mailing list archives
Re: [OWASP-TESTING] Re: what happened to the web testing methodology
From: Mark Curphey <mark () curphey com>
Date: Wed, 16 Jun 2004 10:45:25 -0400 (BST)
The preview I sent you was just a preview so i don’t think its valuable to discuss it on this list when it hasn’t been
made available to others and they can't contribute.
What I can say is the intention of Part 1 is to shed light on the scope of testing, techniques that can be applied and
dispel some myths about shiny red buttons. As an example we know from research and experience that testing the design
can be more valuable and cost effective than testing a deployed application.
Your right that is is really hard to develop a methodology on one hand. I think that is because unlike say an OS when
you can define ..."check the permission on file x to ensure they are XXRW" applications are generally bespoke, organic
and complex beasts. What we have tried to do in Part 1 is define the processes, techniques and tools that can help in
building a testing program for your software. This is more of a testing strategy.
In Part 2 we then will get down to the specifics of how to test for issues using those techniques (code review, pen
testing etc). What we didn’t want to do (which is where Davids doc started heading) was to create a black-box
orientated script of things that should be included as its clearly a tactical way to test and pen testing is rarely the
most effective (cost, time, efficient) way to test for issues in web apps.
We are calling the whole thing a framework as clearly different things will work for different people and this is a
framework from which people can build there own testing methodology from. I think when you look at 1 and 2 combined you
will have the information to do that and 1 alone will help people understand how to look at building a testing
framework for themselves. It is certainly not a pen test methodology which I can see could be of value to some people.
I think we could very easily repurpose the pen test content that is being developed for Part 2 into a stand-alone pen
test methodology if there is a need and interest.
Maybe Glyn can send his excellent example of what that will look like for Part 2 - Analyzing Session Tokens as a sample?
---- Mads Rasmussen <mads () opencs com br> wrote:
Glyn Geoghegan wrote:
Much of the technical content from the original guide has been/is being
edited and integrated into the forthcoming new ones.
Yes that's noticeable, I still think though that the original document
had a more methodology feeling to it though by no means anything finished