[Owasp-testing] Comparison between our testing guide and the OSSTMM(Open Source Security Testing Methodology Manual)

Eoin eoinkeary at gmail.com
Fri Jan 19 06:31:10 EST 2007


Good work James
Answers below:


On 19/01/07, James Kist <kist at meridiansecurity.net> wrote:

>  Here's what I found in the application-related chapters of the
> Information Systems Security Assessment Framework (ISSAF), by chapter:
>
> WEB APPLICATION SECURITY ASSESSMENT
> T.6.7 Identifying Application Server (such as tomcat or other middleware)
> - is this in the OWASP guide? I did not see it.
>

We do have some in the application discovery section relating to nmap and URL id.

>  T.6.9 Copy web site (Offline) using tools such as HTTTRACK, Black Widow,
> WebCopier, wget. Not sure if this is explicitly mentioned in the OWASP
> guide.
>

No, we have none of this website copy stuff.



>
> WEB APPLICATION SECURITY ASSESSMENT (CONTINUE…) – SQL INJECTIONS
> Very thorough and with lots of examples. Probably deserves a reference.
>


Fair enough

>  SOURCE CODE AUDITING
> Did not look at, as I think this relates more to the Code Review project.
> Agreed?
>
>

Correct

>  BINARY AUDITING
> Incomplete chapter - looks they could use a reference here to our guide :)
>
>

Yep, we need to do a bit on this also, in the code review guide.

>  APPLICATION SECURITY EVALUATION CHECKLIST
> Has a pretty good evaluation checklist that covers technical and
> administrative controls (such as separation of duties, sufficient staff,
> NDAs for contract programmers, security in the SDLC, etc.)
>
>
Not sure about this, maybe in the next release.

>  DATABASE SECURITY ASSESSMENT
> Covers vendor-specific database permissions and security settings. Good
> stuff. Do we want to include in the OWASP guide? Or just a reference?
>

We have a small bit on Oracle/Listener security etc.
More shall be in the code review guide (MySQL).
Not sure if we want to open the DB "can of worms"?

>  ------------------------------
> *From:* Dinis Cruz [mailto:dinis at ddplus.net]
> *Sent:* Thursday, January 18, 2007 7:16 PM
> *To:* James Kist
> *Subject:* Re: [Owasp-testing] Comparison between our testing guide and
> the OSSTMM(Open Source Security Testing Methodology Manual)
>
>
> good point james, are you able to take a look?
>
> Dinis
>
> On 1/19/07, James Kist <kist at meridiansecurity.net> wrote:
> >
> >  The Information Systems Security Assessment Framework (ISSAF) at
> > http://www.oissg.org/content/view/71/71/ has the following relevant
> > chapters:
> >
> > WEB APPLICATION SECURITY ASSESSMENT
> > WEB APPLICATION SECURITY ASSESSMENT (CONTINUE…) – SQL INJECTIONS
> > SOURCE CODE AUDITING
> > BINARY AUDITING
> > APPLICATION SECURITY EVALUATION CHECKLIST
> > DATABASE SECURITY ASSESSMENT
> >
> > We should also look at this guide to see if we missed anything.
> >
> >
> >  ------------------------------
> >  *From:* owasp-testing-bounces at lists.owasp.org [mailto:
> > owasp-testing-bounces at lists.owasp.org] *On Behalf Of *Dinis Cruz
> > *Sent:* Thursday, January 18, 2007 6:15 PM
> > *To:* owasp-testing at lists.owasp.org
> > *Subject:* [Owasp-testing] Comparison between our testing guide and the
> > OSSTMM(Open Source Security Testing Methodology Manual)
> >
> >
> >  It would be good to know (and to even include in our version of the
> > Guide) what are the differences between OWASP Testing Guide and
> > http://www.isecom.org/osstmm/
> >
> > If there are major section(s) in the OSSTMM that are not covered in the
> > OWASP Testing Guide but are relevant to its audience, then we should add the
> > respective references.
> >
> > Dinis Cruz
> > Chief OWASP Evangelist, Are you a member yet?
> > http://www.owasp.org
> >
>
>
>
> --
> Dinis Cruz
> Chief OWASP Evangelist, Are you a member yet?
> http://www.owasp.org
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project