[Owasp-testing] Checklists for testing guide v4

psiinon psiinon at gmail.com
Fri Feb 4 06:21:59 EST 2011

Hi folks,

I'm relatively new to this list, so apologies if this has been
discussed to death in the past!

I'd like to see a set of checklists, either as part of the core guide,
or as additional resources.
I understand the various comments in the v3 guide like "Try to avoid
using the guide as a checklist", but I do think that checklists could
be a useful addition to the guide.
I've had a look at pages like:
http://www.owasp.org/index.php/Testing_Checklist, and
http://a4apphack.com/featured/web-appsec-testing-checklist but they
don't quite match what I have in mind.
What I was thinking of was multiple checklists for different levels of
pentesting - eg a novice / 'quick and dirty' test, a medium depth test
and a full fat version.
Ideally these would also be available as html pages which could then
link directly to the relevant pages of the online version of the
I'd also really like them to be hierarchical, like
http://portswigger.net/wahh/tasks.html :)
They could then be included in tools (like the Zed Attack proxy;)
which could provide integrated checklists, again linking to the guide.
Obviously that's one angle I'm looking at, but I also teach basic pen
testing techniques to functional testers, and for them the testing
guide is quite heavyweight.
A 'quick and dirty' checklist might make it easier for them to get
started with basic security testing.
If such checklists are thought to be useful then I'd be happy to
contribute to them.