[Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2cents for you...)

Mark Roxberry mark.roxberry at mpi.us.com
Wed Oct 18 08:45:33 EDT 2006


I like the idea.  A second, almost as important function IMHO, would be to
standardize our classification.  I think it would be useful for our
community to standardize what we communicate to our sponsors (managers,
clients, etc.).  How does the open source community define a Web Service -
XML Structural attack?  We would be somewhat creating a pentesting
"industry-accepted" definition in "management" speak.

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Daniel Cuthbert
Sent: Wednesday, October 18, 2006 8:10 AM
To: Alberto Revelli
Cc: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] WARNING: Dummies & Managers Ahead (aka my
2cents for you...)

Great idea, though I'd like us to not use the dummy connotation :0)

The biggest issue I've seen recently is the lack of testing
experience with today's batch of pentesters. Maybe it's me being an old
fart, but I feel today's testers don't have the background knowledge
and act using the HackingExposed (tm) methodology.

Matteo, your idea is brilliant and one that needs to be included.
On 18 Oct 2006, at 19:07, Alberto Revelli wrote:

> The idea sounds very good to me, and would increase the number of our
> potential readers.
>
> What we can do is to add a "summary" or "abstract" to the beginning of
> each topic.
> The summary must not be longer than 50/60 words, and must clearly answer
> the following two questions:
>
> 1. What kind of vulnerability are we testing?
> 2. What are the risks posed by such a vulnerability?
>
> The second point is very important, as it would provide a non-technical
> reader (read: a suit) a quick understanding of the danger, and it would
> make the guide a good reference point also from a risk assessment
> perspective.
>
> As a further example, here's how I'd write a summary for "googling":
>
> ==SUMMARY==
> This test checks whether queries to search engines can provide
> information that is not supposed to be public.
> The impact of the vulnerability is the disclosure of
> proprietary/confidential information.
>
> Alberto
>
>
>> <PROPOSAL>
>>
>> I propose to prepend EACH technique (all the 4.x.x paragraphs) with a
>> "for dummies" paragraph meant to be read by people that don't know
>> about the problem and giving a little insight on the subject from a
>> NON TECH view. LANGUAGE will be different, avoiding techie slang and
>> FORM would be different, outlining concepts instead of points....
>> I DO NOT suggest a "for dummies" title, but something like an "Overview"
>> and "Technology" division....
>>
>> Let's take a look at an example:
>>
>> e.g. "Being able to tamper with cookies may result in hijacking the
>> sessions of legitimate users"
>>
>> Will become:
>>
>> "Manipulating the cookie content may result, and often results, in
>> changing the environment and may lead to simulate another user or to
>> gain unauthorized privileges or access"
>>
>> The aim is to let a TOTAL IDIOT (like me =]) understand what we're
>> talking about without falling into technical speech too much and
>> without letting the subject frighten a reader.
>> In addition to this, not everyone is prepared to cope with every subject
>> and more often than not I'm sure that people will thank us for that
>> and our introduction will explain to them what to read and how to
>> document on a peculiar subject...
>>
>> I'll be able (as an ignorant) to take a look at most of the subjects
>> and to write briefings, but what I'd really like is to know what you
>> all think about this approach...
>
> --
> The information transmitted is intended for the person or entity to  
> which it is addressed and may contain confidential and/or  
> privileged material. Any review, retransmission, dissemination or  
> other use of, or taking of any action in reliance upon, this  
> information by persons or entities other than the intended  
> recipient is prohibited. If you received this in error, please  
> contact the sender and delete the material from any computer.
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
