[Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2cents for you...)

Matteo Meucci matteo.meucci at gmail.com
Wed Oct 18 09:21:25 EDT 2006


Perfect.
So I'll update the template for the paragraphs in Chapter 4 including
"In brief" or "Summary" at the top.

Mark, I think we have to update the optimum doc Checklist v1.1 with
the list of tests we describe (looking also at the HoneyComb project as Jeff
said), and include it at the top of Chapter 4 (Web App Pen Testing).
Then make a link with Chapter 5 in which we describe a methodology to
evaluate the REAL risk of the vulnerabilities found: also in this
chapter we can make the difference from a management point of view
because we'll show numbers ! ;)

Mat




On 10/18/06, Mark Roxberry <mark.roxberry at mpi.us.com> wrote:
> I like the idea.  A second, almost as important function IMHO, would be to
> standardize our classification.  I think it would be useful for our
> community to standardize what we communicate to our sponsors (managers,
> clients, etc.).  How does the open source community define a Web Service -
> XML Structural attack?  We would be somewhat creating a pentesting
> "industry-accepted" definition in "management" speak.
>
> -----Original Message-----
> From: owasp-testing-bounces at lists.owasp.org
> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Daniel Cuthbert
> Sent: Wednesday, October 18, 2006 8:10 AM
> To: Alberto Revelli
> Cc: owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] WARNING: Dummies & Managers Ahead (aka my
> 2cents for you...)
>
> Great idea, though I'd like us to not use the dummy connotation :0)
>
> The biggest issue I've seen recently is the lack of testing
> experience with today's batch of pentesters. Maybe it's me being an old
> fart, but I feel today's testers don't have the background knowledge
> and act using the HackingExposed (tm) methodology.
>
> Matteo, your idea is brilliant and one that needs to be included
> On 18 Oct 2006, at 19:07, Alberto Revelli wrote:
>
> > The idea sounds very good to me, and would increase the number of our
> > potential readers.
> >
> > What we can do is to add a "summary" or "abstract" to the beginning of
> > each topic.
> > The summary must not be longer than 50/60 words, and must clearly
> > answer the following two questions:
> >
> > 1. What kind of vulnerability are we testing?
> > 2. What are the risks posed by such a vulnerability?
> >
> > The second point is very important, as it would provide a
> > non-technical reader (read: a suit) a quick understanding of the
> > danger, and it would make the guide a good reference point also
> > from a risk assessment perspective.
> >
> > As a further example, here's how I'd write a summary for "googling":
> >
> > ==SUMMARY==
> > This test checks whether queries to search engines can provide
> > information that is not supposed to be public.
> > The impact of the vulnerability is the disclosure of
> > proprietary/confidential information.
> >
> > Alberto
> >
> >
> >> <PROPOSAL>
> >>
> >> I propose to prepend EACH technique (all the 4.x.x paragraph) with a
> >> "for dummies" paragraph meant to be read by people that don't know
> >> about the problem and giving a little insight on the subject from a
> >> NON TECH view. LANGUAGE will be different, avoiding techie slang and
> >> FORM would be different, outlining concepts instead of points....
> >> I DO NOT suggest a "for dummy" title, but something like "Overview"
> >> and "Technology" division....
> >>
> >> Let's take a look at an example:
> >>
> >> e.g. "Being able to tamper with cookies may result in hijacking the
> >> sessions of legitimate users"
> >>
> >> Will become:
> >>
> >> "Manipulating the cookie content may result, and often results, in
> >> changing the environment and may lead to simulate another user or to
> >> gain unauthorized privileges or access"
> >>
> >> The aim is to let a TOTAL IDIOT (like me =]) understand what we're
> >> talking about without falling into technical speech too much and
> >> without letting the subject frighten a reader.
> >> In addition to this, not everyone is prepared to cope with every subject
> >> and more often than not I'm sure that people will thank us for that
> >> and our introduction will explain to them what to read and how to
> >> document on a peculiar subject...
> >>
> >> I'll be able (as an ignorant) to take a look at most of the subjects
> >> and to write briefings but what I'd really like is to know what
> >> you all think about this approach...
> >
> > --
> > The information transmitted is intended for the person or entity to
> > which it is addressed and may contain confidential and/or
> > privileged material. Any review, retransmission, dissemination or
> > other use of, or taking of any action in reliance upon, this
> > information by persons or entities other than the intended
> > recipient is prohibited. If you received this in error, please
> > contact the sender and delete the material from any computer.
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
>


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide