WebApp Sec mailing list archives

Re: [OWASP-TESTING] Re: what happened to the web testing methodology


From: Mads Rasmussen <mads () opencs com br>
Date: Wed, 16 Jun 2004 14:38:38 -0300

Mark Curphey wrote:
> What I can say is the intention of Part 1 is to shed light on the scope of testing,
> techniques that can be applied and dispel some myths about shiny red buttons.
> As an example we know from research and experience that testing the design can be
> more valuable and cost effective than testing a deployed application.

Agreed, that's my experience as well, though it's not an easy task.

> You're right that it is really hard to develop a methodology on one hand. I think that is because, unlike say an OS where you can define
> ..."check the permission on file x to ensure they are XXRW", applications are generally
> bespoke, organic and complex beasts.

Sure, although I think the OWASP guides shouldn't go into OS-specific stuff, nor network and firewall rules. I think we could refer to the OSSTMM project for that and focus just on application testing.

> In Part 2 we then will get down to the specifics of how to test for issues
> using those techniques (code review, pen testing etc).
> What we didn't want to do (which is where David's doc started heading)
> was to create a black-box orientated script of things that should be
> included as it's clearly a tactical way to test and pen testing is
> rarely the most effective (cost, time, efficient) way to test for
> issues in web apps.

ok

> We are calling the whole thing a framework as clearly different things will
> work for different people and this is a framework from which people can
> build their own testing methodology. I think when you look at 1
> and 2 combined you will have the information to do that and 1 alone will
> help people understand how to look at building a testing framework for themselves.

I don't think we're there yet but I see your point.

I think more information should be included on tools. I don't know how you feel about including information on commercial products, but we could include information on what products exist (open source and commercial) and a description of the purpose of each one and its strong and weak points. It would be valuable for whoever picks up the guide, and for the companies as well, who would get their products reviewed by something becoming a web security testing reference.

Well, just an idea; it might just increase the companies' efforts :-)

Another thing worth thinking about is how to present the results of the tests performed. David's document started some speculations related to this.

> It is certainly not a pen test methodology which I can see could be of
> value to some people. I think we could very easily repurpose the pen test
> content that is being developed for Part 2 into a stand-alone pen test
> methodology if there is a need and interest.

That was what I meant, but let's finish part 2 first :o)

--
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525
