.owasp.org; owasp-leaders at lists.owasp.org
Subject: [Owasp-testing] New OWASP Testing guide: discussion about the Index

Yes, that's right Dinis.
But I've involved you because some changes have an impact on all the
OWASP Projects. I mean the problem of creating a project that doesn't
overlap with the other ones.

I think that the Testing methodologies are:
Manual Inspection & Review
Threat Modeling
Code Review
Penetration Testing

I think that we have to write a chapter about that and create a link
with the other OWASP projects. In this chapter we can compare the
different methodologies and talk about positive and negative issues.
After this we focus only on Penetration Testing, otherwise we'll
make an overlap with the other projects and go outside the scope of
the Guide.
I think we can use a kind of threat modeling to create a framework to
evaluate the real risk after finding the technical vulnerabilities.

Mat

On 10/6/06, Dinis Cruz <dinis at ddplus.net> wrote:
> Matteo,
>
> Shouldn't this discussion also be occurring at the owasp-testing mailing
> list?
>
> And since the testing guide will be all in Wiki format (
> https://www.owasp.org/index.php/OWASP_Testing_Guide_Table_of_Contents)
> we should start working on the solution to convert Wiki to Pdf.
>
> I have some experience in using XSL-FO to convert xml files to PDF, so that
> would be an option.
>
> Best regards
>
> Dinis Cruz
> OWASP Autumn of Code 2006,
> http://www.owasp.org/index.php/OAC
> OWASP .Net Project, http://www.owasp.org/index.php/.Net
>
>
>
>
> On 10/6/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> > Hi all,
> > I'm updating the Index of the Testing Guide. Here you can find it:
> >
> > https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide_-_Index
> >
> > I'm looking at Cap. 3-4-5: they don't work.
> > I think the Guide should focus on "Web Application Penetration Testing".
> > If you look at cap 3-4-5 it seems that the Guide will explain:
> > a) Threat Modeling
> > b) Code Review
> > c) Penetration Testing
> > But we have 2 other projects about a) and b), and the guide does not
> > explain them in detail.
> >
> > So, the question is:
> > I think we don't have to concentrate on Threat modeling and Code
> > Review, but just introduce it in the chapter "The OWASP Testing
> > Framework".
> > In that way we do not introduce overlap with the other OWASP Projects.
> > In other words, I think the more appropriate name for this project is
> > "OWASP Penetration Testing methodology"
> >
> > I'd like to change the Index from:
> >
> > 1 Frontispiece
> > 2. Introduction
> > 3. Methodologies Used
> > 4. Finding Specific Issues In a Non-Technical Manner
> > 5. Finding Specific Vulnerabilities Using Source Code
> > 6. Manual testing techniques
> > 7. The OWASP Testing Framework
> > Appendix A: Testing Tools
> > Appendix B: Suggested Reading
> > Appendix C: Fuzz Vectors
> >
> > To:
> > 1 Frontispiece
> > 2. Introduction
> > 3. The OWASP Testing Framework (we describe the framework and the
> > testing methodologies)
> > 4. Web Application Penetration Testing Techniques (we describe all
> > about the pentesting, split by categories like authentication,
> > session management, etc.)
> > 5. Writing Reports: value the real risk (a new chapter about the value
> > of the real risk after finding the vulnerabilities)
> > Appendix A: Testing Tools
> > Appendix B: Suggested Reading
> > Appendix C: Fuzz Vectors
> >
> > What is your opinion?
> >
> > Thanks,
> > Mat
> >


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
site: http://www.owasp.org/index.php/Italy
mail: matteo.meucci at owasp.org
ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
http://lists.owasp.org/mailman/listinfo/owasp-testing