[Owasp-testing] Comparison between our testing guide and the OSSTMM (Open Source Security Testing Methodology Manual)

James Kist kist at meridiansecurity.net
Thu Jan 18 20:29:58 EST 2007


Here's what I found in the application-related chapters of the Information
Systems Security Assessment Framework (ISSAF), by chapter:
 
WEB APPLICATION SECURITY ASSESSMENT
T.6.7 Identifying Application Server (such as tomcat or other middleware) -
is this in the OWASP guide? I did not see it.
T.6.9 Copy web site (Offline) using tools such as HTTrack, Black Widow,
WebCopier, wget. Not sure if this is explicitly mentioned in the OWASP
guide.
 
WEB APPLICATION SECURITY ASSESSMENT (CONTINUE.) - SQL INJECTIONS
Very thorough and with lots of examples. Probably deserves a reference.

SOURCE CODE AUDITING
Did not look at, as I think this relates more to the Code Review project.
Agreed?
 
BINARY AUDITING
Incomplete chapter - looks like they could use a reference here to our guide :)
 
APPLICATION SECURITY EVALUATION CHECKLIST
Has a pretty good evaluation checklist that covers technical and
administrative controls (such as separation of duties, sufficient staff,
NDAs for contract programmers, security in the SDLC, etc.)
 
DATABASE SECURITY ASSESSMENT
Covers vendor-specific database permissions and security settings. Good
stuff. Do we want to include in the OWASP guide? Or just a reference? 
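The first item above (T.6.7, identifying the application server behind a site) is the kind of check a tester ends up scripting: request a page that does not exist, then look at the Server / X-Powered-By style headers and at the vendor default error page, both of which commonly leak the product and version. The following is an added example and not code from the ISSAF, the OWASP Testing Guide or anyone in this thread; the HTTP responses are constructed samples, the signature list is a small illustrative subset (Tomcat, JBoss, IIS/ASP.NET), and nothing is sent over the network.

```python
"""Fingerprint an application server / middleware layer from a raw HTTP response.

Added example: parses a raw response (status line, headers, body) and matches
version-disclosure patterns in headers and in vendor default error pages.
All sample responses below are constructed, not captured from a real host.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (product, version or "", evidence)

# Header signatures: (header name lower-cased, regex, product).
# A capturing group, when present, is the version.
HEADER_SIGNATURES = [
    ("server", r"Apache-Coyote/([\d.]+)", "Coyote HTTP connector (Tomcat/JBossWeb)"),
    ("server", r"Microsoft-IIS/([\d.]+)", "Microsoft IIS"),
    ("x-powered-by", r"JBoss-([\d.]+)", "JBoss AS"),
    ("x-powered-by", r"JBossWeb-([\d.]+)", "JBossWeb"),
    ("x-powered-by", r"Servlet ([\d.]+)", "Java Servlet API"),
    ("x-powered-by", r"ASP\.NET", "ASP.NET"),
    ("x-aspnet-version", r"([\d.]+)", "ASP.NET runtime"),
]

# Body signatures: default error pages that embed product and version.
BODY_SIGNATURES = [
    (r"Apache Tomcat/([\d.]+)", "Apache Tomcat"),
    (r"JBossWeb/([\d.]+)", "JBossWeb"),
]

# Constructed sample responses (assumed, for illustration only).
SAMPLES = {
    "tomcat": (
        "HTTP/1.1 404 Not Found\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Content-Type: text/html;charset=utf-8\r\n\r\n"
        "<html><head><title>Apache Tomcat/6.0.18 - Error report</title></head>"
        "<body><h1>HTTP Status 404 - /doesnotexist</h1></body></html>"
    ),
    "jboss": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1\r\n\r\n"
        "<html><body>ok</body></html>"
    ),
    "iis": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "X-Powered-By: ASP.NET\r\n"
        "X-AspNet-Version: 2.0.50727\r\n\r\n"
        "<html><body>ok</body></html>"
    ),
    # A hardened server: generic error page, no product headers.
    "hardened": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><body>Not found</body></html>"
    ),
}


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body).

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(raw: str) -> List[Finding]:
    """Return every product/version disclosure found in headers and body."""
    _status, headers, body = parse_response(raw)
    findings: List[Finding] = []
    for name, pattern, product in HEADER_SIGNATURES:
        value = headers.get(name)
        if value is None:
            continue
        m = re.search(pattern, value)
        if m:
            version = m.group(1) if m.groups() else ""
            findings.append((product, version, f"{name}: {value}"))
    for pattern, product in BODY_SIGNATURES:
        m = re.search(pattern, body)
        if m:
            findings.append((product, m.group(1), m.group(0)))
    return findings


def leaks_version(raw: str) -> bool:
    """True if any finding carries a concrete version string."""
    return any(version for _, version, _ in fingerprint(raw))


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", fingerprint(raw) or "no disclosure")
```

The body signatures only fire on the vendor's own error page, which is why the probe should be a request for a path that cannot exist; the `hardened` sample shows what a server with a custom error page and stripped headers looks like to this check (no findings), and `leaks_version` is the yes/no a report would record.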


  _____  

From: Dinis Cruz [mailto:dinis at ddplus.net] 
Sent: Thursday, January 18, 2007 7:16 PM
To: James Kist
Subject: Re: [Owasp-testing] Comparison between our testing guide and the
OSSTMM (Open Source Security Testing Methodology Manual)


Good point James, are you able to take a look?

Dinis


On 1/19/07, James Kist <kist at meridiansecurity.net> wrote: 

The Information Systems Security Assessment Framework (ISSAF) at
http://www.oissg.org/content/view/71/71/ has the following relevant
chapters:
 
WEB APPLICATION SECURITY ASSESSMENT
WEB APPLICATION SECURITY ASSESSMENT (CONTINUE.) - SQL INJECTIONS
SOURCE CODE AUDITING
BINARY AUDITING
APPLICATION SECURITY EVALUATION CHECKLIST
DATABASE SECURITY ASSESSMENT
 
We should also look at this guide to see if we missed anything. 
 
 
  _____  

From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Thursday, January 18, 2007 6:15 PM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Comparison between our testing guide and the
OSSTMM (Open Source Security Testing Methodology Manual)



It would be good to know (and to even include in our version of the Guide)
what are the differences between OWASP Testing Guide and
http://www.isecom.org/osstmm/ 

If there are major section(s) in the OSSTMM that are not covered in the OWASP
Testing Guide but are relevant to its audience, then we should add the
respective references 

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org 
