WebApp Sec mailing list archives

Re: [OWASP-TESTING] Re: what happened to the web testing methodology
From: Mark Curphey <mark () curphey com>
Date: Wed, 16 Jun 2004 10:45:25 -0400 (BST)

Mads

The preview I sent you was just a preview, so I don't think it's valuable to discuss it on this list when it hasn't been 
made available to others and they can't contribute.

What I can say is that the intention of Part 1 is to shed light on the scope of testing, the techniques that can be applied, and 
to dispel some myths about shiny red buttons. As an example, we know from research and experience that testing the design 
can be more valuable and cost effective than testing a deployed application.

You're right that it is really hard to develop a methodology, on one hand. I think that is because, unlike say an OS where 
you can define "check the permission on file x to ensure they are XXRW", applications are generally bespoke, organic 
and complex beasts. What we have tried to do in Part 1 is define the processes, techniques and tools that can help in 
building a testing program for your software. This is more of a testing strategy.

In Part 2 we will then get down to the specifics of how to test for issues using those techniques (code review, pen 
testing etc). What we didn't want to do (which is where David's doc started heading) was to create a black-box 
orientated script of things that should be included, as it's clearly a tactical way to test, and pen testing is rarely the 
most effective (cost, time, efficiency) way to test for issues in web apps.

We are calling the whole thing a framework, as clearly different things will work for different people and this is a 
framework from which people can build their own testing methodology. I think when you look at 1 and 2 combined you 
will have the information to do that, and 1 alone will help people understand how to look at building a testing 
framework for themselves. It is certainly not a pen test methodology, which I can see could be of value to some people. 
I think we could very easily repurpose the pen test content that is being developed for Part 2 into a stand-alone pen 
test methodology if there is a need and interest.

Maybe Glyn can send his excellent example of what that will look like for Part 2 (Analyzing Session Tokens) as a sample?

---- Mads Rasmussen <mads () opencs com br> wrote:

> Glyn Geoghegan wrote:
> > Much of the technical content from the original guide has been/is being
> > edited and integrated into the forthcoming new ones.
>
> Yes, that's noticeable. I still think, though, that the original document 
> had a more methodology feeling to it, though by no means anything finished.