[Owasp-testing] [OWASP ASVS] [OWASP-Testing] ASVS and Testing Guide
Mike Boberski
mike.boberski at gmail.com
Mon Oct 19 18:50:38 EDT 2009
Hi Matt. First, thank you for your feedback, and I will update the project
page shortly! Second, you're on the right trail, the ASVS mail list is the
right place to spark discussions. I have admittedly been having more
one-on-one discussions with people rather than using the list, which I need
to get out of the habit of doing. Please also feel free to email me directly
if there is a question that you think hasn't been answered, or answered
completely, and I will work to track it down.
Mike
On Mon, Oct 19, 2009 at 5:50 PM, Matt Terroni <matt.terroni at quince.co.uk> wrote:
> Hi there,
>
> I have been following with interest the conversations surrounding ASVS and
> the testing guide and have to agree that aligning these would be a great
> idea. I have to admit to having similar problems to Vishal in regards to
> some of the ASVS requirements.
>
> Our company has created a web application that allows residents of Social
> Landlords (Councils, Housing Associations etc) to view their personal
> information across the web. The software is in use by more than 60 housing
> organisations within the UK and is available to over one million residents.
> Due to the large volume of personal and sensitive information that we hold
> about people we decided to adopt ASVS and the principles of OWASP as part of
> our ongoing security strategy.
>
> For around six months now we have been updating our processes in order to
> move towards ASVS compliance at level 3 and we are getting close to
> finishing. However, I have to admit that some of the items we find quite
> vague and I am concerned that we may be misunderstanding the requirements.
>
> I am therefore looking for the best place to discuss the ASVS requirements
> with other people who have gone through the same process. Would this
> mailing list be a suitable place (though the level of traffic here appears
> fairly low at the moment) or is there a forum that I can join in order to
> talk to others who are going through or completed verification?
>
> I look forward to hearing back from you.
>
> Best wishes
>
> Matt
>
> Ps to Mike. Having seen your comment to Vishal please feel free to also
> add us as a ASVS user. Our company name is Quince Associates Limited and
> the software that we develop is named SeeMyData.
>
> *Matt Terroni*
>
> Quince Associates Limited
>
> Email: matt.terroni at quince.co.uk
>
> *From:* Vishal Garg [mailto:vishalgrg at gmail.com]
> *Sent:* 15 October 2009 22:28
> *To:* matteo.meucci at gmail.com
> *Cc:* daniel cuthbert;
> Owasp-Application-Security-Verification-Standard at lists.owasp.org;
> Owasp-codereview at lists.owasp.org; owasp-testing; Eoin
> *Subject:* Re: [OWASP ASVS] [Owasp-testing] [OWASP-Testing] ASVS and
> Testing Guide
>
> Matt,
>
> It looks like everyone has liked the idea. I have already started working
> on this for my company, therefore I can do this for the wiki as well. If you
> could please let me know how would you like this for the Wiki. I believe
> creating an appendix would be a great idea.
>
> At the moment, I am working on the level 2A of the standard, but I can
> extend it to other levels as well for the wiki.
>
> - Vishal
>
> On Thu, Oct 15, 2009 at 7:55 PM, daniel cuthbert <
> daniel.cuthbert at owasp.org> wrote:
>
> Love this idea! ASVS and Testing Guide would be ideal
>
> 2009/10/15 Eoin <eoin.keary at owasp.org>
>
> FYI,
>
> I intend to do this for the Code review guide also.
>
> We also need to X ref CRG and TG and ASVS
>
> 2009/10/15 Matteo Meucci <matteo.meucci at gmail.com>
>
> Hi Kevin,
> yep you are right, we can work on adding the ASVS controls to the testing
> guide.
> We also can add a matrix in the Appendix to cross reference the
> testing guide with other standards.
>
> Mat
>
>
> On Thu, Oct 15, 2009 at 6:04 PM, Kevin Horvath <kevin.horvath at gmail.com>
> wrote:
> > Hi Mat,
> >
> > It would probably be a good idea to map the testing guide's categories
> > to the ASVS guide and vice versa by just adding the ASVS control that
> > it corresponds to in each of the testing points' "reference" sections.
> > It might make more sense to have a separate Appendix in the testing
> > guide to cross reference the controls to this guide and potentially
> > other well known ones such as NIST 800-53, PCI, etc. Although this
> > could also be addressed as a separate OWASP project such as in the
> > format of a matrix to cross reference the detailed testing controls of
> > the OWASP testing guide to a few of the most widely used guides (NIST,
> > PCI, ASVS, etc)?
> >
> > Kevin
> >
> > On Thu, Oct 15, 2009 at 10:43 AM, Matteo Meucci <matteo.meucci at gmail.com>
> wrote:
> >> Hi Vishal,
> >> yes you are right about the 2 guides, that's a really interesting and
> >> propositional question.
> >> I talked about it with Mike some time ago and I think we have to join
> >> the same vision regarding the testing phase for the 2 projects.
> >> I think we should go in this direction for the next release of the
> >> guides, Mike what do you think?
> >>
> >> Thanks,
> >> Mat
> >>
> >> --
> >> Matteo Meucci
> >> OWASP Testing Guide lead
> >> http://www.owasp.org/index.php/Testing_Guide
> >> Come to the next OWASP-Italy Days!
> >> http://www.owasp.org/index.php/Italy_OWASP_Day_4
> >> http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09
> >>
> >> On Thu, Oct 15, 2009 at 4:25 PM, Vishal Garg <vishalgrg at gmail.com>
> wrote:
> >>> Hi All,
> >>>
> >>> In my organization, we are currently using the OWASP Testing Guide for
> >>> carrying out web application security testing and are now planning to
> >>> adopt the OWASP ASVS standard as well.
> >>>
> >>> My understanding of these two documents is that the OWASP ASVS standard
> >>> is a requirements document which sets verification requirements at
> >>> different levels, while the OWASP Testing Guide acts as a testing
> >>> framework and describes which tests need to be conducted and how.
> >>>
> >>> Some of the verification requirements are very broadly specified in the
> >>> ASVS document and thus it is not very clear what needs to be done or
> >>> tested to pass a particular requirement, e.g. "V2.8 Verify that all
> >>> account management functions are at least as resistant to attack as the
> >>> primary authentication mechanism." Now it does not tell what account
> >>> management functions need to be tested here and thus everyone is open
> >>> to their own interpretation of this requirement.
> >>>
> >>> My question here is if the ASVS team or the Testing Guide team have any
> >>> plans to create a mapping between the two. One of the benefits of doing
> >>> this would be that it will clearly define what needs to be tested to
> >>> meet the requirements of the standard document.
> >>>
> >>> We have already thought of doing this in our organisation and I would
> >>> not mind sharing this if people here think that it can be a useful
> >>> exercise.
> >>>
> >>> Regards
> >>> Vishal
> >>>
> >>> _______________________________________________
> >>> Owasp-testing mailing list
> >>> Owasp-testing at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
> --
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
>
> http://www.owasp.org/index.php/Italy
>
> OWASP Testing Guide lead
> http://www.owasp.org/index.php/Testing_Guide
>
> --
> Eoin Keary CISSP CISA
> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>
> __________ Information from ESET Smart Security, version of virus signature
> database 4523 (20091019) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
> _______________________________________________
> Owasp-application-security-verification-standard mailing list
> Owasp-application-security-verification-standard at lists.owasp.org
>
> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard