[Owasp-testing] [OWASP-Testing] ASVS and Testing Guide
eoin.keary at owasp.org
Thu Oct 15 14:00:48 EDT 2009
I intend to do this for the Code review guide also.
We also need to X ref CRG and TG and ASVS
2009/10/15 Matteo Meucci <matteo.meucci at gmail.com>
> Hi Kevin,
> yep you are right, we can work on adding the ASVS controls to the testing
> We also can add a matrix in the Appendix to cross reference the
> testing guide with other standards.
> On Thu, Oct 15, 2009 at 6:04 PM, Kevin Horvath <kevin.horvath at gmail.com>
> > Hi Mat,
> > It would probably be a good idea to map the testing guides categories
> > to the ASVS guide and vice versa by just adding the ASVS control that
> > it corresponds to in each of the testing points "reference" sections.
> > It might make more sense to have a separate Appendix in the testing
> > guide to cross reference the controls to this guide and potentially
> > other well known ones such as NIST800-53, PCI, etc. Although this
> > could also be addressed as a separate OWASP project such as in the
> > format of a matrix to cross reference the detailed testing controls of
> > the OWASP testing guide to a few of the most widely used guides (NIST,
> > PCI, ASVS, etc)?
> > Kevin
> > On Thu, Oct 15, 2009 at 10:43 AM, Matteo Meucci <matteo.meucci at gmail.com>
> >> Hi Vishal,
> >> yes you are right about the 2 guides, that's a really interesting and
> >> propositional question.
> >> I talked about it with Mike some time ago and I think we have to join
> >> the same vision regarding the testing phase for the 2 projects.
> >> I think we should go in this direction for the next release of the
> >> guides, Mike what do you think?
> >> Thanks,
> >> Mat
> >> --
> >> Matteo Meucci
> >> OWASP Testing Guide lead
> >> http://www.owasp.org/index.php/Testing_Guide
> >> Come to the next OWASP-Italy Days!
> >> http://www.owasp.org/index.php/Italy_OWASP_Day_4
> >> http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09
> >> On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com>
> >>> Hi All,
> >>> In my organization, we are currently using OWASP testing guide for
> >>> web application security testing and are now planning to adopt to OWASP
> >>> standard as well now.
> >>> My understanding of these two documents is that the OWASP ASVS standard is a
> >>> requirements document which sets verification requirements at different
> >>> levels, while OWASP testing guide acts as a testing framework and
> >>> which tests need to be conducted and how.
> >>> Some of the verification requirements are very broadly specified in the
> >>> document and thus it is not very clear what needs to be done or tested
> >>> pass a particular requirement, e.g. "V2.8 Verify that all account
> >>> functions are at least as resistant to attack as the primary
> >>> mechanism." Now it does not tell what account management functions need
> >>> be tested here and thus everyone is open for their own interpretation
> >>> this requirement.
> >>> My question here is if the ASVS team or the Testing Guide team have any
> >>> plans to create a mapping between the two. One of the benefits of doing
> >>> would be that it will clearly define what needs to be tested to meet
> >>> requirements of the standard document.
> >>> We have already thought of doing this in our organisation and I would
> >>> mind sharing this if people here think that it can be a useful
> >>> Regards
> >>> Vishal
> >>> _______________________________________________
> >>> Owasp-testing mailing list
> >>> Owasp-testing at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> OWASP Testing Guide lead
Eoin Keary CISSP CISA
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)