[SAMM] Penetration tests
Christian Heinrich
christian.heinrich at owasp.org
Tue Sep 13 18:33:42 EDT 2011
Fabian,
On Mon, Sep 12, 2011 at 5:58 PM, <fabian.streitel at optimabit.com> wrote:
> Basically, the tests as they are described in ST1B are not "penetration
> tests" as they are described by e.g. BSIMM and they do also not match my
> experience working for a security company. Rather, I see the OpenSAMM
> "penetration tests" as simple security tests.
>
> By trying to stay repeatable, they lack an explorative approach to
> vulnerability detection: "Once specified, security test cases can be
> executed by security-savvy quality assurance or development staff"
The subtle difference with "penetration testing" in OpenSAMM is that
it is undertaken before release within the vendor's environment, i.e. maybe
dev or UAT, and is similar to
https://www.owasp.org/index.php/How_to_bootstrap_your_SDLC_with_verification_activities
and they are repeatable, e.g. measuring the entropy of session
cookies.
What you are referring to as "penetration testing" is once the
software has shipped and installed within the end user's environment.
--
Regards,
Christian Heinrich
http://www.owasp.org/index.php/user:cmlh
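A repeatable pre-release check of the kind Christian mentions, estimating the entropy of sampled session cookies, as an added example that is not part of the original thread or of OpenSAMM; the sample cookie values are constructed and the 64-bit minimum is an assumed policy threshold.

```python
import math
import random
from collections import Counter

# Constructed sample cookie values, not captured from any real application.
# "Strong" values are 32 hex chars from a seeded PRNG, standing in for a
# CSPRNG-backed session id; "weak" values are a fixed prefix plus a counter.
_rng = random.Random(1234)
STRONG_COOKIES = ["".join(_rng.choice("0123456789abcdef") for _ in range(32))
                  for _ in range(20)]
WEAK_COOKIES = [f"session10{n:02d}" for n in range(1, 21)]

# Assumed policy threshold: minimum estimated entropy (bits) for a session id.
MIN_SESSION_ID_BITS = 64


def shannon_bits_per_symbol(values):
    """Empirical Shannon entropy (bits/symbol) over all characters pooled."""
    counts = Counter("".join(values))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def constant_positions(values):
    """Indexes (up to the shortest value) where every sample has the same char."""
    length = min(len(v) for v in values)
    return [i for i in range(length) if len({v[i] for v in values}) == 1]


def estimated_entropy_bits(values):
    """Rough estimate: per-symbol entropy times the number of varying positions.
    Constant positions (fixed prefixes, literal labels) contribute nothing."""
    varying = min(len(v) for v in values) - len(constant_positions(values))
    return shannon_bits_per_symbol(values) * varying


def check_session_cookies(values, min_bits=MIN_SESSION_ID_BITS):
    """Repeatable test: returns measurements plus a pass/fail verdict."""
    bits = estimated_entropy_bits(values)
    distinct = len(set(values)) / len(values)
    return {
        "estimated_bits": round(bits, 1),
        "constant_positions": constant_positions(values),
        "distinct_fraction": distinct,
        "passed": bits >= min_bits and distinct == 1.0,
    }


if __name__ == "__main__":
    for name, sample in (("strong", STRONG_COOKIES), ("weak", WEAK_COOKIES)):
        print(name, check_session_cookies(sample))
```

With only 20 samples this is a coarse estimate; the value of the check is that the same script runs unchanged on every build and flags fixed prefixes and counter-like values.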