[Owasp-testing] A Few Additions to Testing Guide v4

Andrew Muller andrew at ionize.com.au
Wed Oct 23 05:27:42 UTC 2013


Thanks Colin, 
  Great work! 
Regarding testing for "security measures that waste users' time", I'm not sure we can definitively or quantitatively test for security usability. But Angela's point is valid for usability and user acceptance testing. Do you have some thoughts on how we could achieve this? A test for dancing pigs test case? ;) 
Andrew 


----- Original Message -----

From: "Colin Watson" <colin.watson at owasp.org> 
To: "owasp-testing" <owasp-testing at lists.owasp.org> 
Sent: Wednesday, 16 October, 2013 3:00:03 AM 
Subject: [Owasp-testing] A Few Additions to Testing Guide v4 

Andrew and Matt 

I have updated: 

   https://www.owasp.org/index.php/Testing:_Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001) 

   https://www.owasp.org/index.php/Test_Application_Platform_Configuration_(OTG-CONFIG-002) 


and created first drafts for: 

   https://www.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010) 

   https://www.owasp.org/index.php/Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011) 

   https://www.owasp.org/index.php/Test_time_synchronisation_(OTG-LOG-001) 

   https://www.owasp.org/index.php/Test_user-viewable_log_of_authentication_events_(OTG-LOG-002) 

If you don't want a Logging section, I think LOG-001 could be moved to 
Business Logic Testing, and LOG-002 to Authentication Testing.  Note 
that logging is also discussed in OTG-CONFIG-002. 

I wasn't sure if I got the default headings correct as there seem to 
be some differences across the tests. And I may not be consistent with 
my use of "website", "web application" and "application". The case of 
some test names is not always the same - some sentence case and some 
title case, and I wondered if it's worth tidying this up before it gets 
too late. 

At AppSec EU this year the opening keynote was given by Angela Sasse. 
She suggested that "Security measures that waste users' time" should 
be one of the OWASP Top Ten because they undermine security. Should we 
have a test description for this based on Angela's presentation? 

   https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal/high_quality/OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4 

Colin 
_______________________________________________ 
Owasp-testing mailing list 
Owasp-testing at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-testing 


