[Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2 cents for you...)

Matteo Meucci matteo.meucci at gmail.com
Wed Oct 18 18:58:49 EDT 2006


Perfect...
Ok, our world is open and democratic... so, I count more guys that are
pro Matteo Flora's idea. So we can add a very short "Summary" in
which we describe in "natural language" what we want to do (very very
short summary).

If we take a look at the table of Contents:
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents
I think we have set up a great team...thanks all!

Now I suggest we begin using the power of the Wiki and begin writing the
paragraphs, sharing our experiences directly on our portal... 5th November
is not so far... :)
I remind all to be pragmatic and to explain by examples. Maybe in this
period of time it is useful to discuss what to write in every single
paragraph, if someone has some doubts.

Thanks,
Mat

On 10/18/06, Eoin <eoinkeary at gmail.com> wrote:
> Hey Seba,
>
> Fine with me as long as we do not keep repeating ourselves throughout the
> site.
> It's Matteo's call.
>
> Regarding the reporting stuff we also do some work with the metrics project.
> Especially in the categorisation of severity and criticality context, i.e.
> "What is High severity, what is med, how do we define this as each project
> is unique and vulns are context sensitive?"
>
> Nice one. Keep up all this good stuff and conversation. Things are really
> shaping up well.
> A real AoC success story, so far :0)
> Eoin
>
>
> On 18/10/06, Sebastien Deleersnyder
> <sebastien.deleersnyder at ascure.com> wrote:
> > All,
> >
> > I strongly support to add the 'idiot' introduction as follows:
> > > > The summary must not be longer than 50/60 words, and must clearly
> > > > answer the following two questions:
> > > >
> > > > 1. What kind of vulnerability are we testing ?
> > > > 2. What are the risks posed by such a vulnerability ?
> >
> > => we will need this anyway for the reporting (must be read by
> > managers).
> >
> > You can have a very technically skilled tester with magnificent results,
> > but if this is not correctly translated towards an analysis for a
> > manager, it's a waste of resources.
> >
> > I am a candidate to aid in the reporting section, as this also really
> > touches the crucial expected outcome: improvement on short and longer
> > term.
> >
> > Regards,
> >
> > Sebastien
> >
> > -----Original Message-----
> > From: owasp-testing-bounces at lists.owasp.org
> > [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Ariel
> > Waissbein
> > Sent: woensdag 18 oktober 2006 19:58
> > To: Eoin
> > Cc: owasp-testing at lists.owasp.org
> > Subject: Re: [Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2
> > cents for you...)
> >
> >
> > Hi all,
> >
> > IMHO we should try to be concise with everything that is repeated
> > elsewhere and give pointers so that newbies can follow. On the other
> > hand, it is really a nuisance to follow eight links to read one article,
> > so there should be some tradeoff (which each contributor could manage
> > without further explanations). :)
> >
> > Cheers,
> > Ariel
> >
> > Eoin wrote:
> > > Hi Matteo,
> > > If the majority of the team wish to add the "idiots guide" (this makes
> > > me smile), then so be it, cool.
> > >
> > > I think we should be careful that we don't reinvent the wheel or
> > > repeat definitions that we already have on the site. We can simply
> > > add a URL to a section on the OWASP site to the same information?
> > >
> > > Matteo (Meucci), as technical AoC lead, it's your call, if that's ok
> > > with everyone?
> > >
> > > Eoin
> > >
> > >
> > >
> > >
> > > On 18/10/06, *Matteo G.P. Flora* <mf at matteoflora.com
> > > <mailto:mf at matteoflora.com>> wrote:
> > >
> > >     On 10/18/06, Eoin <eoinkeary at gmail.com
> > >     <mailto:eoinkeary at gmail.com>> wrote:
> > >     ...
> > >     > I think the agreement already is to stick to the "how to test"
> > >     > information and leave the theory and background to other sections
> > >     > of the site which already exist.
> > >
> > >     Hi Eoin and thanks for the answer,
> > >
> > >     sorry for being blunt, but I humbly think this way you'll just lose
> > >     80% of the audience.
> > >     The world isn't made of pentest geniuses and while I don't suggest to
> > >     explain "what a cookie is" I strongly suggest to give the idiots a
> > >     chance...
> > >
> > >     That's, of course, just my 2 eurocents, but you can't suppose everyone
> > >     will know everything and all the document risks being set in a
> > >     corner for reference only by managers. And this means it will be
> > >     set in a corner by decision makers. And this means less and less
> > >     adoption...
> > >
> > >     That's, of course, just my opinion having to handle tens of
> > >     organizations that choose ISO27001 over OSSTMM for VA only because
> > >     they understand the former and not the latter...
> > >
> > >     This said it's not a religious belief on my side and I may be (and
> > >     probably am) wrong...
> > >
> > >     Think about how many people know laws... And what's the problem of
> > >     laws?
> > >
> > >     "The former article XXX of YYY is changed according to YYY and XXX
> > >     while article WWW will modify TTT to be real at EEE on ZZZ."
> > >
> > >     My 2 eurocents as always and I'll not pursue this more.
> > >
> > >     MgpF
> > >
> > >     --
> > >     Matteo G.P. Flora | mf at matteoflora.com <mailto:mf at matteoflora.com> |
> > >     www.MatteoFlora.com <http://www.MatteoFlora.com>
> > >     Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
> > >     Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
> > >     Privacy & Security Consultant | Forensic Examiner | SEO Expert
> > >     Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com
> > >
> > > --
> > > Eoin Keary OWASP - Ireland
> > > http://www.owasp.org/local/ireland.html
> > > http://www.owasp.org/index.php/OWASP_Testing_Project
> > > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> > >
> > > _______________________________________________
> > > Owasp-testing mailing list
> > > Owasp-testing at lists.owasp.org
> > > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> > Regards,
> >
> > Sebastien
>
> --
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project
>


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide
