OWASP Testing Guide v2 Review Panel


Update: 13th November, 11.00 (GMT+1)

Review planning

The reviewers are: Mark Roxberry, Revelli Alberto, Daniel Cuthbert, Matteo G.P. Flora, Matteo Meucci, Eoin Keary, Stefano Di Paola, James Kist, Vicente Aguilera, Mauro Bregolin, Syed Mohamed A

We can begin the 1st reviewing phase by reviewing all 63 articles (nearly 13 articles per person). The deadline is 15th November at 20.00 (GMT+1), because 15th November is the 1st deadline for the Autumn of Code project.

We are waiting for the following articles:

 * 4.2.2 Spidering and googling (0%, Tom Brennan, Tom Ryan)
 * 4.2.4.2 DB Listener Testing (0%, Alexander Kornbrust)
 * 4.5.5 HTTP Exploit (0%, Arian J. Evans)
 * 4.6.2.1 Stored procedure injection (0%, TD)
 * 4.6.2.2 Oracle testing (0%, Alexander Kornbrust)
 * 4.6.4 ORM Injection (0%, TD)
 * 5. Writing Reports: value the real risk
 * 5.1 How to value the real risk (50%, Daniel Cuthbert, Matteo Meucci, Sebastien Deleersnyder, Marco Morana)
 * 5.2 How to write the report of the testing (0%, Daniel Cuthbert, Tom Brennan, Tom Ryan)

Here is the complete list of articles to be reviewed:

1 of 1 article to be reviewed -> reviewed by Eoin Keary
 * Introduction -->...

1 of 1 article to be reviewed
 * The OWASP Testing Framework -->...

1 of 1 article to be reviewed (no Meucci, Reviewed by EK)
 * 4.1 Introduction and objectives -->...

9 of 10 articles to be reviewed -> Application Discovery: reviewed + updated (EK) (maybe we should include HTTP methods for application discovery, such as the HTTP HEAD command?); Analysis of error codes: reviewed + updated (EK)
 * 4.2 Information Gathering (Reviewed by EK) -->...

1 of 1 article to be reviewed
 * 4.3 Business logic testing -->...

5 of 5 articles to be reviewed (No Meucci, no Revelli)
 * 4.4 Authentication Testing -->...

5 of 6 articles to be reviewed (No Meucci)
 * 4.5 Session Management Testing --> Syed Mohamed A

18 of 21 articles to be reviewed
 * 4.6 Data Validation Testing --> Meucci

8 of 8 articles to be reviewed
 * 4.7 Denial of Service Testing -->...

6 of 6 articles to be reviewed (No Keary)
 * 4.8 Web Services Testing -->...

6 of 6 articles to be reviewed (No Di Paola)
 * 4.9 AJAX Testing -->...

We have to write about it. I consider it not yet finished. 0 of 3 articles to be reviewed.
 * Writing Reports: value the real risk

1 article of 1: needs to be updated by searching the whole guide for "tools" paragraphs
 * Appendix A: Testing Tools -->...

1 article of 1: needs to be updated by searching the whole guide for "tools" paragraphs
 * Appendix B: Suggested Reading -->...

1 article of 1: needs to be updated
 * Appendix C: Fuzz Vectors -->...

Reviewers' Rules

1) Check the English language.

2) Check the template: the articles in chapter 4 should follow this template:

 * Template (http://www.owasp.org/index.php/Template_Paragraph_Testing_AoC)

In some articles there is no need to talk about Gray Box Testing or similar sections, so those can be removed.

3) Check the reference style. (I'd like to have all the referenced URLs visible, because I also have to produce a PDF document of the Guide.) I agree with Stefano: we have to use a reference style like this:

== References ==

Whitepapers

* [1] Author1, Author2: "Title" - http://www.ietf.org/rfc/rfc2254.txt

* [2]...

Tools

* Francois Larouche: "Multiple DBMS Sql Injection tool" - http://www.sqlpowerinjector.com/index.htm

4) Check the cross-references to the other articles of the Guide and to the other OWASP projects.

5) Other?