[Owasp-testing] [OWASP-Testing] ASVS and Testing Guide

Matteo Meucci matteo.meucci at gmail.com
Thu Oct 15 10:43:04 EDT 2009


Hi Vishal,
yes, you are right about the 2 guides; that's a really interesting and
propositional question.
I talked about it with Mike some time ago and I think we have to join
the same vision regarding the testing phase for the 2 projects.
I think we should go in this direction for the next release of the
guides, Mike what do you think?

Thanks,
Mat

-- 
Matteo Meucci
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide
Come to the next OWASP-Italy Days!
http://www.owasp.org/index.php/Italy_OWASP_Day_4
http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09


On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com> wrote:
> Hi All,
>
> In my organization, we are currently using the OWASP Testing Guide for carrying
> out web application security testing, and are now planning to adopt the OWASP
> ASVS standard as well.
>
> My understanding of these two documents is that the OWASP ASVS standard is a
> requirements document which sets verification requirements at different
> levels, while the OWASP Testing Guide acts as a testing framework and describes
> which tests need to be conducted and how.
>
> Some of the verification requirements are very broadly specified in the ASVS
> document, and thus it is not very clear what needs to be done or tested to
> pass a particular requirement, e.g. "V2.8 Verify that all account management
> functions are at least as resistant to attack as the primary authentication
> mechanism." Now it does not tell what account management functions need to
> be tested here, and thus everyone is open to their own interpretation of
> this requirement.
>
> My question here is whether the ASVS team or the Testing Guide team has any
> plans to create a mapping between the two. One of the benefits of doing this
> would be that it would clearly define what needs to be tested to meet the
> requirements of the standard document.
>
> We have already thought of doing this in our organisation, and I would not
> mind sharing it if people here think that it can be a useful exercise.
>
> Regards
> Vishal
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
