[Owasp-testing] [OWASP-Testing] ASVS and Testing Guide

Eoin eoin.keary at owasp.org
Thu Oct 15 14:00:48 EDT 2009


FYI,
I intend to do this for the Code review guide also.
We also need to X ref CRG and TG and ASVS



2009/10/15 Matteo Meucci <matteo.meucci at gmail.com>

> Hi Kevin,
> yep you are right, we can work on adding the ASVS controls to the testing
> guide.
> We also can add a matrix in the Appendix to cross reference the
> testing guide with other standards.
>
> Mat
>
> > On Thu, Oct 15, 2009 at 6:04 PM, Kevin Horvath <kevin.horvath at gmail.com> wrote:
> > Hi Mat,
> >
> > It would probably be a good idea to map the Testing Guide's categories
> > to the ASVS guide and vice versa by just adding the ASVS control that
> > it corresponds to in each of the testing points' "reference" sections.
> > It might make more sense to have a separate Appendix in the Testing
> > Guide to cross-reference the controls to this guide and potentially
> > other well-known ones such as NIST 800-53, PCI, etc.  Although this
> > could also be addressed as a separate OWASP project, such as in the
> > format of a matrix to cross-reference the detailed testing controls of
> > the OWASP Testing Guide to a few of the most widely used guides (NIST,
> > PCI, ASVS, etc.)?
> >
> > Kevin
> >
> >
> >
> > On Thu, Oct 15, 2009 at 10:43 AM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> >> Hi Vishal,
> >> yes you are right about the 2 guides, that's a really interesting and
> >> propositional question.
> >> I talked about it with Mike some time ago and I think we have to join
> >> the same vision regarding the testing phase for the 2 projects.
> >> I think we should go in this direction for the next release of the
> >> guides, Mike what do you think?
> >>
> >> Thanks,
> >> Mat
> >>
> >> --
> >> Matteo Meucci
> >> OWASP Testing Guide lead
> >> http://www.owasp.org/index.php/Testing_Guide
> >> Come to the next OWASP-Italy Days!
> >> http://www.owasp.org/index.php/Italy_OWASP_Day_4
> >> http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09
> >>
> >>
> >> On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com> wrote:
> >>> Hi All,
> >>>
> >>> In my organization, we are currently using the OWASP Testing Guide for
> >>> carrying out web application security testing and are now planning to
> >>> adopt the OWASP ASVS standard as well.
> >>>
> >>> My understanding of these two documents is that the OWASP ASVS standard
> >>> is a requirements document which sets verification requirements at
> >>> different levels, while the OWASP Testing Guide acts as a testing
> >>> framework and describes which tests need to be conducted and how.
> >>>
> >>> Some of the verification requirements are very broadly specified in the
> >>> ASVS document and thus it is not very clear what needs to be done or
> >>> tested to pass a particular requirement, e.g. "V2.8 Verify that all
> >>> account management functions are at least as resistant to attack as the
> >>> primary authentication mechanism." Now it does not tell what account
> >>> management functions need to be tested here and thus everyone is open to
> >>> their own interpretation of this requirement.
> >>>
> >>> My question here is if the ASVS team or the Testing Guide team have any
> >>> plans to create a mapping between the two. One of the benefits of doing
> >>> this would be that it will clearly define what needs to be tested to
> >>> meet the requirements of the standard document.
> >>>
> >>> We have already thought of doing this in our organisation and I would
> >>> not mind sharing this if people here think that it can be a useful
> >>> exercise.
> >>>
> >>> Regards
> >>> Vishal
> >>>
> >>> _______________________________________________
> >>> Owasp-testing mailing list
> >>> Owasp-testing at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >>>
> >>>
> >>
> >
>
>
>
> --
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> http://www.owasp.org/index.php/Italy
> OWASP Testing Guide lead
> http://www.owasp.org/index.php/Testing_Guide
>



-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

http://asg.ie/
https://twitter.com/EoinKeary