[Owasp-testing] Testing Guide V4 - Start up

Simone Onofri simone.onofri at gmail.com
Sat Sep 1 00:36:23 UTC 2012


Hi,

I think web applications and mobile applications share some tests in a
similar/hybrid context, but the question is whether this guide also has
mobile testing in scope... then decide whether to include it or not.

cheers,

s.

On Fri, Aug 31, 2012 at 8:55 PM, Kevin Horvath <kevin.horvath at gmail.com> wrote:

> There is a separate OWASP guide for mobile testing.
>
> https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
>
>
> On Fri, Aug 31, 2012 at 1:01 PM, Eoin <eoin.keary at owasp.org> wrote:
> > Are we covering mobile testing at all?
> > Sorry if this was mentioned already.
> >
> >
> >
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 31 Aug 2012, at 11:28, Matteo Meucci <matteo.meucci at owasp.org> wrote:
> >
> >> Hi Simon,
> >> yep I agree.
> >>
> >> Maybe we can distinguish as follows for each paragraph:
> >> - OWASP Tools:
> >> (Flagship, Labs, Incubator, Archive)
> >> - Other Open Source tools:
> >>
> >> I think that a contributor should be dedicated to verifying which tests
> >> are suitable using ZAP (maybe Amro, who writes the Appendix A "Testing
> >> Tools")?
> >>
> >> Thanks,
> >> Mat
> >>
> >>
> >>
> >> On 08/31/2012 09:56 AM, psiinon wrote:
> >>> I think it's right for us to suggest an open source tool (or tools) for
> >>> using in each section, however I don't think we should view this as a
> >>> ZAP vs WebScarab contest.
> >>> We want to suggest the best possible tool, but I also think that it's
> >>> reasonable for us to /prefer/ OWASP ones.
> >>> But we should also favour tools that are more mature and/or more
> >>> frequently updated.
> >>> For OWASP tools I think we can rely on the new classifications:
> >>> Flagship, Labs, Incubator, Archive.
> >>> So I think it's really a sliding scale.
> >>> If there's a Flagship OWASP project that is great at finding a specific
> >>> type of vulnerability then we should definitely use that as the
> >>> example.
> >>> If not then we have to balance how relevant that tool is likely to
> >>> remain.
> >>> A brand new Incubator project might be great in one specific case, but
> >>> may also not really be in a fit state for most people to use, or the
> >>> project may quickly wither and die.
> >>> And if a well regarded non-OWASP open source tool is the best option
> >>> then we should use that.
> >>>
> >>> Going back to ZAP, I obviously hope it will be the ideal tool in many
> >>> cases :)
> >>> And helping to establish if this is the case and explaining exactly how
> >>> ZAP can be used may be the most effective way I can contribute to this
> >>> guide.
> >>>
> >>> But I also want to use this process to learn where ZAP's weaknesses
> >>> are.
> >>> And depending on how long it takes to produce the guide we (the ZAP
> >>> developers) may be able to enhance specific areas of ZAP as the work on
> >>> the guide develops.
> >>> So please let me know asap if/when you work on an area of the guide
> >>> that you don't think ZAP is effective in helping with, or if you would
> >>> like advice and guidance on how to use ZAP as effectively as possible.
> >>>
> >>> Cheers,
> >>>
> >>> Simon (ZAP Project Lead)
> >>>
> >>> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
> >>>
> >>>    Perfect!
> >>>    I've updated the wiki, thanks!
> >>>
> >>>    Mat
> >>>
> >>>    On 08/30/2012 11:15 PM, Amro wrote:
> >>>> Thanks Mat,
> >>>>
> >>>> Please assign this task to me and I will make sure that our tool
> >>>> sets are updated.
> >>>>
> >>>> Regards,
> >>>> Amro
> >>>> Sent from BlackBerry®. Excuse typo's and brevity.
> >>>>
> >>>> -----Original Message-----
> >>>> From: Matteo Meucci <matteo.meucci at owasp.org>
> >>>> Date: Thu, 30 Aug 2012 23:11:41
> >>>> To: <amro at owasp.org>
> >>>> Cc: <owasp-testing-bounces at lists.owasp.org>; <owasp-testing at lists.owasp.org>
> >>>> Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
> >>>>
> >>>> Hi Amro,
> >>>> good question related to the tools. Here we have to update many
> >>>> references.
> >>>>
> >>>> Usually at the end of each article we suggest using a particular open
> >>>> source tool to perform the test. I think we can use and suggest
> >>>> both tools in many situations.
> >>>> Also the Appendix A "Testing Tools" should pick up all the testing tools
> >>>> cited in the Testing Guide and give more details.
> >>>>
> >>>> Thanks,
> >>>> Mat
> >>>>
> >>>> On 08/30/2012 10:58 PM, Amro wrote:
> >>>>> Please count me in as well .. Are we gonna use ZAP instead of
> >>>>> WebScarab in the new version?
> >>>>>
> >>>>> Regards,
> >>>>> Amro
> >>>>> Sent from BlackBerry®. Excuse typo's and brevity.
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Matteo Meucci <matteo.meucci at owasp.org>
> >>>>> Sender: owasp-testing-bounces at lists.owasp.org
> >>>>> Date: Thu, 30 Aug 2012 17:40:29
> >>>>> To: <owasp-testing at lists.owasp.org>
> >>>>> Subject: [Owasp-testing] Testing Guide V4 - Start up
> >>>>>
> >>>>> Hi all Testing Guide contributors.
> >>>>>
> >>>>> Testing Guide v4 has been approved as Projects Reboot 2012!
> >>>>> https://www.owasp.org/index.php/Projects_Reboot_2012
> >>>>>
> >>>>> Here is the list of contributors I've collected:
> >>>>>
> >>>>> Pavol Luptak
> >>>>> Marco Morana
> >>>>> Giorgio Fedon
> >>>>> Stefano Di Paola
> >>>>> Gianrico Ingrosso
> >>>>> Giuseppe Bonfà
> >>>>> Roberto Suggi Liverani
> >>>>> Robert Smith
> >>>>> Andrew Muller
> >>>>> Robert Winkel
> >>>>> tripurari rai
> >>>>> Thomas Ryan
> >>>>> tim bertels
> >>>>> Cecil Su
> >>>>> Aung KhAnt
> >>>>> Norbert Szetei
> >>>>> michael.boman
> >>>>> Wagner Elias
> >>>>> Kevin Horvat
> >>>>> Juan Galiana Lara
> >>>>> Kenan Gursoy
> >>>>> Jason Flood
> >>>>> Javier Marcos de Prado
> >>>>> Sumit Siddharth
> >>>>> Mike Hryekewicz
> >>>>> psiinon
> >>>>> Ray Schippers
> >>>>> Raul Siles
> >>>>> Jayanta Karmakar
> >>>>> Brad Causey
> >>>>> Vicente Aguilera
> >>>>> Ismael Gonçalves
> >>>>>
> >>>>> Reviewers team:
> >>>>>
> >>>>> Paolo Perego
> >>>>> Daniel Cuthbert
> >>>>> Matthew Churcher
> >>>>> Lode Vanstechelman
> >>>>> Sebastien Gioria
> >>>>>
> >>>>>
> >>>>> Introduction and Project purpose for v4:
> >>>>> =========================================
> >>>>> The OWASP Testing Guide v3 includes a "best practice" penetration
> >>>>> testing framework which users can implement in their own
> >>>>> organizations and a "low level" penetration testing guide that
> >>>>> describes techniques for testing the most common web application and
> >>>>> web service security issues. Nowadays the Testing Guide has become the
> >>>>> standard for performing web application penetration testing, and many
> >>>>> companies all around the world have adopted it.
> >>>>> It is vital that the project maintains an updated guide that
> >>>>> represents the state of the art for WebAppSec.
> >>>>>
> >>>>> Project Roadmap
> >>>>> =============
> >>>>>
> >>>>> - (1) 1st phase: Brainstorming and create a new table of contents
> >>>>>
> >>>>> Objective: creating a new table of contents for the OTGv4 and
> >>>>> assigning a task to each contributor.
> >>>>> I created a new OWASP Testing Guide v4 table of contents here:
> >>>>>
> >>>>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> >>>>>
> >>>>> - (2) 2nd phase: Writing
> >>>>> 20th September 2012: Start writing the articles
> >>>>> 1st November 2012: 1st Draft
> >>>>> 30th November: end of writing phase
> >>>>>
> >>>>> - (3) 3rd phase: Reviewing
> >>>>>
> >>>>> - 1st December 2012: Starting the review phase,
> >>>>> - 15th December 2012: Create the RC1,
> >>>>> - 31st January 2013: Release the version 4.
> >>>>>
> >>>>> Timeline: November 2012 1st Draft, January 2013 Final Release
> >>>>>
> >>>>> So, let's start discussion about phase (1)!
> >>>>>
> >>>>> Thanks!
> >>>>> Mat
> >>>>>
> >>>>> --
> >>>>> Matteo Meucci
> >>>>> OWASP Testing Guide Lead
> >>>>> OWASP-Italy President
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Owasp-testing mailing list
> >>>>> Owasp-testing at lists.owasp.org
> >>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >>>>>
> >>>>
> >>>
> >>> --
> >>> OWASP ZAP: Toolsmith Tool of the Year 2011
> >>> <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
> >>>
> >>
>