[Owasp-testing] Testing Guide V4 - Start up

David Fern dfern at verizon.net
Sat Sep 8 22:39:49 UTC 2012

I agree, here are some process items I have from v3:

Section 1 – Testing Techniques Explained – Page 19
    Although Black, Grey and White Box testing are addressed in the document and are common terms, should they be defined?
    Should the concept of automated static and dynamic testing be addressed?

Section 1 – Testing Techniques Explained – Page 20 Threat Modeling
    Should this link to the OWASP Threat Risk Modeling page?

Section 1 – Testing Techniques Explained – Page 26 – Security Requirements Validation
    Could it be mentioned that the list of controls in Section 4 could be used as “Global” requirements in addition to the “specific” requirements specified in the application requirements? All may not be applicable for all applications.

Section 1 – Testing Techniques Explained – Page 36
    Would this be a good place to discuss the OWASP Risk Rating, which is included on page 325 in

Section 3 – The OWASP Testing Framework – Page 40
    Should Open SAMM be mentioned here?

Section 3 – The OWASP Testing Framework – Phase 2: During Definition and Design – Page 41
    Should ESAPI be mentioned here as a best practice?
    Should references to coding standards be given, for example:
    CERT - https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards;jsessionid=A9B9B2080B83DEEB21CE15B1415CEDD9

Section 3 – The OWASP Testing Framework – The Phases, especially 4 and 5 – Page 43
    I would like to see some more details, guidance and checklists on what exactly to do and

Section 3 – The OWASP Testing Framework – OWASP Testing Framework Work Flow – Page 45
    All work tasks do not seem to be included in this section; for example, the section details do not include “Unit and System Tests” and “Acceptance Tests” in the Deployment part of this section on page 43 or 44.

Section 4 - Web Application Penetration Testing – Chart - Page 47
    Would it be possible to add another column linking to the specific OWASP Top 10? My reasoning is that someone may say they will test to the OWASP Top 10, so they need a good list.

Section 4 - Web Application Penetration Testing
    It seems like the test types have Grey Box, White Box and Black Box but it is not consistent. I think all should probably include all 3 types and if one is not applicable, state it.

Appendix A: Testing Tools
    Should WebInspect be added to the Commercial Black Box Testing Tools?
    Should there be an Acceptance Testing Tools – Commercial section for tools such as:
        HP Quick Test Professional
        IBM Rational Robot
    Should the BuildSecurityIn web site be added to the “Useful Websites” section?
    Should the Web Service testing tool soapUI be added?

David :)

 From: Ismael Rocha <ismaelrocha.projetos at gmail.com>
To: Matteo Meucci <matteo.meucci at owasp.org> 
Cc: owasp-testing at lists.owasp.org 
Sent: Friday, September 7, 2012 6:26 PM
Subject: Re: [Owasp-testing] Testing Guide V4 - Start up

I know we've been focused on the testing list but I have some comments for other sections.

a) About the Web Application Penetration Testing
Talking about the Web Application Penetration Testing (chapter 4), I suggest we improve the section with some explanations.
4. Web Application Penetration Testing
4.1 Introduction and Objectives
 -> Introduce typical penetration test phases
  Here we would have an overview of a typical pen-test, divided into 4 phases.
  1) Plan
   This part basically talks about how to plan a penetration test
   -> Types of the Test (maybe the explanation about types of test could fit in a section at the beginning of the testing guide)
    -> Black Box
    -> White Box
    -> Gray Box
   -> Viewpoint
    -> External
    -> Internal
   -> Scope
    -> http://www.targetedapp.com
   -> Restrictions
    -> List of all restrictions (e.g. do not perform DoS, social engineering)
  2) Discovery
   -> Information Gathering
   -> Vulnerability Analysis
  3) Attack
   -> Attack itself
  4) Report
   -> Last phase of a penetration test (chapter 5, writing the report)

b) About the paragraph of the testing cases:
One of the goals of this version is to make the Testing Guide more readable. I think we need to define common subsections present in all testing cases.
Then, all testing cases would have the same sections and formats. I already suggested having the checklist (questions) in a pre-defined subsection inside each testing case. If we have a checklist in a table format, we could collect them and put them into a big table that could be printed and checked.
For example:
4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
  Brief Summary
  Description of the issue
  Related security activities
  Threats
  Countermeasures
  Testing
    -> Black Box
        -> Technique 1
        -> Results expected
    -> Gray Box
    -> White Box
        ....
  Checklist
    | OWASP-SM-004                              | Black Box | White Box | Gray Box |
    | 1. Cache-control defined to no-cache      |           |           |          |
    | 2. Different session token after login    |           |           |          |
  References
  Tools
We can also have a box called tips in each section with some tips highlighted.


Ismael Gonçalves

On Thu, Sep 6, 2012 at 4:22 AM, Matteo Meucci <matteo.meucci at owasp.org> wrote:

Great Luca!
>On 09/04/2012 07:29 PM, Luca Carettoni wrote:
>> On Thu, 2012-08-30 at 22:44 +0200, Matteo Meucci wrote:
>>> My idea is also to contact the authors of the new testing techniques
>>> asking for their contributes.
>>> So for example I wish that for HTTP Verb Tampering, Arshan could help
>>> and for HTTP Parameter pollution, Stefano and Luca can give us the
>>> better contents.
>> Sure! Feel free to add my name on the list.
>> Actually, me and Stefano have already something drafted on HPP that has
>> been written during our research.
>> Cheers,
>> Luca
>Owasp-testing mailing list
>Owasp-testing at lists.owasp.org

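As an added example (not code from the thread or from the OWASP Testing Guide), the two rows of Ismael's sample OWASP-SM-004 checklist above turned into automated checks run over constructed HTTP responses, with the result rendered in the proposed table layout; the cookie name JSESSIONID and the sample headers are assumptions:

```python
import re
# Constructed sample responses (not captured from a real application): the page
# served before login and the response that completes the login.
PRE_LOGIN = ("HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=aaaa1111; Path=/\r\n"
             "Cache-Control: public, max-age=3600\r\n\r\n")
POST_LOGIN = ("HTTP/1.1 302 Found\r\nSet-Cookie: JSESSIONID=bbbb2222; Path=/; HttpOnly\r\n"
              "Cache-Control: private\r\n\r\n")

def parse_headers(raw):
    """Map lower-cased header names to their values, skipping the status line."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def session_token(headers, cookie="JSESSIONID"):
    """Extract the session cookie value from Set-Cookie, if one is issued."""
    for sc in headers.get("set-cookie", []):
        m = re.match(rf"{cookie}=([^;]+)", sc)
        if m:
            return m.group(1)
    return None

def check_no_cache(headers):
    """Row 1: Cache-Control on the session-bearing response must carry no-cache."""
    directives = {d.strip().lower()
                  for v in headers.get("cache-control", []) for d in v.split(",")}
    return "no-cache" in directives

def check_token_rotated(pre, post):
    """Row 2: the token issued after login must differ from the pre-login one."""
    before, after = session_token(pre), session_token(post)
    return before is not None and after is not None and before != after

def run_checklist(pre_raw, post_raw):
    """Evaluate both rows; row 1 is judged on the response that sets the post-login token."""
    pre, post = parse_headers(pre_raw), parse_headers(post_raw)
    return {"1. Cache-control defined to no-cache": check_no_cache(post),
            "2. Different session token after login": check_token_rotated(pre, post)}

def render_checklist(results):
    """Render the rows in the table layout proposed for the printable checklist."""
    rows = ["| OWASP-SM-004                             | Result |"]
    for name, ok in results.items():
        status = "PASS" if ok else "FAIL"
        rows.append(f"| {name:<40} | {status:<6} |")
    return "\n".join(rows)
```

With the constructed responses, row 1 fails (the post-login response is only marked private) and row 2 passes, which is the kind of partially filled table the proposal describes.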