[Owasp-testing] Common numbering scheme/convention (formerly "top 10 & testing guide" thread)

Eoin eoin.keary at owasp.org
Wed Jan 6 12:40:27 EST 2010


So we'll have OWASP TG and CRG refs + ASVS refs also?


2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>

>  Nothing. But, the proposal is to align numbering schemes, using ASVS as
> the common denominator.
>
> From Dave's email below:
>
> OWASP is just starting a synchronization effort between the Top 10, ASVS,
> and all the Guides. We are trying to use the ASVS requirements as the
> baseline and then developing the dev guide and testing guide and code review
> against that outline.  However, we don’t want to wreck what you guys have
> been doing with the testing guide #’s
>
> Mike B.
>
>
>  ------------------------------
> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On Behalf Of *
> Eoin
> *Sent:* Wednesday, January 06, 2010 12:36 PM
> *To:* Boberski, Michael [USA]
> *Cc:* Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> owasp-topten at lists.owasp.org;
> owasp-application-security-verification-standard at lists.owasp.org
> *Subject:* Re: [Owasp-testing] Common numbering scheme/convention
> (formerly "top 10 & testing guide" thread)
>
> Whats wrong with the Testing guide convention?
> I am planning to correlate the CRG with this convention.
>
> -ek
>
> 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
>
>>  Hi Brad. I'm game for figuring out a common identifier
>> scheme/convention, ideally before the end of the month or so, which is the
>> current ETA to putting out a call for contributors to work on the next rev
>> of the dev guide, which as Dave mentioned will be reorganized according to
>> ASVS.
>>
>> Maybe a first step is to take a look at this:
>> http://code.google.com/p/owasp-development-guide/wiki/Introduction?tm=6  I
>> just replaced the ASVS' "A#" with "D#" but kept the title.  The "D#" is a
>> Mike-ism/first cut at a dev guide numbering scheme, so 100% open to working
>> with you on this, since obviously the thought crossed my mind something had
>> to be figured out. We're also in the early stages of planning a next release
>> of ASVS as Dave alludes to below as well, so now's a good time to talk about
>> this, i.e. we could potentially also markup
>> http://code.google.com/p/owasp-asvs/wiki/ASVS?tm=6  in a similar fashion.
>>
>> Based on your email below, I generally think we should have a major/minor
>> kinda scheme that starts with ASVS and goes to whatever:
>>
>> OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other]
>>
>> i.e., as if one were expanding a tree control that when one got to a
>> detailed verification requirement, would then have children nodes for e.g.
>> development guide, testing guide, perhaps threats that the requirements map
>> to like T10/CWE/WASC.
>>
>> Let me know your thoughts, the above is just a first proposal, I may not
>> be understanding what you need. We can use the above dev guide wiki to flesh
>> this out, see how much things make sense as we go, thing look different from
>> email/paper to clickable trees/widgets.
>>
>> Best,
>>
>> Mike B.
>>
>>
>>  ------------------------------
>> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
>> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Dave Wichers
>> *Sent:* Wednesday, January 06, 2010 12:34 AM
>> *To:* Brad Causey; owasp-testing at lists.owasp.org;
>> owasp-topten at lists.owasp.org
>> *Cc:* mike.boberski at gmail.com
>> *Subject:* Re: [Owasp-topten] top 10 & testing guide
>>
>>  Brad,
>>
>>
>>
>> OWASP is just starting a synchronization effort between the Top 10, ASVS,
>> and all the Guides. We are trying to use the ASVS requirements as the
>> baseline and then developing the dev guide and testing guide and code review
>> against that outline.  However, we don’t want to wreck what you guys have
>> been doing with the testing guide #’s
>>
>>
>>
>> Mike Boberski is working with Andrew van der Stock to launch an update
>> effort to the Dev Guide. Can you work with Mike so he understands how you
>> are using the OWASP finding #’s to see if we can move forward in a way that
>> is not massively disruptive? Mike may not even be aware of the testing guide
>> numbering scheme.
>>
>>
>>
>> And we can also make sure that the dev guide covers everything you think
>> needs to be covered (which hopefully already is covered in ASVS), and if
>> not, maybe it needs to be updated too.
>>
>>
>>
>> -Dave
>>
>>
>>
>> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
>> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Brad Causey
>> *Sent:* Tuesday, January 05, 2010 8:59 PM
>> *To:* owasp-testing at lists.owasp.org; owasp-topten at lists.owasp.org
>> *Subject:* [Owasp-topten] top 10 & testing guide
>>
>>
>>
>> First of all, sorry for the x-posting, but it seemed appropriate.
>>
>> For those of you that don't know, I work in the financial sector and
>> developed our organization's WAS testing procedures, documentation, and
>> probably 80% of our whole WAS program from OWASP materials. Great stuff.
>>
>> As matter of fact, each of our analysts has a LULU printed copy of the
>> testing guide on their desks. When we write reports up, we use the
>> OWASP-XX-XX as our classification mapping. For example:
>>
>> Finding 1 - rXSS - OWASP-DV-001 - hxxp://www.vulnsite.com?msg=<blah blah,
>> you get it> - screenshot1.png
>>
>> When we write our long form reports, we use the text from the testing
>> guide. It has really proven great for us and we've been doing this since v2
>> came out. In addition, we have previously used the top ten literature as
>> supplementary in proving higher risk, higher priority items. That has worked
>> great until now.....
>>
>> A8 on the RC version of the Top Ten throws a nice shiny wrench into it
>> all. Reason being, there isn't a corresponding OWASP-xx-xx classification
>> that matches up to A8. Now I've been writing A8 up for some time, but it
>> never had a nice-neat home in any of the Testing guide classifications.
>>
>> Now that I've gotten past all that. I'd like to maybe discuss how,
>> possibly in the future, the two projects could be somewhat more in sync. I'm
>> not sure there is a good way to do that today, but it sure makes sense in my
>> mind that all owaspy stuff have some overlap, and should avoid gaps such as
>> the A8 vs OWASP-XX-XX situation.
>>
>> Also I see some gaps here:
>>
>>
>> http://2.bp.blogspot.com/_JdybrokZBAk/S0Nt5DVYHWI/AAAAAAAABvU/HXQSzzoRJu0/s1600-h/WASC.png
>>
>> That aren't covered in any OWASP documentation, and should be. I'd like to
>> get everyones' thoughts, and probably flames, on this stuff.
>>
>>
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will expend
>> to break a code. (Robert Morris)
>> --
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-testing/attachments/20100106/4cbfe0cb/attachment.html 


More information about the Owasp-testing mailing list