[Owasp-testing] Testing Guide V4: Stop writing, start the review

Jim Manico jim.manico at owasp.org
Tue Apr 1 21:13:14 UTC 2014


Wow, very exciting. :) I'm thrilled to see this close to getting released!

Aloha,
Jim

On 4/1/14, 10:47 AM, Matteo Meucci wrote:
> Hi all,
> the reviewing phase is finished.
> Some reviewers did the review, but it is not complete.
>
> Please, if you have reviews to add to the wiki, do it now.
>
> In the next days we will start the last phase of the project.
>
> Thanks!
> Mat
>
> On 04/01/2014 04:03 PM, Mitchell, Rick (6030318) wrote:
>> I had some time to tackle more review this morning. I only made it through the first few sections, here are some notes:
>>
>> Testing: Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)
>> * Lead-in paragraph indicates: "Indirect methods relate to gleaning sensitive design and configuration information by searching forums, newsgroups and tendering websites." Yet no such information is covered in the entry. IMHO either this article needs to be beefed up or the statement should be removed.
>> * Made minor corrections related to punctuation (addition of Oxford commas and some missing periods, as well as borders on images).
>>
>> Fingerprint Web Server (OTG-INFO-002)
>> * Minor updates, grammar and content.
>> * Makes me wonder if we have a style guide? Are we supposed to be using Title Caps for section naming?
>>
>> Testing: Review Webserver Metafiles for Information Leakage (OTG-INFO-003)
>> * Reference links in this article are confusing. For example: [1] in the "Summary" section is not the same as [1] in the "How to Test" section...
>> * Minor updates, grammar and content.
>>
>> Rick
>>
>>
>> -----Original Message-----
>> From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
>> Sent: Saturday, March 08, 2014 6:25 PM
>> To: owasp-testing at lists.owasp.org
>> Cc: Andrew Muller; Davide Danelon
>> Subject: [Owasp-testing] Testing Guide V4: Stop writing, start the review
>>
>> Dear OWASP Testing Guide followers,
>> thanks to David who did the last rush, we have closed the Testing Guide
>> Project's first phase!
>> Many thanks to all the contributors!
>>
>> All the articles are closed now.
>> Now it is time for the reviewers.
>>
>> You can see the status here:
>> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AmEhPtZ0cHq3dDc5ZFI0Nm9oSkhzNkNxTzNJbGdPdVE#gid=0
>>
>> Now the ToC is definitive:
>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>
>> We deleted many items and 3 chapters:
>> - Web Services Testing (not completed at all, it's better to have a
>> separate guide on this)
>> - Logging (not in scope of the wapt)
>> - Denial of Service (not in scope of the wapt)
>>
>> Now we have split the set of active tests into 12 sub-categories for a
>> total of 91 controls:
>> Information Gathering
>> Configuration and Deploy Management Testing
>> Identity Management Testing
>> Authentication Testing
>> Authorization Testing
>> Session Management Testing
>> Data Validation Testing
>> Error Handling
>> Cryptography
>> Logging
>> Business Logic Testing
>> Client Side Testing
>>
>> NEXT STEP:
>> We'll contact all the proposed reviewers asking them to review the
>> Guide in the next 2 weeks:
>>> Paolo Perego
>>> Daniel Cuthbert
>>> Matthew Churcher
>>> Lode Vanstechelman
>>> Sebastien Gioria
>>> Antonio Fontes
>> Any others that want to help? Please answer only if you can review the
>> guide in the next days.
>>
>> Deadline: end of March 2014
>>
>> Thanks!
>> Mat & Andrew
>>
>> --
>> Matteo Meucci
>> OWASP Testing Guide co-Lead
>> OWASP Italy President
>>
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>


