[Owasp-testing] [OWASP-Testing] ASVS and Testing Guide

Matteo Meucci matteo.meucci at gmail.com
Thu Oct 15 12:30:03 EDT 2009


Hi Kevin,
yep you are right, we can work on adding the ASVS controls to the testing guide.
We also can add a matrix in the Appendix to cross reference the
testing guide with other standards.

Mat

On Thu, Oct 15, 2009 at 6:04 PM, Kevin Horvath <kevin.horvath at gmail.com> wrote:
> Hi Mat,
>
> It would probably be a good idea to map the testing guide's categories
> to the ASVS guide and vice versa by just adding the ASVS control that
> it corresponds to in each of the testing points' "reference" sections.
> It might make more sense to have a separate Appendix in the testing
> guide to cross reference the controls to this guide and potentially
> other well known ones such as NIST800-53, PCI, etc.  Although this
> could also be addressed as a separate OWASP project such as in the
> format of a matrix to cross reference the detailed testing controls of
> the OWASP testing guide to a few of the most widely used guides (NIST,
> PCI, ASVS, etc)?
>
> Kevin
>
>
>
> On Thu, Oct 15, 2009 at 10:43 AM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
>> Hi Vishal,
>> yes you are right about the 2 guides, that's a really interesting and
>> propositional question.
>> I talked about it with Mike some time ago and I think we have to join
>> the same vision regarding the testing phase for the 2 projects.
>> I think we should go in this direction for the next release of the
>> guides, Mike what do you think?
>>
>> Thanks,
>> Mat
>>
>> --
>> Matteo Meucci
>> OWASP Testing Guide lead
>> http://www.owasp.org/index.php/Testing_Guide
>> Come to the next OWASP-Italy Days!
>> http://www.owasp.org/index.php/Italy_OWASP_Day_4
>> http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09
>>
>>
>> On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com> wrote:
>>> Hi All,
>>>
>>> In my organization, we are currently using the OWASP testing guide for carrying
>>> out web application security testing and are now planning to adopt the OWASP ASVS
>>> standard as well.
>>>
>>> My understanding of these two documents is that the OWASP ASVS standard is a
>>> requirements document which sets verification requirements at different
>>> levels, while the OWASP testing guide acts as a testing framework and describes
>>> which tests need to be conducted and how.
>>>
>>> Some of the verification requirements are very broadly specified in the ASVS
>>> document and thus it is not very clear what needs to be done or tested to
>>> pass a particular requirement, e.g. "V2.8 Verify that all account management
>>> functions are at least as resistant to attack as the primary authentication
>>> mechanism." Now it does not tell what account management functions need to
>>> be tested here and thus everyone is open for their own interpretation of
>>> this requirement.
>>>
>>> My question here is if the ASVS team or the Testing Guide team have any
>>> plans to create a mapping between the two. One of the benefits of doing this
>>> would be that it will clearly define what needs to be tested to meet the
>>> requirements of the standard document.
>>>
>>> We have already thought of doing this in our organisation and I would not
>>> mind sharing this if people here think that it can be a useful exercise.
>>>
>>> Regards
>>> Vishal
>>>
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>>
>>
>



-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide

