Hi Matteo, Eoin here.<br><br>If one needs theory, it can be found in other sections of the OWASP site. One issue the OWASP leaders have defined is that we do not require overlap in the site.<br><br>If one needs to understand the issue from a technology perspective, it can be found elsewhere in the site.<br><br>I think the agreement already is to stick to the "how to test" information and leave the theory and background to other sections of the site which already exist.<br><br>Hope this explains it,<br><br>Eoin<br>
<br><br><span style="font-style: italic;">OWASP Testing Project Lead</span><br><br><div><span class="gmail_quote">On 18/10/06, <b class="gmail_sendername">Matteo G.P. Flora</b> <<a href="mailto:mf@matteoflora.com">mf@matteoflora.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi all,<br><br>PREAMBLE: this mail was meant to be a couple of lines long but got out of hand... If you have only a minute or so, go to the &lt;PROPOSAL&gt; section directly...<br><br>&lt;WHOAMI&gt;<br><br>My name is Matteo Flora and I'm very pleased to meet you all... I met Matt and Alberto here in Italy and they told me to sign on to the ML and take a look at the document...<br><br>Well, it surely is something worth looking at!<br><br>Just my passing 2 cents: I'm basically a "political" sort of guy, directing the Italian Privacy and Security Observatory (OPSI) and with a leading role in the Italian Computer Society (AIP)...<br>I struggle every day to raise some kind of awareness in Corporate and Gov, with direct connections to Italian (and to a minimum degree European) institutes for the adoption of Sec methodologies.
<br><br>But I'm not here to talk about me ;)<br><br>&lt;THEPROBLEM&gt;<br><br>I was pointing out to Matt and Alberto that the actual document is a perfect example of what a methodology should be, and I am scarcely able to think of anything that isn't covered in there (while I confess huge gaps in methodologies I didn't even know the name of!).<br>Working with management (ISO27001) I am often able to see the adoption route of one methodology over another, and I have a couple of observations to share with you (each of them not worth more than my 2 eurocents)....<br><br>We're facing a couple of problems:<br><br>1) Pentesters aren't uniformly SMART<br>While we're here and we know what to do and how (well, at least YOU DO), many pentesters or wannabes in the world don't know much about in-depth methodologies and so on. Many of them simply rely on off-the-shelf tools and off-the-shelf methodologies, and even if these are NOT what PT should be, we must be aware of their existence.<br><br>2) Managers tend to screen methodologies<br>The IT world has changed in the last few years even on the side of management: the typical European manager (or PM) is nowadays a hybrid figure, closer than before to code and development. He tends to look deeply at methodologies and, security being the "buzz of these years", each manager tends to spot his competence in this field.<br><br>How does this affect us at all?<br><br>Well, nowadays we see a plethora of new certifications, methodologies, tools, codes, guidelines, best practices and so on scattered around, and each of them is used or not based on two factors: the political power of the solution (i.e. ISO) and ease of adoption.<br><br>While we cannot (right now) have an impact on the "political power" of OWASP, we can deeply impact the ease of use. If people are able to use our document they'll gladly adopt it.<br><br>BUT (there's always a BUT.... Murphy thing, you understand...)<br><br>It is my opinion that the actual structure of the document will represent a very tough and steep entry level for a poorly skilled pentester and/or for a manager.<br>Let me be clear: that's not necessarily a PROBLEM... We could happily say "f*ck the dummies, this is a pro document", but I think we'll lose 80% of the possible audience. In addition to this, let's remember that the TESTING document is in many cases far more important than the Coding Guidelines! Why's that? It's simple: reviewing and testing an application is far easier than building a perfect one, and even if a manager maybe isn't able to review the code, he can look at injections and hijacking quite easily....<br><br>&lt;PROPOSAL&gt;<br><br>I propose to prepend EACH technique (all the 4.x.x paragraphs) with a "for dummies" paragraph meant to be read by people who don't know about the problem, giving a little insight on the subject from a NON TECH view. The LANGUAGE will be different, avoiding techie slang, and the FORM would be different, outlining concepts instead of points....<br>I DO NOT suggest a "for dummies" title, but something like an "Overview" and "Technology" division....<br><br>Let's take a look at an example:<br><br>e.g. "Being able to tamper with cookies may result in hijacking the sessions of legitimate users"<br><br>Will become:
<br><br>"Manipulating the cookie content may result, and often results, in<br>changing the environment and may lead to simulate another user or to<br>gain unauthorized privileges or access"<br><br>The aim is to let a TOTAL IDIOT (like me =]) understand what we're
<br>talking about without falling into technical speech too much and<br>without letting the subject to frighten a reader.<br>In addition to this not anyone is prepared to cope with every subject<br>and more often than not I'm sure that people will thank us for that
<br>and our introduction will explain them what to read and how to<br>document on a peculiar subject...<br><br>I'll be able (as an ignorant) to take a look at most of the subjects<br>and to write briefings but what I'd really like is to know what do you
<br>all think about this approach...<br><br>Matt gave me an overenthusiastic feedback, but we all know Matt ;)<br><br>Ok, sorry to have wasted so much of your time and let me know if I've<br>been not clear...<br><br><br>Ciao!
<br><br>MgpF<br><br>--<br>Matteo G.P. Flora | <a href="mailto:mf@matteoflora.com">mf@matteoflora.com</a> | <a href="http://www.MatteoFlora.com">www.MatteoFlora.com</a><br>Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
<br>Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)<br>Privacy & Security Consultant | Forensic Examiner | SEO Expert<br>Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com<br>_______________________________________________
<br>Owasp-testing mailing list<br><a href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</a><br><a href="http://lists.owasp.org/mailman/listinfo/owasp-testing">http://lists.owasp.org/mailman/listinfo/owasp-testing
</a><br></blockquote></div><br><br clear="all"><br>-- <br>Eoin Keary OWASP - Ireland<br><a href="http://www.owasp.org/local/ireland.html">http://www.owasp.org/local/ireland.html</a><br><a href="http://www.owasp.org/index.php/OWASP_Testing_Project">
http://www.owasp.org/index.php/OWASP_Testing_Project</a><br><a href="http://www.owasp.org/index.php/OWASP_Code_Review_Project">http://www.owasp.org/index.php/OWASP_Code_Review_Project</a>