[Owasp-testing] [OWASP-Testing] ASVS and Testing Guide
Kevin Horvath
kevin.horvath at gmail.com
Thu Oct 15 12:04:37 EDT 2009
Hi Mat,
It would probably be a good idea to map the testing guide's categories
to the ASVS guide and vice versa by just adding the ASVS control that
it corresponds to in each of the testing points' "reference" sections.
It might make more sense to have a separate Appendix in the testing
guide to cross-reference the controls to this guide and potentially
other well-known ones such as NIST 800-53, PCI, etc. Although this
could also be addressed as a separate OWASP project, such as in the
format of a matrix to cross-reference the detailed testing controls of
the OWASP testing guide to a few of the most widely used guides (NIST,
PCI, ASVS, etc.)?
Kevin
On Thu, Oct 15, 2009 at 10:43 AM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> Hi Vishal,
> Yes, you are right about the 2 guides, that's a really interesting and
> propositional question.
> I talked about it with Mike some time ago and I think we have to join
> the same vision regarding the testing phase for the 2 projects.
> I think we should go in this direction for the next release of the
> guides, Mike what do you think?
>
> Thanks,
> Mat
>
> --
> Matteo Meucci
> OWASP Testing Guide lead
> http://www.owasp.org/index.php/Testing_Guide
> Come to the next OWASP-Italy Days!
> http://www.owasp.org/index.php/Italy_OWASP_Day_4
> http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09
>
>
> On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com> wrote:
>> Hi All,
>>
>> In my organization, we are currently using the OWASP testing guide for carrying
>> out web application security testing and are now planning to adopt the OWASP ASVS
>> standard as well.
>>
>> My understanding of these two documents is that the OWASP ASVS standard is a
>> requirements document which sets verification requirements at different
>> levels, while the OWASP testing guide acts as a testing framework and describes
>> which tests need to be conducted and how.
>>
>> Some of the verification requirements are very broadly specified in the ASVS
>> document and thus it is not very clear what needs to be done or tested to
>> pass a particular requirement, e.g. "V2.8 Verify that all account management
>> functions are at least as resistant to attack as the primary authentication
>> mechanism." Now it does not tell what account management functions need to
>> be tested here, and thus everyone is open to their own interpretation of
>> this requirement.
>>
>> My question here is whether the ASVS team or the Testing Guide team have any
>> plans to create a mapping between the two. One of the benefits of doing this
>> would be that it will clearly define what needs to be tested to meet the
>> requirements of the standard document.
>>
>> We have already thought of doing this in our organisation and I would not
>> mind sharing this if people here think that it can be a useful exercise.
>>
>> Regards
>> Vishal
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>