[Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2 cents for you...)

Daniel Cuthbert daniel.cuthbert at owasp.org
Wed Oct 18 08:10:29 EDT 2006


Great idea, though I'd like us to not use the dummy connotation :0)

The biggest issue I've seen recently is the lack of testing
experience with today's batch of pentesters. Maybe it's me being an old
fart, but I feel today's testers don't have the background knowledge
and act using the HackingExposed (tm) methodology.

Matteo, your idea is brilliant and one that needs to be included.

On 18 Oct 2006, at 19:07, Alberto Revelli wrote:

> The idea sounds very good to me, and would increase the number of our
> potential readers.
>
> What we can do is to add a "summary" or "abstract" to the beginning of
> each topic.
> The summary must not be longer than 50/60 words, and must clearly
> answer the following two questions:
>
> 1. What kind of vulnerability are we testing?
> 2. What are the risks posed by such a vulnerability?
>
> The second point is very important, as it would provide a
> non-technical reader (read: a suit) a quick understanding of the
> danger, and it would make the guide a good reference point also from
> a risk assessment perspective.
>
> As a further example, here's how I'd write a summary for "googling":
>
> ==SUMMARY==
> This test checks whether queries to search engines can provide
> information that is not supposed to be public.
> The impact of the vulnerability is the disclosure of
> proprietary/confidential information.
>
> Alberto
>
>
>> <PROPOSAL>
>>
>> I propose to prepend EACH technique (all the 4.x.x paragraphs) with a
>> "for dummies" paragraph meant to be read by people that don't know
>> about the problem, giving a little insight on the subject from a
>> NON TECH view. LANGUAGE will be different, avoiding techie slang, and
>> FORM would be different, outlining concepts instead of points....
>> I DO NOT suggest a "for dummies" title, but something like an
>> "Overview" and "Technology" division....
>>
>> Let's take a look at an example:
>>
>> e.g. "Being able to tamper with cookies may result in hijacking the
>> sessions of legitimate users"
>>
>> Will become:
>>
>> "Manipulating the cookie content may result, and often results, in
>> changing the environment and may lead to simulating another user or
>> to gaining unauthorized privileges or access"
>>
>> The aim is to let a TOTAL IDIOT (like me =]) understand what we're
>> talking about without falling into technical speech too much and
>> without letting the subject frighten a reader.
>> In addition to this, not everyone is prepared to cope with every
>> subject, and more often than not I'm sure that people will thank us
>> for that, and our introduction will explain to them what to read and
>> how to read up on a particular subject...
>>
>> I'll be able (as an ignoramus) to take a look at most of the subjects
>> and to write briefings, but what I'd really like is to know what you
>> all think about this approach...
>
> --
> The information transmitted is intended for the person or entity to
> which it is addressed and may contain confidential and/or
> privileged material. Any review, retransmission, dissemination or
> other use of, or taking of any action in reliance upon, this
> information by persons or entities other than the intended
> recipient is prohibited. If you received this in error, please
> contact the sender and delete the material from any computer.
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
