[Owasp-testing] Addressing Marco's Comments on Testing Guide Introduction Chapter

Marco M. Morana marco.m.morana at gmail.com
Sun Aug 31 20:29:50 EDT 2008



I have made changes to the introduction section of the guide (*) to take care of
Marco Cova's comments (**).

Most of the changes are related to formatting, with very few content changes
as required.


Regarding the OWASP TM I refer to the one being written for source code
analysis (it is the most up to date). I took out the code snippet for the note
on source code analysis and changed the wording a little to emphasize common


I have included a little introductory summary text at the beginning of
section 4 to help the transition between the concepts expressed as part of
section 3 of the guide vs. 2 and new ones I added as section 4 of vs3 of the




Marco Morana

OWASP Cincinnati Chapter Leader








I've completed a read-through of the guide (except a few sections toward the
end), changing some things along the way (mostly to fix typos or clarify
paragraphs: yes, sorry for all those minor edits :-)).


Here are some more notes/comments, which hopefully should be addressable in
a short time (the number refers to the chapter/section, "all" means it is
applicable to the whole content):

all: There should be a standard format for references: different sections
use different styles (e.g., inline, footnote).

all: Remove all references to part 1/part 2 of the guide and use appropriate
chapter numbers instead.

2: It refers to a detailed threat modeling methodology ("Part 2 of the OWASP
Testing Guide (the detailed 'How To' text) will outline a specific Threat
Modeling methodology"), which doesn't seem to exist.

The paragraph "A Note about Static Source Code Review Tools" is very confusing
(what is the code, what is the undefined variable temp?): it should either be
improved substantially or be removed.

Before the section on Security requirements, there is a link to the TOC:
is that supposed to be there?

What is meant by "application security frame categorization"?

"From the defect management and reporting perspective, software quality and
security testing can leverage similar issue categorizations and
metrics": not clear

Section 3 and Section 4 are a bit disconnected. It probably would be good to
have a paragraph to introduce Section 4, so that it is clear why it's there.
For example, something along the lines of "if you want to have a successful
testing program, you need to know what are the objectives of the testing.
These objectives are specified by security requirements. This section

Some parts of the last section overlap with the content of the next chapter.

