[Owasp-testing] Brainstorming about the new Index

Eoin Keary eoinkeary at hotmail.com
Wed Oct 11 17:19:13 EDT 2006


Hi,

Question:
Do we want to get into Unit Testing and SDLC methodology in this guide?
I thought they would be more suited to Andrew's dev guide or the code review 
project.
Unit testing is related to testing small blocks of a system individually 
and hence a development phase done prior to system and integration testing.
The Guide currently focuses on penetration testing which is "After the Fact" 
testing and not really done until the system is developed.

What y'all think?

Eoin



>From: Stephen de Vries <stephen at corsaire.com>
>To: mark.roxberry at mpi.us.com
>CC: owasp-testing at lists.owasp.org
>Subject: Re: [Owasp-testing] Brainstorming about the new Index
>Date: Tue, 10 Oct 2006 21:41:57 +0700
>
>
>Hi Mark,
>
>I wrote a paper and a presentation on this very topic for the past
>OWASP EU conference:
>http://www.owasp.org/index.php/Image:AutomatedSecurityTestingofWebApplications-StephendeVries.pdf
>
>Some of the main points:
>- Security testing is not that different from other software testing
>- Security testing can easily be integrated into unit testing,
>integration testing and functional testing phases
>- There are a wealth of tools available for unit testing that can be
>used for security testing, such as the unit testing frameworks,
>apache cactus, htmlunit, httpunit, WATIR (for ruby), and more.
>
>I'd be glad to rework some of the material to fit into the guide, if
>you decide it's appropriate.
>
>regards,
>Stephen
>
>
>On 10 Oct 2006, at 21:18, Mark Roxberry wrote:
>
> > Hi everyone,
> >
> > I am new to the testing list, so please forgive my
> > presumptuousness, but I think 3.4 Phase 3 absolutely needs to be
> > here.  Moreover,  I believe UNIT TESTING needs to be added to 3.4
> > Phase 3.  In my opinion, it would be a mistake to *not* include a
> > section for testing during development.  There are several tools
> > for this, JUNIT, NUNIT, FxCOP that can be used to check for
> > function bounds and any security rules.
> >
> > Regards,
> >
> > Mark
> >
> > Mark Roxberry, CISSP, CEH
> >
> >
> >
> > From: "Carlo Pelliccioni" <carlo.pelliccioni at gmail.com>
> > Sent: Tuesday, October 10, 2006 6:57 AM
> > To: owasp-testing at lists.owasp.org
> > Subject: Re: [Owasp-testing] Brainstorming about the new Index
> >
> > I'm sorry, I meant "3.4 Phase 3" (During development) and not Phase 4.
> >
> > Bye
> > Carlo
> >
> > On 10/10/06, Eoin <eoinkeary at gmail.com> wrote:
> > Hi,
> > If you feel that we could "Push" any of the sections into the code
> > review guide or the Development guide please suggest.
> >
> >
> > On 10/10/06, Carlo Pelliccioni <carlo.pelliccioni at gmail.com> wrote:
> > Hi,
> >
> > I think that the new index is good but the Phase 4 (During
> > development) is useless in this testing guide (I think).
> > How do you feel about this?
> >
> > Bye bye
> > Carlo
> >
> >
> >
> > On 10/10/06, Eoin <eoinkeary at gmail.com> wrote:
> > Hi,
> >
> > Sounds very promising but take into account that the Autumn of Code
> > project is of a finite time.
> >
> > It is important to consider:
> >
> > In order to re-write all the chapters AND add the required new
> > content shall take some time. The completion date is the 31st
> > December 2006 which gives us about 11 weeks, not much time from my
> > experience of developing the existing Testing guide.
> >
> > It would be better not to take too much on and miss the completion
> > date. The guide shall be ever evolving and the aim of this AoC
> > project is to consolidate the existing guide and NOT to perform a
> > complete rewrite.
> >
> > So my concern is the amount of time we have to complete this
> > project Vs the ever expanding scope of work.
> >
> > regards,
> >
> > Eoin,
> > OWASP Testing Guide Lead and coordinator.
> >
> >
> >
> >
> >
> > On 10/10/06, Matteo Meucci < matteo.meucci at gmail.com> wrote:
> > > Hi all,
> > > What do you think about the new Index?
> > > http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
> > >
> > > 1) Look at the doc "OWASPTesting_PhaseOne"
> > > (http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=62285)
> > > IMHO I think we have to insert the Chapter 2 "Principle of testing",
> > > Chapter 3 "Testing techniques explained" and "The OWASP Testing
> > > Framework" as first chapter of this guide.
> > >
> > > 2) I'd like to rename Chapter 4 from "Manual testing techniques" to
> > > "Web Application Penetration Testing".
> > >
> > > 3) In accordance with Alberto Revelli, we think to create a new
> > > template for Chapter 4:
> > > 1 Short Description of the Issue
> > > 2 How to Test
> > >     2.1 Black Box testing and example
> > >     2.2 White Box testing and example
> > > 3 References
> > >     Whitepapers
> > >     Tools
> > > What do you think about that? Also, maybe we have to rename White Box
> > > to Gray Box, so that the difference is clear between penetration testing
> > > (Black and Gray Box) and Code Review (White Box), which is a different
> > > OWASP Project.
> > >
> > > What is your feedback?
> > > Thanks,
> > > Mat
> > >
> > >
> > >
> > >
> > > --
> > > Matteo Meucci
> > > OWASP-Italy Chair, CISSP, CISA
> > > site: http://www.owasp.org/index.php/Italy
> > > mail: matteo.meucci at owasp.org
> > > ml: http://lists.owasp.org/mailman/listinfo/owasp-italy
> > > _______________________________________________
> > > Owasp-testing mailing list
> > > Owasp-testing at lists.owasp.org
> > > http://lists.owasp.org/mailman/listinfo/owasp-testing
> > >
> >
> >
> > --
> > Eoin Keary OWASP - Ireland
> > http://www.owasp.org/local/ireland.html
> >
> > OWASP Testing Project Lead
> > http://www.owasp.org/index.php/OWASP_Testing_Project
> >
> > OWASP Code Review Project Lead
> > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >
> > OWASP Live CD Lead
> >
>
>--
>Stephen de Vries
>Corsaire Ltd
>E-mail: stephen at corsaire.com
>Tel:	+44 1483 226014
>Fax: 	+44 1483 226068
>Web: 	http://www.corsaire.com
>
>
>
>
