[Owasp-testing] V4 Update ideas

Agazzini Maurizio inode at mediaservice.net
Thu Sep 27 09:03:50 UTC 2012

On 27/09/2012 01:42, Christian Heinrich wrote:
> The above is already covered in other documents (outside of OWASP) and
> we would ultimately just be duplicating their information without
> providing any additional value.
> Since @mediaservice contribute to the OSSTMM i.e.
> http://www.isecom.org/team.html then maybe you could include the
> relevant links to/from the OWASP Testing Guide v4?

Hi Christian,

Before starting to write to the ML about the new ideas/contributions, we
(some colleagues) discussed how the OWASP Testing Guide can be a better
guide; we tried to ask ourselves what are the points that a newbie "web
app pentester" needs to learn to do the job.

It's true that a lot of our proposals can be found in other documents; we
are not creating anything new, but all OWASP TG chapters/info can be found
in other places. As written in the project overview, the goal of the
project is to create a "best practices web application penetration testing
framework", so why exclude some things useful for the testers?

A skilled pentester (maybe one that also does other kinds of PT) doesn't
need all this info to do the job; he doesn't need a chapter about
finding the web server technology or a chapter about how to identify if
a WAF is on the target. So what's the correct audience of OWASP TG? Who
is OWASP TG for?

Adding just some links to the testing guide is one way, but I'm not sure
that it is the best way for OWASP to grow.

I hope that other people will also reply to this topic, so that we can
know others' thoughts as well.



Maurizio Agazzini                     CISSP, OPST
Senior Security Advisor               Gsm: +39-346-52.09.207
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via Santorelli, 15                    Fax: +39-011-32.46.497
10095 Grugliasco (TO) ITALY           http://mediaservice.net/disclaimer

"C programmers never die. They are just cast into void"
