[Owasp-leaders] Penetration Testing Guidance

Aurelijus Stanislovaitis aurelijus.stanislovaitis at owasp.org
Tue Mar 31 13:28:35 UTC 2015


It's a shame they refer to OWASP Testing Guide v.3.0 though. Full and
complete v 4.0 was released September 2014.

br
Aurelijus

On Tue, Mar 31, 2015 at 10:57 AM, Yune Sung <yune.sung at owasp.org> wrote:

> Hi, this is Yune.
>
> It looks great when making pen tests.
>
> Thanks a lot, and I will share this in Korea.
>
> Best,
>
> Yune
>
> On Mon, Mar 30, 2015 at 8:13 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>
>> I think the latest version of the ASVS is a great improvement, and my
>> (humble) opinion is that dropping the last S from its name (ie the Standard
>> part) would do wonders for its adoption.
>>
>> ASV (Application Security Verification) is what it aims to provide, and
>> it's a much better name (from my point of view)
>> On 27 Mar 2015 20:18, "Jim Manico" <jim.manico at owasp.org> wrote:
>>
>>>  Thanks for pointing this out.
>>>
>>> A few notes:
>>>
>>> 1) A slight de-emphasis in the OWASP Top Ten, a sign of maturity I think.
>>>
>>> " ...It was during this step that testing of the applications for
>>> issues related to the OWASP Top 10 *and other web application
>>> frameworks* took place. "
>>>
>>> "... Discussion of the penetration tester’s familiarity with testing to
>>> validate the OWASP Top 10 *and other similar application secure-coding
>>> standards* and examples of application penetration testing efforts
>>> conducted by the organization may be warranted. "
>>>
>>> 2) More emphasis on the OWASP Testing Guide (a much more comprehensive
>>> guide to assessment than any other OWASP resource).
>>>
>>> "... An examination of this type could be conducted in accordance with
>>> information system security assessment best practices such as described by
>>> the Open Source Security Testing Methodology Manual (“OSSTMM”), The
>>> National Institute of Standards and Technology (“NIST”) Special
>>> Publication 800-115, Technical Guide to Information Security Testing and
>>> Assessment, or the *Open Web Application Security Project (OWASP)
>>> testing methodology as defined in the **OWASP Testing Guide v.3.0**.* "
>>>
>>> Pretty cool. A good step. I look forward to the day when PCI and other
>>> standards start referencing ASVS  - it's probably one of the more important
>>> standards that addresses what PCI is really looking for, I dare say.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>>
>>>  On 3/27/15 1:43 PM, Tom Brennan wrote:
>>>
>>> Congratulations to the many persons that have contributed in one way or
>>> another to OWASP projects that have been referenced in the revised standard
>>> that was issued from the PCI Standards Council
>>>
>>>
>>> https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
>>>
>>>  The full scope document will IMHO help organizations better understand
>>> and scope projects and that is a win-win for everyone involved with being
>>> proactive about risk.
>>>
>>>  It will also bring additional positive visibility to the OWASP
>>> Foundation worldwide including the OWASP PCI Toolkit
>>> https://www.owasp.org/index.php/Category:OWASP_PCI_Project and many
>>> others.
>>>
>>>  #TGIF well done!
>>>
>>>  Semper Fi,
>>> Tom Brennan
>>> https://www.linkedin.com/in/tombrennan
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>
>