From: Bruce.Morris@ernstyoung.com.au
Date: Sun Jan 20 2002 - 16:21:05 CST

    Sorry for the late input into the thread.

    The testing framework may be rigorous when it is finished; however, testing
    is always resource intensive in order to be completed fully, and most seek
    to short cut the process. If you take a risk based approach, it allows
    orgs and individuals to apply the framework according to their budget
    constraints, but minimise their perceived exposure. Risk is comprised of
    the likelihood and the consequence. So for each scenario I would determine
    an ease of exploitation (likelihood factor) and then a so what (or
    consequence) factor. This will allow you to rank the scenarios according
    to risk rating. The so what factor will also allow you to link scenarios
    in chains to possibly derive an overall so what! As a standards based
    approach you could use AS/NZ 4360 for risk management.

    Cheers

                                                                                                                       
                        "Mark
                        Curphey" To: webappsecsecurityfocus.com
                        <mcurpheyone cc:
                        box.com> Subject: OWASP : What to test ?
                                                                                                                       
                        12/01/2002
                        06:04 AM
                        Please
                        respond to
                        mark
                                                                                                                       
                                                                                                                       

    As you know we are starting to build the testing framework....we are
    going to capture the mailing list debate and thoughts and want your input.
    We'll then publish it for community review and input.

    One of the areas that seems really important is What to test ? I put
    some provisional headings down at http://www.owasp.org/projects/testing/

    Imaginary scenario: you are presented with a site DNS name and asked
    to review the security of the applications running on it.

    Where do you start ?
    Do you spider the site looking for any place that sends parameters to
    an application ?
    How do you find where applications reside ?
    What about web services and WSDL ? Do you look at a UDDI ?
    Should you test an application in isolation (ie a single cgi) or all
    applications on that site ?

    These are just a few thoughts, really just a few...

    So does anyone want to share the way they approach deciding what should
    be tested with the list ?


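As an added illustration of the risk-based ranking Bruce describes (not code from the thread, from OWASP or from Ernst & Young), here is a small Python scoring model: each scenario gets a likelihood (ease of exploitation) and a consequence ("so what") score, scenarios are ranked by their product, and chains of linked scenarios are rated by compounding likelihood and taking the final step's consequence. The scenario names, the 1..5 scales and the "enables" links are constructed assumptions for the example.

```python
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple

# Constructed scales for this example: both factors run 1 (low) .. 5 (high).
@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int              # ease of exploitation: 1 = very hard, 5 = trivial
    consequence: int             # "so what" factor: 1 = nuisance, 5 = severe impact
    enables: Tuple[str, ...] = ()  # scenarios that become feasible once this one succeeds

def risk_rating(s: Scenario) -> int:
    """Qualitative risk = likelihood x consequence (AS/NZS 4360 style)."""
    return s.likelihood * s.consequence

def rank(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest risk rating first, so budget goes to the scenarios that matter most."""
    return sorted(scenarios, key=risk_rating, reverse=True)

def chains(scenarios: List[Scenario]) -> List[List[Scenario]]:
    """Follow 'enables' links to enumerate every multi-step chain (cycles are skipped)."""
    by_name: Dict[str, Scenario] = {s.name: s for s in scenarios}
    found: List[List[Scenario]] = []
    def walk(path: List[Scenario]) -> None:
        if len(path) > 1:
            found.append(path)
        for nxt in path[-1].enables:
            if by_name[nxt] not in path:
                walk(path + [by_name[nxt]])
    for s in scenarios:
        walk([s])
    return found

def chain_rating(chain: List[Scenario]) -> float:
    """Every link must succeed, so likelihood compounds (scaled back to 1..5);
    the overall 'so what' is the consequence of the final step."""
    likelihood = 5 * prod(s.likelihood / 5 for s in chain)
    return round(likelihood * chain[-1].consequence, 2)

# Constructed sample scenarios (hypothetical, not from the thread).
SCENARIOS = [
    Scenario("dir-listing", 5, 1, enables=("backup-config",)),
    Scenario("backup-config", 3, 2, enables=("db-read",)),
    Scenario("db-read", 4, 5),
    Scenario("xss-search", 4, 2),
]

def ranked_report(scenarios: List[Scenario] = SCENARIOS) -> List[Tuple[str, float]]:
    """Single scenarios and chains in one list, highest rating first."""
    rows = [(s.name, float(risk_rating(s))) for s in rank(scenarios)]
    rows += [(" -> ".join(s.name for s in c), chain_rating(c)) for c in chains(scenarios)]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Note how the low-rated "dir-listing" and "backup-config" findings climb the list once chained into "db-read", which is the overall "so what" Bruce refers to.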