<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'>We probably don't have to test for usability, particularly given functional testers have that ground covered. But we could put a few notes against the relevant controls, like CAPTCHA, prompting the security tester to evaluate whether the control is necessary or usable.<BR><BR>
<HR id=zwchr>

<DIV style="FONT-STYLE: normal; FONT-FAMILY: Helvetica,Arial,sans-serif; COLOR: #000; FONT-SIZE: 12pt; FONT-WEIGHT: normal; TEXT-DECORATION: none"><B>From: </B>"Colin Watson" <colin.watson@owasp.org><BR><B>To: </B>"Andrew Muller" <andrew@ionize.com.au><BR><B>Cc: </B>"owasp-testing" <owasp-testing@lists.owasp.org><BR><B>Sent: </B>Wednesday, 23 October, 2013 6:03:49 PM<BR><B>Subject: </B>Re: [Owasp-testing] A Few Additions to Testing Guide v4<BR><BR>
<DIV dir=ltr>
<DIV>Andrew<BR></DIV>
<DIV><BR></DIV>
<DIV>You are probably right - the dancing pigs test case might be difficult to define adequately.  Maybe add to the 2015 edition?</DIV>
<DIV><BR></DIV>
<DIV>Colin</DIV>
<DIV class=gmail_extra><BR><BR>
<DIV class=gmail_quote>On 23 October 2013 06:27, Andrew Muller <SPAN dir=ltr><<A href="mailto:andrew@ionize.com.au" target=_blank>andrew@ionize.com.au</A>></SPAN> wrote:<BR>
<BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class=gmail_quote>
<DIV>
<DIV style="FONT-FAMILY: times new roman,new york,times,serif; FONT-SIZE: 12pt">
<P>Thanks Colin,<BR>  Great work! </P>
<P>Regarding testing for "security measures that waste users' time", I'm not sure we can definitively or quantitatively test for security usability. But Angela's point is valid for usability and user acceptance testing. Do you have some thoughts of how we could achieve this? A test for dancing pigs test case? ;)</P>
<P>Andrew<BR><BR></P>
<P></P>
<HR>

<P></P>
<DIV style="FONT-STYLE: normal; FONT-FAMILY: Helvetica,Arial,sans-serif; FONT-SIZE: 12pt; FONT-WEIGHT: normal; TEXT-DECORATION: none"><B>From: </B>"Colin Watson" <<A href="mailto:colin.watson@owasp.org" target=_blank>colin.watson@owasp.org</A>><BR><B>To: </B>"owasp-testing" <<A href="mailto:owasp-testing@lists.owasp.org" target=_blank>owasp-testing@lists.owasp.org</A>><BR><B>Sent: </B>Wednesday, 16 October, 2013 3:00:03 AM<BR><B>Subject: </B>[Owasp-testing] A Few Additions to Testing Guide v4
<DIV>
<DIV class=h5><BR><BR>Andrew and Matt<BR><BR>I have updated:<BR><BR>   <A href="https://www.owasp.org/index.php/Testing:_Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)" target=_blank>https://www.owasp.org/index.php/Testing:_Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)</A><BR><BR>   <A href="https://www.owasp.org/index.php/Test_Application_Platform_Configuration_(OTG-CONFIG-002)" target=_blank>https://www.owasp.org/index.php/Test_Application_Platform_Configuration_(OTG-CONFIG-002)</A><BR><BR><BR>and created first drafts for:<BR><BR>   <A href="https://www.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010)" target=_blank>https://www.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010)</A><BR><BR>   <A href="https://www.owasp.org/index.php/Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011)" target=_blank>https://www.owasp.org/index.php/Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011)</A><BR><BR>   <A href="https://www.owasp.org/index.php/Test_time_synchronisation_(OTG-LOG-001)" target=_blank>https://www.owasp.org/index.php/Test_time_synchronisation_(OTG-LOG-001)</A><BR><BR>   <A href="https://www.owasp.org/index.php/Test_user-viewable_log_of_authentication_events_(OTG-LOG-002)" target=_blank>https://www.owasp.org/index.php/Test_user-viewable_log_of_authentication_events_(OTG-LOG-002)</A><BR><BR>If you don't want a Logging section, I think LOG-001 could be moved to<BR>Business Logic Testing, and LOG-002 to Authentication Testing.  Note<BR>that logging is also discussed in OTG-CONFIG-002.<BR><BR>I wasn't sure if I got the default headings correct as there seems to<BR>be some differences across the tests. And I may not be consistent with<BR>my use of "website", "web application" and "application". 
The case of<BR>some test names is not always the same - some sentence case and some<BR>title case, and I wondered if it's worth tidying this up before it gets<BR>too late.<BR><BR>At AppSec EU this year the opening keynote was given by Angela Sasse.<BR>She suggested that "Security measures that waste users' time" should<BR>be one of the OWASP Top Ten because they undermine security. Should we<BR>have a test description for this based on Angela's presentation?<BR><BR>   <A href="https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal/high_quality/OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4" target=_blank>https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal/high_quality/OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4</A><BR><BR>Colin<BR></DIV></DIV>_______________________________________________<BR>Owasp-testing mailing list<BR><A href="mailto:Owasp-testing@lists.owasp.org" target=_blank>Owasp-testing@lists.owasp.org</A><BR><A href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target=_blank>https://lists.owasp.org/mailman/listinfo/owasp-testing</A><BR></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></DIV><BR></div></body></html>