[Owasp-leaders] Penetration Testing Guidance

johanna curiel curiel johanna.curiel at owasp.org
Tue Mar 31 13:43:25 UTC 2015


I'm working on a complete OWASP training for PCI with OWASP tools

see attachments

I'm also planning to submit this training for the coming APPSEC's

All the materials of this training will be donated to OWASP through the
OWASP PCI project

Chapters interested in this training, feel free to contact me ;-)

doc ==> Shorter version of the training
PDF ==> longer version

regards

Johanna

On Tue, Mar 31, 2015 at 9:28 AM, Aurelijus Stanislovaitis <
aurelijus.stanislovaitis at owasp.org> wrote:

> it's a shame they refer to OWASP Testing Guide v.3.0 though. Full and
> complete v 4.0 was released September 2014.
>
> br
> Aurelijus
>
> On Tue, Mar 31, 2015 at 10:57 AM, Yune Sung <yune.sung at owasp.org> wrote:
>
>> Hi, this is Yune.
>>
>> It looks great when making pen tests.
>>
>> Thanks a lot, and I will share this in Korea.
>>
>> Best,
>>
>> Yune
>>
>> On Mon, Mar 30, 2015 at 8:13 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>
>>> I think the latest version of the ASVS is a great improvement, and my
>>> (humble) opinion is that dropping the last S from its name (i.e. the Standard
>>> part) would do wonders for its adoption.
>>>
>>> ASV (Application Security Verification) is what it aims to provide, and
>>> it's a much better name (from my point of view)
>>> On 27 Mar 2015 20:18, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>
>>>>  Thanks for pointing this out.
>>>>
>>>> A few notes:
>>>>
>>>> 1) A slight de-emphasis in the OWASP Top Ten, a sign of maturity I
>>>> think.
>>>>
>>>> "... It was during this step that testing of the applications for
>>>> issues related to the OWASP Top 10 *and other web application
>>>> frameworks* took place."
>>>>
>>>> "... Discussion of the penetration tester’s familiarity with testing
>>>> to validate the OWASP Top 10 *and other similar application
>>>> secure-coding standards* and examples of application penetration
>>>> testing efforts conducted by the organization may be warranted."
>>>>
>>>> 2) More emphasis on the OWASP Testing Guide (a much more comprehensive
>>>> guide to assessment than any other OWASP resource).
>>>>
>>>> "... An examination of this type could be conducted in accordance with
>>>> information system security assessment best practices such as described by
>>>> the Open Source Security Testing Methodology Manual (“OSSTMM”), The
>>>> National Institute of Standards and Technology (“NIST”) Special
>>>> Publication 800-115, Technical Guide to Information Security Testing and
>>>> Assessment, or the *Open Web Application Security Project (OWASP)
>>>> testing methodology as defined in the **OWASP Testing Guide v.3.0**.*"
>>>>
>>>> Pretty cool. A good step. I look forward to the day when PCI and other
>>>> standards start referencing ASVS - it's probably one of the more important
>>>> standards that addresses what PCI is really looking for, I dare say.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>
>>>>  On 3/27/15 1:43 PM, Tom Brennan wrote:
>>>>
>>>> Congratulations to the many persons that have contributed in one way or
>>>> another to OWASP projects that have been referenced in the revised standard
>>>> that was issued from the PCI Standards Council
>>>>
>>>>
>>>> https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
>>>>
>>>>  The full scope document will IMHO help organizations better
>>>> understand and scope projects and that is a win-win for everyone involved
>>>> with being proactive about risk.
>>>>
>>>>  It will also bring additional positive visibility to the OWASP
>>>> Foundation worldwide including the OWASP PCI Toolkit
>>>> https://www.owasp.org/index.php/Category:OWASP_PCI_Project and many
>>>> others.
>>>>
>>>>  #TGIF well done!
>>>>
>>>>  Semper Fi,
>>>> Tom Brennan
>>>> https://www.linkedin.com/in/tombrennan
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Achieve PCI-courseoutline.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 23367 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150331/c054296a/attachment-0001.docx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Achieve PCI-courseoutlineJC.pdf
Type: application/pdf
Size: 353882 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150331/c054296a/attachment-0001.pdf>

