[Owasp-leaders] Penetration Testing Guidance

Dinis Cruz dinis.cruz at owasp.org
Mon Mar 30 11:13:54 UTC 2015


I think the latest version of the ASVS is a great improvement, and my
(humble) opinion is that dropping the last S from its name (ie the Standard
part) would do wonders for its adoption.

ASV (Application Security Verification) is what it aims to provide, and
it's a much better name (from my point of view).

On 27 Mar 2015 20:18, "Jim Manico" <jim.manico at owasp.org> wrote:

> Thanks for pointing this out.
>
> A few notes:
>
> 1) A slight de-emphasis in the OWASP Top Ten, a sign of maturity I think.
>
> " ...It was during this step that testing of the applications for issues
> related to the OWASP Top 10 *and other web application frameworks* took
> place. "
>
> "... Discussion of the penetration tester’s familiarity with testing to
> validate the OWASP Top 10 *and other similar application secure-coding
> standards* and examples of application penetration testing efforts
> conducted by the organization may be warranted. "
>
> 2) More emphasis on the OWASP Testing Guide (a much more comprehensive
> guide to assessment that any other OWASP resource).
>
> "... An examination of this type could be conducted in accordance with
> information system security assessment best practices such as described by
> the Open Source Security Testing Methodology Manual (“OSSTMM”), The
> National Institute of Standards and Technology (“NIST”) Special
> Publication 800-115, Technical Guide to Information Security Testing and
> Assessment, or the *Open Web Application Security Project (OWASP) testing
> methodology as defined in the **OWASP Testing Guide v.3.0**.* "
>
> Pretty cool. A good step. I look forward to the day when PCI and other
> standards start referencing ASVS - it's probably one of the more important
> standards that addresses what PCI is really looking for, I dare say.
>
> Aloha,
> Jim
>
>
>
> On 3/27/15 1:43 PM, Tom Brennan wrote:
>
> Congratulations to the many persons that have contributed in one way or
> another to OWASP projects that have been referenced in the revised standard
> that was issued from the PCI Standards Council
>
>
> https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
>
> The full scope document will IMHO help organizations better understand
> and scope projects and that is a win-win for everyone involved with being
> proactive about risk.
>
> It will also bring additional positive visibility to the OWASP
> Foundation worldwide including the OWASP PCI Toolkit
> https://www.owasp.org/index.php/Category:OWASP_PCI_Project and many
> others.
>
> #TGIF well done!
>
> Semper Fi,
> Tom Brennan
> https://www.linkedin.com/in/tombrennan
>
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>