[WEB SECURITY] Formal Pentesting 'test plan/s' projects?

Vance, Michael Michael.Vance at salliemae.com
Mon Jul 20 17:17:40 EDT 2009


800-53A is intended to cover testing all of the controls in SP 800-53, most of which are not something that can be tested in a "pen test."  It's more like a comprehensive internal audit.

-Michael

-----Original Message-----
From: robert at webappsec.org [mailto:robert at webappsec.org] 
Sent: Monday, July 20, 2009 6:01 PM
To: Vance, Michael
Cc: robert at webappsec.org; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Formal Pentesting 'test plan/s' projects?

That document doesn't cover the assessment plans in much depth; however, it does reference
http://csrc.nist.gov/publications/nistpubs/800-53A/SP800-53A-final-sz.pdf which I've just started
reading (381 pages!).

Ideally I'm looking for something more lightweight than 381 pages (maybe 20-50) but will review it
nonetheless :)

- Robert
> 
> Something more technical, more comprehensive, or in some other way different from NIST SP 800-115?
> 
> http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
> 
> -Michael
> 
> -----Original Message-----
> From: robert at webappsec.org [mailto:robert at webappsec.org]
> Sent: Monday, July 20, 2009 5:32 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Formal Pentesting 'test plan/s' projects?
> 
> Is anyone aware of a project/initiative for the creation of security test plans for use by penetration testers?
> Yes, threat modeling (in some form) would be utilized to narrow down what should be tested for, but I'm curious if there are any
> formalized approaches to this anywhere. To be clear, this would be utilized to ensure a certain minimum set of attacks
> and weaknesses were assessed, and not as a set of things ONLY to check for.
> 
> Regards,
> - Robert A.
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> http://www.qasec.com/
> 
> 
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> 
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> 

