Fix typo #437
Failure is due to 503 returned from abuseipdb; seems silly to have a pull request fail because one of the sites is having a maintenance issue:
No worries, the links, if not related to the PR at hand, are not blockers :)
| @@ -101,7 +101,7 @@ Make a workshop that includes people with the following profiles: | |||
| - **Business analyst**: Will be the business key people that will describe each feature from a business point of view. | |||
| - **Risk analyst**: Will be the company's risk personnel that will evaluate the business risk from a proposed attack (sometimes it is the **Business analyst** depending on the company). | |||
| - **Offsensives (Pentester or Application Security people with offensive mindset)**: Will be the *attacker* that will propose all attacks that he can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 offensives people (ex: 1 Pentester + 1 AppSec) in order to increase the number of possible attacks that will be identified and considered. | |||
| - **Offensives (Pentester or Application Security people with offensive mindset)**: Will be the *attacker* that will propose all attacks that he can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 offensives people (ex: 1 Pentester + 1 AppSec) in order to increase the number of possible attacks that will be identified and considered. | |||
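Review bot: The `+` line corrects the spelling of the bold heading but leaves two wording problems on the same line that are worth fixing in the same pass: "all attacks that he can perform" assumes a male attacker where "they" would do, and "include 2 offensives people" is ungrammatical; "include two people with an offensive profile (e.g. one pentester and one AppSec engineer)" reads cleanly and keeps the same meaning.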
ThunderSon
Jul 2, 2020
Contributor
What do you think about this?
Suggested change
- **Offensives (Pentester or Application Security people with offensive mindset)**: Will be the *attacker* that will propose all attacks that he can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 offensives people (ex: 1 Pentester + 1 AppSec) in order to increase the number of possible attacks that will be identified and considered.
- **Security officer**: Will be the *attacker* that will propose attacks that they can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist. If possible, include 2 security officers with different backgrounds in order to increase the number of possible attacks that will be identified and considered.
cmcconomy
Jul 6, 2020
Author
Contributor
I think it's an improvement.
Officer? Engineer?
rbsec
Jul 6, 2020
Contributor
If you're talking about an attacker, then "penetration tester" or "red team" would make more sense to me.
"security officer" is a bit vague - I don't really know what to expect from someone in that role, but I would think it's more on the defensive and governance side.
cmcconomy
Jul 6, 2020
Author
Contributor
Good point - the role here is really limited to Attacker. Whether an organization's "Security Officer" fulfills this role as part of a broader mandate is outside the scope of this recommended approach, where targeted/specific roles are required to accomplish the activities.
This role must be capable of brainstorming potential feasible attacks on the application.
ThunderSon
Jul 6, 2020
Contributor
Please go forward with using "Penetration Tester"
cmcconomy
Jul 10, 2020
Author
Contributor
Sorry to be a bother; I submitted this change directly via the GitHub web UI - I'm unfamiliar with how to revise the merge request. Could you let me know how best to revise my change? Should I cancel and resubmit, or is there a way to add a subsequent revision directly on the site without checking out the repo?
mackowski
Jul 10, 2020
Collaborator
You can go to the "Files changed" tab in this PR, click on the three dots in the upper right corner and choose "Edit file".
cmcconomy
Jul 10, 2020
Author
Contributor
Thank you; second set of changes submitted.
Updated term "Offensive" / "Offsensive"[sic] with Penetration Tester as per conversation.
No need to have penetration testers in capitals; they can be used in a similar fashion to this sentence. Only bold words need to be capitalized.
| @@ -101,7 +101,7 @@ Make a workshop that includes people with the following profiles: | |||
| - **Business analyst**: Will be the business key people that will describe each feature from a business point of view. | |||
| - **Risk analyst**: Will be the company's risk personnel that will evaluate the business risk from a proposed attack (sometimes it is the **Business analyst** depending on the company). | |||
| - **Offsensives (Pentester or Application Security people with offensive mindset)**: Will be the *attacker* that will propose all attacks that he can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 offensives people (ex: 1 Pentester + 1 AppSec) in order to increase the number of possible attacks that will be identified and considered. | |||
| - **Penetration Tester**: Will be the *attacker* that will propose all attacks that he can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 Penetration Testers from diverse backgrounds in order to increase the number of possible attacks that will be identified and considered. | |||
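Review bot: On the `+` line, "Penetration Testers" is capitalised mid-sentence while the neighbouring bullets write roles outside the bold heading in lower case ("business key people", "risk personnel"); lower-case it to "penetration testers". The same line still says "he can perform"; "they" keeps the bullet consistent with the rest of the list. With the heading now reading **Penetration Tester**, the parenthetical "(Pentester or AppSec consultant from a security firm)" repeats the heading and can be cut back to "an external specialist".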
ThunderSon
Jul 14, 2020
Contributor
Suggested change
- **Penetration Tester**: Will be the *attacker* that will propose all attacks that he can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist (Pentester or AppSec consultant from a security firm). If possible, include 2 Penetration Testers from diverse backgrounds in order to increase the number of possible attacks that will be identified and considered.
- **Penetration Tester**: Will be the *attacker* that will propose attacks that they can perform on the business feature(s) in question. If the company does not have a person with this profile then it is possible to request the service of an external specialist. If possible, include 2 penetration testers with different backgrounds in order to increase the number of possible attacks that will be identified and considered.
Made the proposed changes, with the exception of stating that a penetration tester is responsible for defining the countermeasure / protection against the attack.
Thanks @cmcconomy!
Offsensives -> Offensives