[Owasp-testing] Testing Guide 3 dot OH!

Daniel Cuthbert daniel.cuthbert at owasp.org
Fri May 18 19:53:48 EDT 2007


> Hi folks,
>
> I’m about to get going on the OWASP Guide 3.0 – I’ve sent a message  
> a few weeks ago and have a few volunteers. For the next version,  
> I’d like to have parity in both, and to do that is a bit of work.  
> One of the things to help progress is to set a date. I propose the  
> following schedule:
>
> OWASP US Conference is October this year. Gives us six months
> OWASP EU Conference is May next year. Gives us twelve months
>
> I think we can have a 2.5 edition by October, and a 3.0 by next  
> year. What do folks think? I personally do not have the time I once  
> did, so basically I’d prefer the 12 month schedule and get things  
> right the first time.
>
Agreed, this time-scale seems achievable

> There’s a lot of testing material in the OWASP Guide, which I would  
> like to selectively dump into the Testing Guide. This will give you  
> feature parity with the Guide, and in turn, I need to pick up a few  
> of the things in the Testing Guide for the Guide.
>
Spring cleanout!

> In the Testing Guide 3.0, please make room for an authorization  
> section. This was missed (how?) in 2.0. The basics will include a  
> few things already in the Testing Guide 2.0, and a few things  
> from the OWASP Guide, but will at the very least encompass:
>


> Complete mediation – everything is access controlled
> Forced Browsing. We’re settling on this term as WASC are also  
> starting to use it. This is where a pre-constructed request (GET,  
> POST, whatever) is sent to the browser and it works. This is  
> typical of hidden / optional links and buttons common in most programs
> CSRF
> Coarse grained authorization - isAuthenticated(), which is  
> typically all products like SiteMinder and WebSeal tell you unless  
> you start using their advanced features. This is insufficient
> Medium grained authorization (isUserInRole()). Could be considered  
> business logic access control
> Fine grained authorization (is the current secured resource record  
> or current secured function sub-feature OK for the current user).  
> Could be considered data layer access control.
> Architecture to incorporate authZ checks at the client,  
> presentation, business and data layers. This is important with Ajax  
> applications (I’ve seen this issue this very week. I can’t go into  
> details, but it is end of application class of attack).
>
Will add this to the page

> Dave Wichers wants all the Guides to be in what I call “SFA”  
> format. When I complete the injection chapter, I’ll demonstrate  
> what needs to happen here. Luckily, your content is closer to this  
> format than the Guide. However, SFA favors Wiki than documents. For  
> many, the Wiki is the way to go, and I agree ... When you’re  
> online. But many folks like it being in printed form and that also  
> helps when you’re doing a review where you’re not allowed to use  
> your own computer or the Internet.
>

I'm in Australia this week, so will create the wiki entry and also  
start the process

> Dinis and myself are looking for a decent publisher now. I’ve set a  
> few minimum standards to ensure that OWASP materials in published  
> form do not lose us our copyright and gain us maximum funds whilst  
> allowing us to keep the Wiki / PDF versions around for free. Most  
> publishers will not touch this and therefore, we need to choose  
> from the remaining publishers carefully.
>
> Thanks,
> Andrew

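The authorization layers listed in the quoted proposal (complete mediation, forced browsing, coarse-grained isAuthenticated(), medium-grained isUserInRole(), fine-grained per-record checks) are easier to reason about with a concrete model. The following is an added example written for this archive page; it is not code from the OWASP Guide or Testing Guide, and the users, roles, routes and invoice records in it are constructed sample data.

```python
"""Added example: coarse, medium and fine-grained authorization behind one
mediation point. All names, roles, routes and records below are constructed
for illustration and are not taken from any OWASP project code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: User
    invoice_id: int


ANONYMOUS = User("anonymous")

# Constructed sample records: each invoice belongs to exactly one user.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.0},
}


class Forbidden(Exception):
    """Raised by whichever layer refuses the request."""


def is_authenticated(user: User) -> bool:
    """Coarse-grained: is there any logged-in principal at all?"""
    return user != ANONYMOUS


def is_user_in_role(user: User, role: str) -> bool:
    """Medium-grained: business-logic role membership."""
    return role in user.roles


def can_access_invoice(user: User, invoice_id: int) -> bool:
    """Fine-grained: is this particular record OK for this particular user?"""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    return invoice["owner"] == user.name or is_user_in_role(user, "admin")


def view_invoice(req: Request) -> dict:
    if not can_access_invoice(req.user, req.invoice_id):
        raise Forbidden("record not permitted for this user")
    return INVOICES[req.invoice_id]


def delete_invoice(req: Request) -> dict:
    if not can_access_invoice(req.user, req.invoice_id):
        raise Forbidden("record not permitted for this user")
    return {"deleted": req.invoice_id}


# Route table: every entry names the role its handler requires. The admin
# route is never linked from a customer page, but a hidden link is not an
# access control: mediation treats a hand-built request exactly like a
# clicked one.
ROUTES = {
    ("GET", "/invoice"): ("customer", view_invoice),
    ("POST", "/admin/invoice/delete"): ("admin", delete_invoice),
}


def dispatch(req: Request):
    """Single choke point (complete mediation): coarse and medium checks run
    here for every request before any handler, and each handler then applies
    the fine-grained record check itself."""
    route = ROUTES.get((req.method, req.path))
    if route is None:
        raise Forbidden("unknown route")
    required_role, handler = route
    if not is_authenticated(req.user):
        raise Forbidden("login required")
    if not is_user_in_role(req.user, required_role):
        raise Forbidden(f"role '{required_role}' required")
    return handler(req)


def outcome(req: Request) -> str:
    """Summarise a request as 'allowed' or 'denied: <reason from the layer>'."""
    try:
        dispatch(req)
        return "allowed"
    except Forbidden as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))
    bob = User("bob", frozenset({"customer"}))
    dave = User("dave", frozenset({"admin"}))
    cases = [
        ("alice views own invoice", Request("GET", "/invoice", alice, 101)),
        ("alice views bob's invoice", Request("GET", "/invoice", alice, 102)),
        ("bob sends admin delete URL", Request("POST", "/admin/invoice/delete", bob, 102)),
        ("anonymous views invoice", Request("GET", "/invoice", ANONYMOUS, 101)),
        ("admin deletes invoice", Request("POST", "/admin/invoice/delete", dave, 101)),
    ]
    for label, req in cases:
        print(f"{label:28} -> {outcome(req)}")
```

Each denial names the layer that produced it, which is the split a tester wants when writing up findings: "login required" means only the coarse check exists on that path, "role required" means the medium check held against a pre-constructed request to an unlinked URL, and "record not permitted" means the fine-grained data-layer check did its job. A product that offers only isAuthenticated() would pass the first case and fail the last two.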