[Owasp-guide] [Owasp-testing] [Owasp-topten] RFC: Common numbering proposal # 1

Eoin eoin.keary at owasp.org
Fri Jan 8 07:25:17 EST 2010


I am totally behind a common identification nomenclature (or whatever you
want to call it).
I have also seen refs to the OWASP TG in industry in the past year or so.
It's something I've wanted to do since the summit in Portugal



2010/1/7 Matteo Meucci <matteo.meucci at gmail.com>

> Hi,
> I totally agree, that should be a great added value for the OWASP Guides.
> I think we can create a page on our wiki for that purpose, tracking
> our brainstorming and the links between the Guides.
>
> As Mike said, we can start from here:
> http://www.owasp.org/index.php/Testing_Checklist
>
> So we can create the OWASP naming convention (e.g. OWASP-DV-001 -
> Reflected XSS) and mapping that with all the Guides.
> In that way we can reach 2 goals in my opinion:
> - update the Guides and understand what the DG,CRG,TG, Top10, ASVS are
> missing and what we can improve in each guide (also if some controls
> are specific to certain guides).
> - create a more accessible starting point for the exploration of the
> wiki from a user perspective.
>
> Thanks,
> Mat
>
> On Wed, Jan 6, 2010 at 11:59 PM, Mike Boberski <mike.boberski at gmail.com>
> wrote:
> > Right, the next step if there were agreement would be to basically take
> > the table from the TG that summarizes the IDs, add a couple columns, and
> > start mapping.
> >
> > Then, each doc would be updated in turn, and yes each would then have to
> > address any holes. Not an issue from the ASVS or dev guide perspective.
> >
> > Mike
> >
> >
> > On Wed, Jan 6, 2010 at 5:09 PM, Brad Causey <bradcausey at gmail.com>
> wrote:
> >>
> >> Thinking from the perspective of a purely ignorant person, this is
> >> rather confusing. Problem is, it totally makes sense as to why you did
> >> what you did, to me. So which of those numbers would be final one? And
> >> with that number alone, could I find what I needed in each guide?
> >>
> >> *thinking aloud*
> >> Ideally, we have 2 ultimate goals in my mind. (bear with me here)
> >> 1. create a central ID number, and provide a mapping to each project.
> >> (maybe a good interim goal)
> >> 2. Actually _change_ each OWASP guide to match the TG or some agreed
> >> upon numbering system.
> >>
> >> Now, you are probably all asking "why are we choosing to go with the
> >> TG?". Well I wasn't sold either, and I'm still not 100%. But it does
> >> appear to provide detailed numbering for specific vulnerabilities, and
> >> has a pretty good following. (and I'm partial because I currently rely
> >> on it)
> >> Here is the catch! There are going to be holes no matter which
> >> direction we take, for example, the TG has items the ASVS doesn't.
> >> Which is why I'm voting for a super detailed comprehensive "master
> >> list" and match them up for now, item #1. And allow each project to
> >> catch up to the list, ultimately leading to a truly complete #2.
> >>
> >> I'm literally thinking out loud here guys, so fire back full force.
> >> */thinking aloud*
> >>
> >>
> >> -Brad Causey
> >> CISSP, MCSE, C|EH, CIFI, CGSP
> >>
> >> http://www.owasp.org
> >> --
> >> Never underestimate the time, expense, and effort an opponent will
> >> expend to break a code. (Robert Morris)
> >> --
> >>
> >>
> >>
> >> On Wed, Jan 6, 2010 at 1:44 PM, Boberski, Michael [USA]
> >> <boberski_michael at bah.com> wrote:
> >> > Let us work on this using a specific example, SQL Injection:
> >> >
> >> > Here is a proposal for your consideration:
> >> >
> >> > ASVS Ref. Number
> >> > OWASP-V0604
> >> >
> >> > TG Ref. Number
> >> > OWASP-T0604-DV-005
> >> > (compared to currently: OWASP-DV-005)
> >> >
> >> > CRG Ref. Number
> >> > OWASP-C0604-DV-005
> >> >
> >> > Guide Ref. Number
> >> > OWASP-D0604
> >> > (goes into guidance at this level, in the next release)
> >> >
> >> > Where,
> >> >
> >> > OWASP-V0604 == V6.4  Verify that all untrusted data that is output to
> >> > SQL interpreters use parameterized interfaces, prepared statements, or
> >> > are escaped properly.
> >> >
> >> > Mike B.
> >> > _______________________________________________
> >> > Owasp-topten mailing list
> >> > Owasp-topten at lists.owasp.org
> >> > https://lists.owasp.org/mailman/listinfo/owasp-topten
> >> >
> >> _______________________________________________
> >> Owasp-testing mailing list
> >> Owasp-testing at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> >
>
>
>
> --
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> http://www.owasp.org/index.php/Italy
> OWASP Testing Guide lead
> http://www.owasp.org/index.php/Testing_Guide
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary
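The identifier scheme Mike sketches in the quoted thread (a guide letter V/T/C/D, the four-digit ASVS core such as 0604 for V6.4, and an optional per-guide suffix such as DV-005) is concrete enough to parse, and the "master list" with "holes" that Brad describes is just a join on that shared core. The following is an added illustration, not code from any OWASP project or from anyone on this thread; the regular expression, the `OwaspId` class, the guide-letter table and the sample identifiers marked as constructed are all assumptions about how the proposal would be realised.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed grammar for the proposed IDs: OWASP-<guide><chapter><req>[-<suffix>]
# e.g. OWASP-V0604 (ASVS V6.4) or OWASP-T0604-DV-005 (Testing Guide entry).
ID_RE = re.compile(
    r"^OWASP-(?P<guide>[VTCD])(?P<chapter>\d{2})(?P<req>\d{2})"
    r"(?:-(?P<suffix>[A-Z]{2}-\d{3}))?$"
)

# Guide letters as used in the proposal; the long names are assumptions.
GUIDES = {
    "V": "ASVS",
    "T": "Testing Guide",
    "C": "Code Review Guide",
    "D": "Developer Guide",
}


@dataclass(frozen=True)
class OwaspId:
    guide: str            # one of V, T, C, D
    chapter: int          # ASVS chapter, e.g. 6
    requirement: int      # ASVS requirement within the chapter, e.g. 4
    suffix: Optional[str] # per-guide code such as DV-005, if present

    @property
    def asvs_ref(self) -> str:
        """The human-readable ASVS reference, e.g. V6.4."""
        return f"V{self.chapter}.{self.requirement}"

    @property
    def master_key(self) -> str:
        """The four-digit core shared by every guide's entry for one control."""
        return f"{self.chapter:02d}{self.requirement:02d}"


def parse_id(text: str) -> Optional[OwaspId]:
    """Parse a proposed-format ID; return None for legacy or malformed IDs
    (the current OWASP-DV-005 style deliberately does not parse)."""
    m = ID_RE.match(text.strip())
    if not m:
        return None
    return OwaspId(
        guide=m.group("guide"),
        chapter=int(m.group("chapter")),
        requirement=int(m.group("req")),
        suffix=m.group("suffix"),
    )


def build_mapping(ids: List[str]) -> Dict[str, Dict[str, str]]:
    """Group IDs from all guides by master key: {'0604': {'ASVS': 'OWASP-V0604', ...}}."""
    mapping: Dict[str, Dict[str, str]] = {}
    for raw in ids:
        parsed = parse_id(raw)
        if parsed is None:
            raise ValueError(f"not a proposed-format ID: {raw!r}")
        mapping.setdefault(parsed.master_key, {})[GUIDES[parsed.guide]] = raw
    return mapping


def find_holes(mapping: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """For each master key, list the guides that have no entry yet."""
    all_guides = set(GUIDES.values())
    return {
        key: sorted(all_guides - set(covered))
        for key, covered in mapping.items()
        if set(covered) != all_guides
    }


# Constructed sample: the four IDs from the SQL Injection example in the
# thread, plus one made-up Testing Guide entry with no counterpart elsewhere.
SAMPLE_IDS = [
    "OWASP-V0604",
    "OWASP-T0604-DV-005",
    "OWASP-C0604-DV-005",
    "OWASP-D0604",
    "OWASP-T0701-DV-006",  # constructed, exists only in the TG
]

if __name__ == "__main__":
    mapping = build_mapping(SAMPLE_IDS)
    for key, covered in sorted(mapping.items()):
        print(key, parse_id(covered[next(iter(covered))]).asvs_ref, covered)
    print("holes:", find_holes(mapping))
```

Running it prints one row per master key with the guide entries that share it, and then the holes table, which for the sample shows that 0701 is covered only by the Testing Guide. That holes table is the "allow each project to catch up" list from the thread in machine-readable form.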