[Owasp-leaders] Penetration Testing Guidance

Yune Sung yune.sung at owasp.org
Tue Mar 31 07:57:42 UTC 2015


Hi, this is Yune.

It looks great when making pen tests.

Thanks a lot, and I will share this in Korea.

Best,

Yune

On Mon, Mar 30, 2015 at 8:13 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> I think the latest version of the ASVS is a great improvement, and my
> (humble) opinion is that dropping the last S from its name (ie the Standard
> part) would do wonders for its adoption.
>
> ASV (Application Security Verification) is what it aims to provide, and
> it's a much better name (from my point of view)
> On 27 Mar 2015 20:18, "Jim Manico" <jim.manico at owasp.org> wrote:
>
>>  Thanks for pointing this out.
>>
>> A few notes:
>>
>> 1) A slight de-emphasis in the OWASP Top Ten, a sign of maturity I think.
>>
>> " ...It was during this step that testing of the applications for issues
>> related to the OWASP Top 10 *and other web application frameworks* took
>> place. "
>>
>> "... Discussion of the penetration tester’s familiarity with testing to
>> validate the OWASP Top 10 *and other similar application secure-coding
>> standards* and examples of application penetration testing efforts
>> conducted by the organization may be warranted. "
>>
>> 2) More emphasis on the OWASP Testing Guide (a much more comprehensive
>> guide to assessment than any other OWASP resource).
>>
>> "... An examination of this type could be conducted in accordance with
>> information system security assessment best practices such as described by
>> the Open Source Security Testing Methodology Manual (“OSSTMM”), The
>> National Institute of Standards and Technology (“NIST”) Special
>> Publication 800-115, Technical Guide to Information Security Testing and
>> Assessment, or the *Open Web Application Security Project (OWASP)
>> testing methodology as defined in the **OWASP Testing Guide v.3.0**.* "
>>
>> Pretty cool. A good step. I look forward to the day when PCI and other
>> standards start referencing ASVS  - it's probably one of the more important
>> standards that addresses what PCI is really looking for, I dare say.
>>
>> Aloha,
>> Jim
>>
>>
>>
>>  On 3/27/15 1:43 PM, Tom Brennan wrote:
>>
>> Congratulations to the many persons that have contributed in one way or
>> another to OWASP projects that have been referenced in the revised standard
>> that was issued from the PCI Standards Council
>>
>>
>> https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
>>
>>  The full scope document will IMHO help organizations better understand
>> and scope projects and that is a win-win for everyone involved with being
>> proactive about risk.
>>
>>  It will also bring additional positive visibility to the OWASP
>> Foundation worldwide including the OWASP PCI Toolkit
>> https://www.owasp.org/index.php/Category:OWASP_PCI_Project and many
>> others.
>>
>>  #TGIF well done!
>>
>>  Semper Fi,
>> Tom Brennan
>> https://www.linkedin.com/in/tombrennan
>>
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>>
>
>