[Owasp-testing] [OWASP-Testing] ASVS and Testing Guide

daniel cuthbert daniel.cuthbert at owasp.org
Thu Oct 15 14:55:08 EDT 2009


Love this idea! ASVS and Testing guide would be ideal

2009/10/15 Eoin <eoin.keary at owasp.org>

> FYI,
> I intend to do this for the Code review guide also.
> We also need to X ref CRG and TG and ASVS
>
>
>
> 2009/10/15 Matteo Meucci <matteo.meucci at gmail.com>
>
>> Hi Kevin,
>> yep you are right, we can work on adding the ASVS controls to the testing
>> guide.
>> We also can add a matrix in the Appendix to cross reference the
>> testing guide with other standards.
>>
>> Mat
>>
>> On Thu, Oct 15, 2009 at 6:04 PM, Kevin Horvath <kevin.horvath at gmail.com>
>> wrote:
>> > Hi Mat,
>> >
>> > It would probably be a good idea to map the testing guides categories
>> > to the ASVS guide and vice versa by just adding the ASVS control that
>> > it corresponds to in each of the testing points "reference" sections.
>> > It might make more sense to have a separate Appendix in the testing
>> > guide to cross reference the controls to this guide and potentially
>> > other well known ones such as NIST800-53, PCI, etc.  Although this
>> > could also be addressed as a separate OWASP project such as in the
>> > format of a matrix to cross reference the detailed testing controls of
>> > the OWASP testing guide to a few of the most widely used guides (NIST,
>> > PCI, ASVS, etc)?
>> >
>> > Kevin
>> >
>> >
>> >
>> > On Thu, Oct 15, 2009 at 10:43 AM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
>> >> Hi Vishal,
>> >> yes you are right about the 2 guides, that's a really interesting and
>> >> propositional question.
>> >> I talked about it with Mike some time ago and I think we have to join
>> >> the same vision regarding the testing phase for the 2 projects.
>> >> I think we should go in this direction for the next release of the
>> >> guides, Mike what do you think?
>> >>
>> >> Thanks,
>> >> Mat
>> >>
>> >> --
>> >> Matteo Meucci
>> >> OWASP Testing Guide lead
>> >> http://www.owasp.org/index.php/Testing_Guide
>> >> Come to the next OWASP-Italy Days!
>> >> http://www.owasp.org/index.php/Italy_OWASP_Day_4
>> >> http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09
>> >>
>> >>
>> >> On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com> wrote:
>> >>> Hi All,
>> >>>
>> >>> In my organization, we are currently using the OWASP testing guide for
>> >>> carrying out web application security testing and are now planning to
>> >>> adopt the OWASP ASVS standard as well.
>> >>>
>> >>> My understanding of these two documents is that the OWASP ASVS
>> >>> standard is a requirements document which sets verification requirements
>> >>> at different levels, while the OWASP testing guide acts as a testing
>> >>> framework and describes which tests need to be conducted and how.
>> >>>
>> >>> Some of the verification requirements are very broadly specified in the
>> >>> ASVS document and thus it is not very clear what needs to be done or
>> >>> tested to pass a particular requirement, e.g. "V2.8 Verify that all
>> >>> account management functions are at least as resistant to attack as the
>> >>> primary authentication mechanism." Now it does not tell what account
>> >>> management functions need to be tested here and thus everyone is open
>> >>> to their own interpretation of this requirement.
>> >>>
>> >>> My question here is if the ASVS team or the Testing Guide team have any
>> >>> plans to create a mapping between the two. One of the benefits of doing
>> >>> this would be that it will clearly define what needs to be tested to
>> >>> meet the requirements of the standard document.
>> >>>
>> >>> We have already thought of doing this in our organisation and I would
>> >>> not mind sharing this if people here think that it can be a useful
>> >>> exercise.
>> >>>
>> >>> Regards
>> >>> Vishal
>> >>>
>> >>> _______________________________________________
>> >>> Owasp-testing mailing list
>> >>> Owasp-testing at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>> >>>
>> >>>
>> >>
>> >
>>
>>
>>
>> --
>> Matteo Meucci
>> OWASP-Italy Chair, CISSP, CISA
>> http://www.owasp.org/index.php/Italy
>> OWASP Testing Guide lead
>> http://www.owasp.org/index.php/Testing_Guide
>>
>
>
>
> --
> Eoin Keary CISSP CISA
> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>
>
>