Introduction
Penetration testing will never be an exact science where a complete list of all possible issues that should be tested can de defined. Indeed penetration is only an appropriate technique to test the security of web applications under certain circumstances. For information about what these circumstances are, and to learn how to build a testing framework and which testing techniques you should consider, we recommend reading the OWASP Testing Framework Part One (http://www.owasp.org). Risk Management Guide
for Information Technology Systems, NIST 800-30 1 describes vulnerabilities in operational, technical and management categories. Penetration testing alone does not really help identify operational and management vulnerabilities.
Many OWASP followers (especially financial services companies) however have asked OWASP to develop a checklist that they can use when they do undertake penetration testing to promote consistency among both internal testing teams and external vendors.
As such this list has been developed to be used in several ways including;
• RFP Template
• Benchmarks
• Testing Checklist
