mailing list archives
Re: [OWASP-TESTING] Re: what happened to the web testing methodology
From: Mads Rasmussen <mads () opencs com br>
Date: Wed, 16 Jun 2004 14:38:38 -0300
Mark Curphey wrote:
What I can say is the intention of Part 1 is to shed light on the scope of testing,
>techniques that can be applied and dispel some myths about shiny red
As an example we know from research and experience that testing the design can be
> more valuable and cost effective than testing a deployed application.
Agreed, that's my experience aswell, though it's not an easy task.
Your right that is is really hard to develop a methodology on one hand.
I think that is because unlike say an OS when you can define
>..."check the permission on file x to ensure they are XXRW"
applications are generally
>bespoke, organic and complex beasts.
Sure although I think the OWASP guides shouldn't go into OS specific
stuff aswell as network and firewall rules.
I think we could refer to the OSSTM project for that and focus just on
In Part 2 we then will get down to the specifics of how to test for issues
> using those techniques (code review, pen testing etc).
> What we didn’t want to do (which is where Davids doc started heading)
> was to create a black-box orientated script of things that should be
included as its clearly a tactical way to test and pen testing is
> rarely the most effective (cost, time, efficient) way to test for
issues in web apps.
We are calling the whole thing a framework as clearly different things will
> work for different people and this is a framework from which people can
> build there own testing methodology from. I think when you look at 1
> and 2 combined you will have the information to do that and 1 alone will
>help people understand how to look at building a testing framework for
I don't think we're there yet but I see your point.
I think more information should be included on tools, I don't know how
you feel about including information on comercial products but we could
include information on what products exists (open source and
comercially) and a description of the purpose of each one and it's
strong and weak points.
It would be valuable for whoever picks up the guide and for the
companies aswell who would get their products reviewed by something
becoming a web security testing reference.
Well just an idea, might just increase the companies efforts :-)
Another thing worth thinking about is how to present the results of the
tests performed. Davids document started some speculations related to this.
It is certainly not a pen test methodology which I can see could be of
>value to some people. I think we could very easily repurpose the pen test
content that is being developed for Part 2 into a stand-alone pen test
> methodology if there is a need and interest.
That was what I meant, but let's finish part 2 first :o)
Mads Rasmussen, M.Sc.
Open Communications Security
+55 11 3345 2525