[Owasp-testing] Brainstorming about the new Index

Jeff Williams jeff.williams at aspectsecurity.com
Tue Oct 10 23:51:02 EDT 2006


Hi,

Great progress everyone.  I'd really like to see references to articles
already at OWASP about the various attacks and vulnerabilities you're
testing for.  Check the Honeycomb project for lots of these.  This will
help to reduce overlap and redundancy.

--Jeff

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
Sent: Tuesday, October 10, 2006 10:32 AM
To: mark.roxberry at mpi.us.com
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Brainstorming about the new Index

I agree.
Mat

On 10/10/06, Mark Roxberry <mark.roxberry at mpi.us.com> wrote:
>  Hi everyone,
>
> I am new to the testing list, so please forgive my presumptuousness, but I
> think 3.4 Phase 3 absolutely needs to be here.  Moreover, I believe UNIT
> TESTING needs to be added to 3.4 Phase 3.  In my opinion, it would be a
> mistake to *not* include a section for testing during development.  There
> are several tools for this, JUNIT, NUNIT, FxCOP that can be used to check
> for function bounds and any security rules.
>
> Regards,
>
> Mark
>
> Mark Roxberry, CISSP, CEH
>
>
>
>  ________________________________
>  From: "Carlo Pelliccioni" <carlo.pelliccioni at gmail.com>
> Sent: Tuesday, October 10, 2006 6:57 AM
> To: owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] Brainstorming about the new Index
>
> I'm sorry, I meant "3.4 Phase 3" (During development) and not Phase 4.
>
> Bye
> Carlo
>
> On 10/10/06, Eoin < eoinkeary at gmail.com> wrote:
> > Hi,
> > If you feel that we could "Push" any of the sections into the code review
> > guide or the Development guide please suggest.
> >
> >
> >
> > On 10/10/06, Carlo Pelliccioni <carlo.pelliccioni at gmail.com> wrote:
> > > Hi,
> > >
> > > I think that the new index is good but the Phase 4 (During development)
> > > is useless in this testing guide (I think).
> > > How do you feel about this?
> > >
> > > Bye bye
> > > Carlo
> > >
> > >
> > >
> > >
> > > On 10/10/06, Eoin <eoinkeary at gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Sounds very promising but take into account that the Autumn of Code
> > > > project is of a finite time.
> > > >
> > > > It is important to consider:
> > > >
> > > > In order to re-write all the chapters AND add the required new content
> > > > shall take some time. The completion date is the 31st December 2006 which
> > > > gives us about 11 weeks, not much time from my experience of developing the
> > > > existing Testing guide.
> > > >
> > > > It would be better not to take too much on and miss the completion
> > > > date. The guide shall be ever evolving and the aim of this AoC project is to
> > > > consolidate the existing guide and NOT to perform a complete rewrite.
> > > >
> > > > So my concern is the amount of time we have to complete this project
> > > > Vs the ever expanding scope of work.
> > > >
> > > > regards,
> > > >
> > > > Eoin,
> > > > OWASP Testing Guide Lead and coordinator.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On 10/10/06, Matteo Meucci < matteo.meucci at gmail.com> wrote:
> > > >
> > > > > Hi all,
> > > > > What do you think about the new Index?
> > > > >
>
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
> > > > >
> > > > > 1) Look at the doc "OWASPTesting_PhaseOne"
> > > > >
>
(http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=
62285
> )
> > > > > IMHO I think we have to insert the Chaper 2" Principle of
testing" ,
> > > > > Chapter 3 "Testing techniques explained" and "The OWASP
Testing
> > > > > Framework" as first chapter of this guide.
> > > > >
> > > > > 2) I'd like to rename Chapter 4 from "Manual testing
techniques" to
> > > > > "Web Application Penetration Testing".
> > > > >
> > > > > 3) In accordance with Alberto Revelli, we think to create a
new
> > > > > template for Chapter 4:
> > > > > 1 Short Description of the Issue
> > > > > 2 How to Test
> > > > >     2.1 Black Box testing and example
> > > > >     2.2 White Box testing and example
> > > > > 3 References
> > > > >     Whitepapers
> > > > >     Tools
> > > > > What do you think about that? More, may be we have to rename
White
> Box
> > > > > in Gray box, so it is clear the difference between penetration
> testing
> > > > > (Black and Gray Box) and Code Review (White Box) that is a
different
> > > > > OWASP Project.
> > > > >
> > > > > What are your feed back?
> > > > > Thanks,
> > > > > Mat
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > > > --
> > > > > Matteo Meucci
> > > > > OWASP-Italy Chair, CISSP, CISA
> > > > > site: http://www.owasp.org/index.php/Italy
> > > > > mail: matteo.meucci at owasp.org
> > > > > > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> > > > > > _______________________________________________
> > > > > > Owasp-testing mailing list
> > > > > > Owasp-testing at lists.owasp.org
> > > > > > http://lists.owasp.org/mailman/listinfo/owasp-testing
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Eoin Keary OWASP - Ireland
> > > > http://www.owasp.org/local/ireland.html
> > > >
> > > > OWASP Testing Project Lead
> > > > http://www.owasp.org/index.php/OWASP_Testing_Project
> > > >
> > > > OWASP Code Review Project Lead
> > > > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> > > >
> > > > OWASP Live CD Lead
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> > --
> > Eoin Keary OWASP - Ireland
> > http://www.owasp.org/local/ireland.html
> >
> > OWASP Testing Project Lead
> > http://www.owasp.org/index.php/OWASP_Testing_Project
> >
> > OWASP Code Review Project Lead
> > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >
> > OWASP Live CD Lead
>
>
>
>
>
>


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
site: http://www.owasp.org/index.php/Italy
mail: matteo.meucci at owasp.org
ml: http://lists.owasp.org/mailman/listinfo/owasp-italy


