[Owasp-testing] RE: Documented workflows

Felipe Santos De Andrade felipeandrade at oi.net.br
Thu Apr 26 14:52:50 UTC 2012


For tools and technology, you can use OWASP for sure.

For baseline and orientation, I recommend the Mozilla Web App Security documentation.

For process regarding security/assessment in the SDLC, please refer to this excellent doc:
http://www.itl.nist.gov/lab/bulletns/bltndec03.htm


Hope it helps :)


--
Felipe Santos de Andrade
Application Security Manager
Administrative and Financial Directorate
Oi: (21) 8771-2223
felipeandrade at oi.net.br


-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Lovelace, Sunni
Sent: Thursday, April 26, 2012 10:14
To: crib bar ; Owasp asvs ; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Documented workflows

I work for a Fortune 500 insurance company and we run the tool AppScan in our development and test regions.

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of crib bar
Sent: Thursday, April 26, 2012 9:07 AM
To: Owasp asvs ; owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Documented workflows

Does anyone have any sort of documented workflow on the steps you take when performing a web application assessment? I know it's often a combination of tools and manual assessments when performing the audit, but there must be some sort of logical workflow you follow when doing an audit, i.e. 1) do this first ... 20) wrap up testing and write the report.

There must be some tests you run before others, and some areas of the app tested before other areas. I just wondered if you have a workflow that you follow when you do your audits, and if anyone could share the workflow of what's tested first, perhaps a 1-20 type guide, with 1 being the first thing you do when engaging in a new audit, and 20 being the final thing.

If you do have such a workflow, can you share it? Or point me in the direction of a template workflow that you perhaps built your internal audit workflow on...
 
Thanks
Sent using BlackBerry® from Orange
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-testing