[Owasp-testing] [OWASP-Testing] ASVS and Testing Guide

Vishal Garg vishalgrg at gmail.com
Thu Oct 15 17:28:06 EDT 2009


Matt,

It looks like everyone has liked the idea. I have already started working on
this for my company, so I can do this for the wiki as well. Could you please
let me know how you would like this for the Wiki? I believe creating an
appendix would be a great idea.

At the moment, I am working on the level 2A of the standard, but I can
extend it to other levels as well for the wiki.

- Vishal

On Thu, Oct 15, 2009 at 7:55 PM, daniel cuthbert
<daniel.cuthbert at owasp.org> wrote:

> Love this idea! ASV and Testing guide would be ideal
>
> 2009/10/15 Eoin <eoin.keary at owasp.org>
>
>> FYI,
>> I intend to do this for the Code review guide also.
>> We also need to X ref CRG and TG and ASVS
>>
>>
>>
>> 2009/10/15 Matteo Meucci <matteo.meucci at gmail.com>
>>
>>> Hi Kevin,
>>> yep you are right, we can work on adding the ASVS controls to the testing
>>> guide.
>>> We also can add a matrix in the Appendix to cross reference the
>>> testing guide with other standards.
>>>
>>> Mat
>>>
>>> On Thu, Oct 15, 2009 at 6:04 PM, Kevin Horvath <kevin.horvath at gmail.com>
>>> wrote:
>>> > Hi Mat,
>>> >
>>> > It would probably be a good idea to map the testing guide's categories
>>> > to the ASVS guide and vice versa by just adding the ASVS control that
>>> > it corresponds to in each of the testing points' "reference" sections.
>>> > It might make more sense to have a separate Appendix in the testing
>>> > guide to cross reference the controls to this guide and potentially
>>> > other well known ones such as NIST 800-53, PCI, etc. Although this
>>> > could also be addressed as a separate OWASP project such as in the
>>> > format of a matrix to cross reference the detailed testing controls of
>>> > the OWASP testing guide to a few of the most widely used guides (NIST,
>>> > PCI, ASVS, etc)?
>>> >
>>> > Kevin
>>> >
>>> >
>>> >
>>> > On Thu, Oct 15, 2009 at 10:43 AM, Matteo Meucci <matteo.meucci at gmail.com>
>>> > wrote:
>>> >> Hi Vishal,
>>> >> yes you are right about the 2 guides, that's a really interesting and
>>> >> propositional question.
>>> >> I talked about it with Mike some time ago and I think we have to join
>>> >> the same vision regarding the testing phase for the 2 projects.
>>> >> I think we should go in this direction for the next release of the
>>> >> guides, Mike what do you think?
>>> >>
>>> >> Thanks,
>>> >> Mat
>>> >>
>>> >> --
>>> >> Matteo Meucci
>>> >> OWASP Testing Guide lead
>>> >> http://www.owasp.org/index.php/Testing_Guide
>>> >> Come to the next OWASP-Italy Days!
>>> >> http://www.owasp.org/index.php/Italy_OWASP_Day_4
>>> >> http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09
>>> >>
>>> >>
>>> >> On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com>
>>> >> wrote:
>>> >>> Hi All,
>>> >>>
>>> >>> In my organization, we are currently using the OWASP testing guide for
>>> >>> carrying out web application security testing and are now planning to adopt
>>> >>> the OWASP ASVS standard as well.
>>> >>>
>>> >>> My understanding of these two documents is that the OWASP ASVS standard is a
>>> >>> requirements document which sets verification requirements at different
>>> >>> levels, while the OWASP testing guide acts as a testing framework and
>>> >>> describes which tests need to be conducted and how.
>>> >>>
>>> >>> Some of the verification requirements are very broadly specified in the ASVS
>>> >>> document and thus it is not very clear what needs to be done or tested to
>>> >>> pass a particular requirement, e.g. "V2.8 Verify that all account management
>>> >>> functions are at least as resistant to attack as the primary authentication
>>> >>> mechanism." Now it does not tell what account management functions need to
>>> >>> be tested here and thus everyone is open to their own interpretation of
>>> >>> this requirement.
>>> >>>
>>> >>> My question here is if the ASVS team or the Testing Guide team have any
>>> >>> plans to create a mapping between the two. One of the benefits of doing this
>>> >>> would be that it will clearly define what needs to be tested to meet the
>>> >>> requirements of the standard document.
>>> >>>
>>> >>> We have already thought of doing this in our organisation and I would not
>>> >>> mind sharing this if people here think that it can be a useful exercise.
>>> >>>
>>> >>> Regards
>>> >>> Vishal
>>> >>>
>>> >>> _______________________________________________
>>> >>> Owasp-testing mailing list
>>> >>> Owasp-testing at lists.owasp.org
>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>> >>>
>>> >>>
>>> >>
>>> >
>>>
>>>
>>>
>>> --
>>> Matteo Meucci
>>> OWASP-Italy Chair, CISSP, CISA
>>> http://www.owasp.org/index.php/Italy
>>> OWASP Testing Guide lead
>>> http://www.owasp.org/index.php/Testing_Guide
>>>
>>
>>
>>
>> --
>> Eoin Keary CISSP CISA
>> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>>
>> OWASP Code Review Guide Lead Author
>> OWASP Ireland Chapter Lead
>> OWASP Global Committee Member (Industry)
>>
>> http://asg.ie/
>> https://twitter.com/EoinKeary
>>
>>
>>
>
>
>

