[Owasp-testing] New OWASP Testing guide: discussion about the Index

Eoin eoinkeary at gmail.com
Mon Oct 9 05:07:58 EDT 2006


Did you try HTTrack? It converts a website to an offline version.
Works for the Wiki, I tried it before.

On 09/10/06, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
> Rogan prototyped a Wiki2PDF solution for OWASP and it was pretty much
> working.  It's not the prettiest in the world, but it did work.
>
> Rogan, what's the status of that thing?
>
> --Jeff
>
> -----Original Message-----
> From: owasp-testing-bounces at lists.owasp.org
> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo
> Meucci
> Sent: Friday, October 06, 2006 11:32 AM
> To: Dinis Cruz
> Cc: Jeff Williams; owasp-testing at lists.owasp.org;
> owasp-leaders at lists.owasp.org
> Subject: [Owasp-testing] New OWASP Testing guide: discussion about the
> Index
>
> Yes, that's right Dinis.
> But I've involved you because some changes have an impact on all the
> OWASP Projects. I mean the problem to create a project that doesn't
> overlap with the other ones.
>
> I think that the Testing methodologies are:
> Manual Inspection & Review
> Threat Modeling
> Code Review
> Penetration Testing
>
> I think that we have to write a chapter about that and create a link
> with the other OWASP projects. In this chapter we can compare the
> different methodologies and talk about positive and negative issues.
> After this we focus only about Penetration Testing otherwise we'll
> make an overlap with the other projects and go outside the scope of
> the Guide.
> I think we can use a kind of threat modeling to create a framework to
> evaluate the real risk after finding the technical vulnerabilities.
>
> Mat
>
> On 10/6/06, Dinis Cruz <dinis at ddplus.net> wrote:
> > Matteo,
> >
> > Shouldn't this discussion also be occurring at the owasp-testing
> > mailing list?
> >
> > And since the testing guide will be all in Wiki format (
> > https://www.owasp.org/index.php/OWASP_Testing_Guide_Table_of_Contents)
> > we should start working on the solution to convert Wiki to Pdf.
> >
> > I have some experience in using XSL-FO to convert xml files to PDF, so
> > that would be an option.
> >
> > Best regards
> >
> > Dinis Cruz
> > OWASP Autumn of Code 2006,
> > http://www.owasp.org/index.php/OAC
> > OWASP .Net Project, http://www.owasp.org/index.php/.Net
> >
> >
> >
> >
> > On 10/6/06, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> > > Hi all,
> > > I'm updating the Index of the Testing Guide. Here you can find it:
> > >
> >
> > > https://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide_-_Index
> > >
> > > I'm looking at Cap. 3-4-5: they don't work.
> > > I think the Guide should focus on "Web Application Penetration
> > > Testing".
> > > If you look at cap 3-4-5 it seems that the Guide will explain:
> > > a) Threat Modeling
> > > b) Code Review
> > > c) Penetration Testing
> > > But we have 2 other projects about a) and b) and the guide does not
> > > explain them in detail.
> > >
> > > So, the question is:
> > > I think we don't have to concentrate on Threat modeling and Code
> > > Review, but just introduce it in the chapter "The OWASP Testing
> > > Framework".
> > > In that way we do not introduce overlap with the other OWASP Projects.
> > > In other words I think the more appropriate name for this project is
> > > "OWASP Penetration
> > > Testing methodology"
> > >
> > > I'd like to change the Index from:
> > >
> > > 1 Frontispiece
> > > 2. Introduction
> > > 3. Methodologies Used
> > > 4. Finding Specific Issues In a Non-Technical Manner
> > > 5. Finding Specific Vulnerabilities Using Source Code
> > > 6. Manual testing techniques
> > > 7. The OWASP Testing Framework
> > > Appendix A: Testing Tools
> > > Appendix B: Suggested Reading
> > > Appendix C: Fuzz Vectors
> > >
> > > To:
> > > 1 Frontispiece
> > > 2. Introduction
> > > 3. The OWASP Testing Framework (we describe the framework and the
> > > testing methodologies)
> > > 4. Web Application Penetration Testing Techniques (we describe all
> > > about the pentesting split by categories like authentication,
> > > session management, etc.)
> > > 5. Writing Reports: value the real risk (a new chapter about the
> > > value of the real risk after finding the vulnerabilities)
> > > Appendix A: Testing Tools
> > > Appendix B: Suggested Reading
> > > Appendix C: Fuzz Vectors
> > >
> > > What is your opinion?
> > >
> > > Thanks,
> > > Mat
> > >
> >
> --
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> site: http://www.owasp.org/index.php/Italy
> mail: matteo.meucci at owasp.org
> ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
