[Owasp-testing] Brainstorming about the new Index

Alberto Revelli a.revelli at reply.it
Tue Oct 10 18:43:25 EDT 2006


Comments inline, all with abundant doses of IMHO :)

s4tan wrote:
> I agree with Carlo, "3.4 Phase 3" overlaps with "Code review project" IMHO.

From my understanding, Chapter 3 is aimed at providing a general framework
that describes the testing methodologies that are best suited to each
step of the development cycle. The goal is to help the reader
understand when to use each method (Risk Analysis, Threat Modeling,
Penetration Testing, Code Review, ...).
It does not get into any detailed description (Chapter 4 will do that,
and only for penetration testing). As long as we limit ourselves to a
short paragraph about what Code Review is and when it is to be used, and
provide a link to the corresponding OWASP project, we do not risk any
overlap.

> One thing again, I think we can avoid renaming White box to Gray box,
> because "Phase 2" is about the white box and not the gray box methodology.

We have to define exactly what we mean by "gray box" and "white box".
To me, "gray box" is when we have some sort of initial information to
start with (e.g.: web server vendor and version, algorithm used to
generate a cookie, ...), as opposed to "black box" testing, in which we
start with no information at all.
When I think about "white box", I imagine a situation in which I have
*all* the information about the application, source code included.
Therefore, I think that the "white box" expression should indicate an
approach based on Code Review.

Ciao

ice

--
The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
