
List:       owasp-testing
Subject:    Re: [Owasp-testing] Reviewing Phase
From:       "Mark Roxberry" <me () markroxberry ! net>
Date:       2006-11-13 17:03:45
Message-ID: 005201c70745$aeda04d0$2215a8c0 () chathamfinancial ! com

Mat,

I have a lot of comments for my reviews so far.  I think they will make the
review page difficult to read - can we upload a text document to the page
instead - or some other method?


Mark Roxberry, CISSP, CE|H
www.markroxberry.net

-----Original Message-----
From: owasp-testing-bounces@lists.owasp.org
[mailto:owasp-testing-bounces@lists.owasp.org] On Behalf Of Matteo Meucci
Sent: Monday, November 13, 2006 6:09 AM
To: Eoin
Cc: owasp-testing@lists.owasp.org
Subject: Re: [Owasp-testing] Reviewing Phase

Hi,
I think that everyone can add himself on the review panel page.
I answer inline.

On 11/13/06, Eoin <eoinkeary@gmail.com> wrote:
> The Review panel is as follows:
>
> Mark Roxberry
> Revelli Alberto
> Daniel Cuthbert
> Matteo G.P. Flora
> Matteo Meucci
> Eoin Keary
> Stefano Di Paola
> James Kist
> Vicente Aguilera
> Mario Bregolin

Syed Mohamed A

>  Matteo, how do you want to break up the work?

I think that everyone can add his name on the panel:
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Review_Panel
Please, can you add your name on the panel?

> I believe all reviewers should make notes of issues encountered and we can
> submit them to the list when done for comment and suggestions.

I agree, we can use this page to add comments and suggestions.


> Also a timeline per reviewed section should be defined if possible.

Deadline is 15th November. Do you agree?

> any ideas?
> Eoin
>

Thanks,
Mat

>
>
> On 12/11/06, Matteo Meucci <matteo.meucci@gmail.com> wrote:
> >
> > Hi all,
> > the Testing Guide now contains 72 articles.
> > If we freeze the Testing Guide in this moment, we have 63 articles to
> > be reviewed.
> >
> > **********************************************
> > We are waiting for the following articles
> > **********************************************
> >
> > 4.2.2 Spidering and googling (0%, Tom Brennan, Tom Ryan)
> > 4.2.4.2 DB Listener Testing (0%, Alexander Kornbrust)
> > 4.5.5 HTTP Exploit (0%, Arian J.Evans)
> > 4.6.2.1 Stored procedure injection (0%,TD)
> > 4.6.2.2 Oracle testing (0%,Alexander Kornbrust)
> > 4.6.4 ORM Injection (0%,TD)
> > 5. Writing Reports: value the real risk
> > 5.1 How to value the real risk (50%, Daniel Cuthbert, Matteo Meucci,
> > Sebastien Deleersnyder, Marco Morana)
> > 5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom
> > Brennan, Tom Ryan)
> >
> >
> >
> > ***********************************************************
> > Here is the complete list of articles to be reviewed:
> > ***********************************************************
> > * Introduction
> > 1 of 1 article to be reviewed
> >
> > * The OWASP Testing Framework
> > 1 of 1 article to be reviewed
> >
> > * 4.1 Introduction and objectives
> > 1 of 1 article to be reviewed (no Meucci, Reviewed by EK)
> >
> > * 4.2 Information Gathering (Reviewed by EK)
> > 9 of 10 articles to be reviewed
> >
> > *4.3 Business logic testing
> > 1 of 1 article to be reviewed
> >
> > * 4.4 Authentication Testing
> > 5 of 5 articles to be reviewed (No Meucci, no Revelli)
> >
> > * 4.5 Session Management Testing
> > 5 of 6 articles to be reviewed (No Meucci)
> >
> > * 4.6 Data Validation Testing --> Meucci
> > 18 of 21 articles to be reviewed
> >
> > * 4.7 Denial of Service Testing
> > 8 of 8 articles to be reviewed
> >
> > * 4.8 Web Services Testing
> > 6 of 6 articles to be reviewed (No Keary)
> >
> > * 4.9 AJAX Testing
> > 6 of 6 articles to be reviewed (No Di Paola)
> >
> > * Writing Reports: value the real risk
> > We have to write about it. I consider it not yet finished.
> > 0 of 3 articles to be reviewed.
> >
> > * Appendix A: Testing Tools
> > 1 article of 1: need to update it searching all the guide for paragraphs: tools
> >
> > * Appendix B: Suggested Reading
> > 1 article of 1: need to update it searching all the guide for paragraphs: tools
> >
> > * Appendix C: Fuzz Vectors
> > 1 article of 1: need to be updated
> >
> >
> > *************************
> > Reviewers Rules
> > *************************
> > 1) Check the English language
> > 2) Check the template: the articles on chapter 4 should have the following:
> >
> > ***Template***
> > [[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
> > {{Template:OWASP Testing Guide v2}}
> >
> > == Brief Summary ==
> > <br>
> > ..here: we describe in "natural language" what we want to test.
> > <br>
> > == Description of the Issue ==
> > <br>
> > ...here: Short Description of the Issue: Topic and Explanation
> > <br>
> > == Black Box testing and example ==
> > '''Testing for Topic X vulnerabilities:''' <br>
> > ...<br>
> > '''Result Expected:'''<br>
> > ...<br><br>
> > == Gray Box testing and example ==
> > '''Testing for Topic X vulnerabilities:'''<br>
> > ...<br>
> > '''Result Expected:'''<br>
> > ...<br><br>
> > == References ==
> > '''Whitepapers'''<br>
> > ...<br>
> > '''Tools'''<br>
> > ...<br>
> >
> > {{Category:OWASP Testing Project AoC}}
> > ***/Template***
> >
> > In some articles we don't need to talk about Gray Box Testing or
> > other, so we can eliminate it.
> >
> > 3) Check the reference style. (I'd like to have all the referenced
> > URLs visible because I have to produce also a pdf document of the
> > Guide).
> > I agree with Stefano, we have to use a reference like that:
> >
> > == References ==
> > '''Whitepapers'''<br>
> > * [1] Author1, Author2: "Title" - http://www.ietf.org/rfc/rfc2254.txt<br>
> > * [2]...<br>
> >
> >
> > '''Tools'''<br>
> > * Francois Larouche: "Multiple DBMS Sql Injection tool" - http://www.sqlpowerinjector.com/index.htm <br>
> >
> > 4) Check the reference with the other articles of the guide or with
> > the other OWASP Project.
> >
> > 5) Other?
> >
> > **********************
> > Reviewing planning
> > **********************
> > The reviewers are:
> > Daniel Cuthbert
> > Eoin Keary
> > Mauro Bregolin
> > Stefano Di Paola
> > Matteo Meucci
> >
> > We can begin the 1st reviewing phase by review all 63 articles (nearly
> > 13 articles per person). The deadline is 15th November at 20.00
> > (GMT+1) because we have 15th November as 1st deadline for the Autumn
> > of Code Project.
> >
> > I've created the Review Panel URL:
> > http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Review_Panel
> > We can update our review status here.
> >
> > I'll begin to review:
> > * 4.6 Data Validation Testing
> >
> > Thanks,
> > Mat
> >
> >
> > --
> > Matteo Meucci
> > OWASP-Italy Chair, CISSP, CISA
> > http://www.owasp.org/index.php/Italy
> > OWASP Testing Guide AoC lead
> > http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing@lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-testing
> >
>
>
>
> --
> Eoin Keary OWASP - Ireland
> http://www.owasp.org/local/ireland.html
> http://www.owasp.org/index.php/OWASP_Testing_Project
> http://www.owasp.org/index.php/OWASP_Code_Review_Project


-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide AoC lead
http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide