[Owasp-testing] A Few Additions to Testing Guide v4

Colin Watson colin.watson at owasp.org
Wed Oct 23 07:03:49 UTC 2013


Andrew

You are probably right - the dancing pigs test case might be difficult to
define adequately.  Maybe add to the 2015 edition?

Colin


On 23 October 2013 06:27, Andrew Muller <andrew at ionize.com.au> wrote:

> Thanks Colin,
>   Great work!
>
> Regarding testing for "security measure that waste users' time", I'm not
> sure we can definitively or quantitatively test for security usability. But
> Angela's point is valid for usability and user acceptance testing. Do you
> have some thoughts of how we could achieve this? A test for dancing pigs
> test case? ;)
>
> Andrew
>
>  ------------------------------
>
> *From: *"Colin Watson" <colin.watson at owasp.org>
> *To: *"owasp-testing" <owasp-testing at lists.owasp.org>
> *Sent: *Wednesday, 16 October, 2013 3:00:03 AM
> *Subject: *[Owasp-testing] A Few Additions to Testing Guide v4
>
>
> Andrew and Matt
>
> I have updated:
>
> https://www.owasp.org/index.php/Testing:_Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)
>
> https://www.owasp.org/index.php/Test_Application_Platform_Configuration_(OTG-CONFIG-002)
>
> and created first drafts for:
>
> https://www.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010)
>
> https://www.owasp.org/index.php/Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011)
>
> https://www.owasp.org/index.php/Test_time_synchronisation_(OTG-LOG-001)
>
> https://www.owasp.org/index.php/Test_user-viewable_log_of_authentication_events_(OTG-LOG-002)
>
> If you don't want a Logging section, I think LOG-001 could be moved to
> Business Logic Testing, and LOG-002 to Authentication Testing.  Note
> that logging is also discussed in OTG-CONFIG-002.
>
> I wasn't sure if I got the default headings correct as there seem to
> be some differences across the tests. And I may not be consistent with
> my use of "website", "web application" and "application". The case of
> some test names is not always the same - some sentence case and some
> title case, and I wondered if it's worth tidying this up before it gets
> too late.
>
> At AppSec EU this year the opening keynote was given by Angela Sasse.
> She suggested that "Security measures that waste users' time" should
> be one of the OWASP Top Ten because they undermine security. Should we
> have a test description for this based on Angela's presentation?
>
>
> https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal/high_quality/OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4
>
> Colin
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>