WebApp Sec mailing list archives
Re: [OWASP-TESTING] Re: what happened to the web testing methodology
From: Mark Curphey <mark () curphey com>
Date: Wed, 16 Jun 2004 10:45:25 -0400 (BST)
Mads,

The preview I sent you was just a preview, so I don't think it's valuable to discuss it on this list when it hasn't been made available to others and they can't contribute. What I can say is that the intention of Part 1 is to shed light on the scope of testing, the techniques that can be applied, and to dispel some myths about shiny red buttons. As an example, we know from research and experience that testing the design can be more valuable and cost effective than testing a deployed application.

You're right that it is really hard to develop a methodology, on one hand. I think that is because, unlike say an OS where you can define "check the permission on file x to ensure they are XXRW", applications are generally bespoke, organic and complex beasts. What we have tried to do in Part 1 is define the processes, techniques and tools that can help in building a testing program for your software. This is more of a testing strategy. In Part 2 we will then get down to the specifics of how to test for issues using those techniques (code review, pen testing etc.).

What we didn't want to do (which is where David's doc started heading) was to create a black-box orientated script of things that should be included, as it's clearly a tactical way to test, and pen testing is rarely the most effective (cost, time, efficiency) way to test for issues in web apps. We are calling the whole thing a framework, as clearly different things will work for different people, and this is a framework from which people can build their own testing methodology. I think when you look at 1 and 2 combined you will have the information to do that, and 1 alone will help people understand how to look at building a testing framework for themselves.

It is certainly not a pen test methodology, which I can see could be of value to some people. I think we could very easily repurpose the pen test content that is being developed for Part 2 into a stand-alone pen test methodology if there is a need and interest.

Maybe Glyn can send his excellent example of what that will look like for Part 2 - Analyzing Session Tokens - as a sample?

---- Mads Rasmussen <mads () opencs com br> wrote:
> Glyn Geoghegan wrote:
> > Much of the technical content from the original guide has been/is being edited and integrated into the forthcoming new ones.
>
> Yes, that's noticeable. I still think, though, that the original document had more of a methodology feel to it, though by no means anything finished.
Current thread:
- what happened to the web testing methodology Mads Rasmussen (Jun 14)
- RE: what happened to the web testing methodology Mark Curphey (Jun 14)
- Re: what happened to the web testing methodology Mads Rasmussen (Jun 14)
- RE: what happened to the web testing methodology Mark Curphey (Jun 14)
- RE: what happened to the web testing methodology Glyn Geoghegan (Jun 14)
- Re: what happened to the web testing methodology Mads Rasmussen (Jun 16)
- Re: [OWASP-TESTING] Re: what happened to the web testing methodology Mark Curphey (Jun 16)
- Re: [OWASP-TESTING] Re: what happened to the web testing methodology Mads Rasmussen (Jun 16)
- Re: what happened to the web testing methodology Mads Rasmussen (Jun 14)