[Owasp-testing] Testing Guide 3 dot OH!

Andrew van der Stock vanderaj at owasp.org
Fri May 18 14:55:46 EDT 2007

Hi folks,

I¹m about to get going on the OWASP Guide 3.0 ­ I¹ve sent a message a few
weeks ago and have a few volunteers. For the next version, I¹d like to have
parity in both, and to do that is a bit of work. One of the things to help
progress is to set a date. I propose the following schedule:

OWASP US Conference is October this year. Gives us six months
OWASP EU Conference is May next year. Gives us twelve months

I think we can have a 2.5 edition by October, and a 3.0 by next year. What
do folks think? I personally do not have the time I once did, so basically
I¹d prefer the 12 month schedule and get things right the first time.

There¹s a lot of testing material in the OWASP Guide, which I would like to
selectively dump into the Testing Guide. This will give you feature parity
with the Guide, and in turn, I need to pick up a few of the things in the
Testing Guide for the Guide.

In the Testing Guide 3.0, please make room for an authorization section.
This was missed (how?) in 2.0. The basics will include a few things in
already in the Testing Guide 2.0, and a few things from the OWASP Guide, but
will at the very least encompass:

* Complete mediation ­ everything is access controlled
* Forced Browsing. We¹re settling on this term as WASC are also starting to
use it. This is where a pre-constructed request (GET, POST, whatever) is
sent to the browser and it works. This is typical of hidden / optional links
and buttons common in most programs
* Course grained authorization - isAuthenticated(), which is typically all
products like SiteMinder and WebSeal tell you unless you start using their
advanced features. This is insufficient
* Medium grained authorization (isUserInRole()). Could be considered
business logic access control
* Fine grained authorization (is the current secured resource record or
current secured function sub-feature OK for the current user). Could be
considered data layer access control.
* Architecture to incorporate authZ checks at the client, presentation,
business and data layers. This is important with Ajax applications (I¹ve
seen this issue this very week. I can¹t go into details, but it is end of
application class of attack).

Dave Wichers wants all the Guides to be in what I call ³SFA² format. When I
complete the injection chapter, I¹ll demonstrate what needs to happen here.
Luckily, your content is closer to this format than the Guide. However, SFA
favors Wiki than documents. For many, the Wiki is the way to go, and I agree
... When you¹re online. But many folks like it being in printed form and
that also helps when you¹re doing a review where you¹re not allowed to use
your own computer or the Internet.

Dinis and myself are looking for a decent publisher now. I¹ve set a few
minimum standards to ensure that OWASP materials in published form do not
lose us our copyright and gain us maximum funds whilst allowing us to keep
the Wiki / PDF versions around for free. Most publishers will not touch this
and therefore, we need to choose from the remaining publishers carefully.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-testing/attachments/20070518/bae77479/attachment.html 

More information about the Owasp-testing mailing list