[Owasp-testing] Fwd: [OWASP Testing] [OWASP ASVS] ASVS and Testing Guide
vishalgrg at gmail.com
Thu Oct 15 10:32:36 EDT 2009
In my organization, we are currently using the OWASP Testing Guide for carrying
out web application security testing and are now planning to adopt the OWASP ASVS
standard as well.
My understanding of these two documents is that the OWASP ASVS standard is a
requirements document which sets verification requirements at different
levels, while the OWASP Testing Guide acts as a testing framework and describes
which tests need to be conducted and how.
Some of the verification requirements are very broadly specified in the ASVS
document and thus it is not very clear what needs to be done or tested to
pass a particular requirement, e.g. "V2.8 Verify that all account management
functions are at least as resistant to attack as the primary authentication
mechanism." Now it does not tell what account management functions need to
be tested here and thus everyone is open for their own interpretation of
My question here is if the ASVS team or the Testing Guide team have any
plans to create a mapping between the two. One of the benefits of doing this
would be that it will clearly define what needs to be tested to meet the
requirements of the standard document.
We have already thought of doing this in our organisation and I would not
mind sharing this if people here think that it can be a useful exercise.