[Owasp-testing] editorial changes to intro

Marco Cova marco.cova at gmail.com
Thu Jul 17 12:27:45 EDT 2008


Marco

On Thu, Jul 17, 2008 at 4:36 AM, Marco M. Morana
<marco.m.morana at gmail.com> wrote:
> As I read your comments, I think you reviewed the introduction of vs 2. Did
> you also review the new additions on the testing methodology of vs 3? If so,
> I will be happy to address changes.

No, I haven't got there yet. I stopped at the end of section 3 in the
introduction... I hope to finish reading the new part today.

> The part on automated tools being bad at finding vulnerabilities should
> probably be clarified (Mindset paragraph in principles).
>
> I can provide changes to address threat modeling for testing and tools being
> bad at finding vulnerabilities.

I guess my main concern here was that the paragraph reads as a little bit
too categorical: I'm sure tools are good at detecting *certain*
classes of vulnerabilities under *certain* conditions. Then, as the
article says, they have limitations. Maybe the discussion could be
cast in terms of false positives and false negatives?

Marco
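To make the false-positive / false-negative framing concrete, here is an added example (not part of the original thread or of the OWASP Testing Guide): a small script that compares a scanner's findings against a manually confirmed ground truth and reports true positives, false positives and false negatives per vulnerability class, then precision and recall. All endpoints, classes and findings are constructed sample data, and the scanner is hypothetical.

```python
"""Per-class precision/recall for an automated scanner's findings.

Added example: constructed data, hypothetical scanner. It illustrates
how "tools are good at certain classes under certain conditions" can be
expressed as per-class false-positive and false-negative rates instead
of a blanket "tools are bad at finding vulnerabilities".
"""
from collections import defaultdict

# Constructed ground truth: issues a manual review confirmed,
# keyed as (endpoint, vulnerability class). Hypothetical sample data.
GROUND_TRUTH = {
    ("/login", "sqli"),
    ("/search", "xss"),
    ("/profile", "xss"),
    ("/admin/export", "idor"),   # authorization flaw: no crash, no oracle
    ("/checkout", "csrf"),
}

# Constructed scanner output: what the hypothetical tool reported.
SCANNER_FINDINGS = {
    ("/login", "sqli"),          # true positive
    ("/search", "xss"),          # true positive
    ("/comments", "xss"),        # false positive: reflected but encoded
    ("/checkout", "csrf"),       # true positive
    ("/api/status", "csrf"),     # false positive: idempotent GET
    # ("/profile", "xss") missed -> false negative
    # ("/admin/export", "idor") missed -> false negative (needs business context)
}


def confusion_by_class(truth, findings):
    """Return {class: {"tp": n, "fp": n, "fn": n}} for every class seen
    in either the ground truth or the scanner output."""
    stats = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0})
    for item in findings:
        cls = item[1]
        if item in truth:
            stats[cls]["tp"] += 1
        else:
            stats[cls]["fp"] += 1
    for item in truth - findings:
        stats[item[1]]["fn"] += 1
    return dict(stats)


def rates(stats):
    """Precision and recall per class. None where the ratio is 0/0
    (e.g. precision for a class the scanner never reported)."""
    out = {}
    for cls, c in stats.items():
        reported = c["tp"] + c["fp"]
        present = c["tp"] + c["fn"]
        out[cls] = {
            "precision": c["tp"] / reported if reported else None,
            "recall": c["tp"] / present if present else None,
        }
    return out


def overall(stats):
    """Aggregate (tp, fp, fn) across all classes."""
    tp = sum(c["tp"] for c in stats.values())
    fp = sum(c["fp"] for c in stats.values())
    fn = sum(c["fn"] for c in stats.values())
    return tp, fp, fn


if __name__ == "__main__":
    stats = confusion_by_class(GROUND_TRUTH, SCANNER_FINDINGS)
    for cls, r in sorted(rates(stats).items()):
        c = stats[cls]
        print(f"{cls:5s} tp={c['tp']} fp={c['fp']} fn={c['fn']} "
              f"precision={r['precision']} recall={r['recall']}")
    print("overall tp/fp/fn:", overall(stats))
```

Run on the constructed data, the per-class view shows the nuance the thread asks for: the scanner is perfect on the one injection flaw it can probe with a payload, noisy on XSS (one encoded reflection counted as a hit, one context missed), and entirely blind to the IDOR, which has no technical signal without knowing who should be allowed to export what.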

