[Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2 cents for you...)

Eoin eoinkeary at gmail.com
Wed Oct 18 12:25:38 EDT 2006


Hi, Matteo, Eoin Here.
If one needs theory it can be found in other sections of the OWASP site.
One issue the OWASP leaders have defined is that we do not require
overlap in the site.

If one needs to understand the issue from a technology perspective it can be
found elsewhere in the site.

I think the agreement already is to stick to the "how to test" information
and leave the theory and background to other sections of the site which already
exist.

Hope this explains it,

Eoin


OWASP Testing Project Lead

On 18/10/06, Matteo G.P. Flora <mf at matteoflora.com> wrote:
>
> Hi all,
>
> PREAMBLE: this mail was meant to be a couple lines long but went out
> of my hand... If you have only a minute or so go to <PROPOSAL> section
> directly...
>
> <WHOAMI>
>
> My name is Matteo Flora and I'm very pleased to meet you all... I met
> Matt and Alberto here in Italy and they told me to sign on to the ML
> and take a look at the document...
>
> Well, it surely is something worth looking at!
>
> Just my passing 2 cents: I'm basically a "political" sort of guy,
> directing Italian Privacy and Security Observatory (OPSI) and with a
> leading role in Italian Computer Society (AIP)...
> I struggle everyday to take some kind of awareness in Corporate and
> Gov, with direct connection with Italian (and to minimum degree
> European) institutes for adoption of Sec methodologies.
>
> But I'm not here to talk about me ;)
>
> <THEPROBLEM>
>
> I was pointing out to Matt and Alberto that the actual document is a
> perfect example of what a methodology should be and I scarcely am able
> to think of anything that isn't covered in there (while I confess huge
> gaps in methodologies I didn't even know the name of!).
> Working with management (ISO27001) I often am able to look at the
> adoption route of a methodology over another and I have a couple of
> observations to share with you (each of them not worth more than my 2
> eurocents)....
>
> We're facing a couple of problems:
>
> 1) Pentesters aren't uniformly SMART
> While we're here and we know what to do and how (well, at least YOU
> DO) many pentesters or wannabe in the world don't know much about
> in-depth methodologies and so on. Many of them simply rely on
> off-the-shelf tools and off-the-shelf methodologies and even if these
> are NOT what PT should be we must be aware of their existence.
>
> 2) Managers tend to screen methodologies
> IT world has changed in the last few years even on the side of
> management: typical European manager (or PM) is nowadays a hybrid
> figure closer than before to code and developing. He tends to look
> deeply at methodologies and being security the "buzz of these years"
> each manager tends to spot his competence in this field.
>
> How does this affect us at all?
>
> Well, nowadays we see a plethora of new certifications, methodologies,
> tools, codes, guidelines, best practices and so on scattered around
> and each of them is used or not based on two factors: political power
> of the solution (i.e. ISO) and ease of adoption.
>
> While we cannot impact (right now) on the "political power" of OWASP
> we can impact deeply on the ease of use. If people are able to use our
> document they'll gladly adopt it.
>
> BUT (there's always a BUT.... Murphy thing, you understand...)
>
> It is my opinion that the actual structure of the document will
> represent a very tough and steep entry-level to a poorly skilled
> pentester and/or to a manager.
> Let me clear up: that's not necessarily a PROBLEM... We could happily
> say "f*ck the dummies, this is a pro document", but I think we'll
> lose 80% of possible audience. In addition to this let's remember
> that the TESTING document is in many cases far more important than
> Coding Guidelines! Why's that? It's simple: reviewing and testing an
> application is far easier than building a perfect one and even if a
> manager isn't maybe able to review the code he can look at injections
> and hijacking quite easily....
>
> <PROPOSAL>
>
> I propose to prepend EACH technique (all the 4.x.x paragraph) with a
> "for dummies" paragraph meant to be read by people that don't know
> about the problem and giving a little insight on the subject from a
> NON TECH view. LANGUAGE will be different, avoiding techie slang and
> FORM would be different, outlining concepts instead of points....
> I DO NOT suggest a "for dummy" title, but something like "Overview"
> and "Technology" division....
>
> Let's take a look at an example:
>
> e.g. "Being able to tamper with cookies may result in hijacking the
> sessions of legitimate users"
>
> Will become:
>
> "Manipulating the cookie content may result, and often results, in
> changing the environment and may lead to simulate another user or to
> gain unauthorized privileges or access"
>
> The aim is to let a TOTAL IDIOT (like me =]) understand what we're
> talking about without falling into technical speech too much and
> without letting the subject to frighten a reader.
> In addition to this not everyone is prepared to cope with every subject
> and more often than not I'm sure that people will thank us for that
> and our introduction will explain them what to read and how to
> document on a peculiar subject...
>
> I'll be able (as an ignorant) to take a look at most of the subjects
> and to write briefings but what I'd really like is to know what do you
> all think about this approach...
>
> Matt gave me an overenthusiastic feedback, but we all know Matt ;)
>
> Ok, sorry to have wasted so much of your time and let me know if I've
> not been clear...
>
>
> Ciao!
>
> MgpF
>
> --
> Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
> Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
> Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
> Privacy & Security Consultant | Forensic Examiner | SEO Expert
> Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project