[Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2 cents for you...)

Eoin eoinkeary at gmail.com
Wed Oct 18 15:33:43 EDT 2006


Hey Seba,

Fine with me as long as we do not keep repeating ourselves throughout the
site.
It's Matteo's call.

Regarding the reporting stuff, we also do some work with the metrics project,
especially in the categorisation of severity and criticality context, i.e.
"What is High severity, what is med, how do we define this as each project
is unique and vulns are context sensitive?"

Nice one. Keep up all this good stuff and conversation. Things are really
shaping up well.
A real AoC success story, so far :0)
Eoin


On 18/10/06, Sebastien Deleersnyder <sebastien.deleersnyder at ascure.com>
wrote:
>
> All,
>
> I strongly support adding the 'idiot' introduction as follows:
> > > The summary must not be longer than 50/60 words, and must clearly
> > > answer the following two questions:
> > >
> > > 1. What kind of vulnerability are we testing ?
> > > 2. What are the risks posed by such a vulnerability ?
>
> => we will need this anyway for the reporting (must be read by
> managers).
>
> You can have a very technically skilled tester with magnificent results,
> but if this is not correctly translated towards an analysis for a
> manager, it's a waste of resources.
>
> I am a candidate to aid in the reporting section, as this also really
> touches the crucial expected outcome: improvement on short and longer
> term.
>
> Regards,
>
> Sebastien
>
> -----Original Message-----
> From: owasp-testing-bounces at lists.owasp.org
> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Ariel
> Waissbein
> Sent: Wednesday 18 October 2006 19:58
> To: Eoin
> Cc: owasp-testing at lists.owasp.org
> Subject: Re: [Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2
> cents for you...)
>
> Hi all,
>
> IMHO we should try to be concise with everything that is repeated
> elsewhere and give pointers so that newbies can follow. On the other
> hand, it is really a nuisance to follow eight links to read one article,
> so there should be some tradeoff (which each contributor could manage
> without further explanations). :)
>
> Cheers,
> Ariel
>
> Eoin wrote:
> > Hi Matteo,
> > If the majority of the team wish to add the "idiots guide" (this makes
> > me smile), then so be it, cool.
> >
> > I think we should be careful that we don't reinvent the wheel or repeat
> > definitions that we already have on the site. We can simply add a URL
> > to a section on the OWASP site to the same information.?
> >
> > Matteo (Meucci), as technical AoC lead, it's your call, if that's ok with
> > everyone?
> >
> > Eoin
> >
> >
> >
> >
> > On 18/10/06, *Matteo G.P. Flora* <mf at matteoflora.com> wrote:
> >
> >     On 10/18/06, Eoin <eoinkeary at gmail.com> wrote:
> >     ...
> >     > I think the agreement already is to stick to the "how to test"
> >     > information and leave the theory and background to other sections of
> >     > the site which already exist.
> >
> >     Hi Eoin and thanx for the answer,
> >
> >     sorry for being blunt, but I humbly think this way you'll just lose
> >     80% of the audience.
> >     The world isn't made by pentest-geniuses and while I don't suggest to
> >     explain "what a cookie is" I strongly suggest to give the idiots a
> >     chance...
> >
> >     That's, of course, just my 2eurocents, but you can't suppose everyone
> >     will know everything and all the document risks being set in a
> >     corner for reference only by managers. And this means it will be
> >     set in a corner by decision makers. And this means less and less
> >     adoption...
> >
> >     That's, of course, just my opinion having to handle to tenths of
> >     organizations that choose ISO27001 over OSSTMM for VA only because
> >     they understand the former and not the latter...
> >
> >     This said it's not a religious belief on my side and I may be (and
> >     probably am) wrong...
> >
> >     Think about how many people know laws... And what's the problem of laws?
> >
> >     "The former article XXX of YYY is changed according to YYY and XXX
> >     while article WWW will modify TTT to be real at EEE on ZZZ."
> >
> >
> >
> >     My 2eurocents as always and I'll not pursue this more.
> >
> >     MgpF
> >
> >     --
> >     Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
> >     Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
> >     Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
> >     Privacy & Security Consultant | Forensic Examiner | SEO Expert
> >     Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com
> >
> >
> >
> >
> > --
> > Eoin Keary OWASP - Ireland
> > http://www.owasp.org/local/ireland.html
> > http://www.owasp.org/index.php/OWASP_Testing_Project
> > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >
> >
> >
> ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing



-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project