[Owasp-testing] Common numbering scheme/convention (formerly "top 10 & testing guide" thread)

Eoin eoin.keary at owasp.org
Wed Jan 6 12:56:07 EST 2010


OK, but if the TG and CRG use the same numbers, as is envisaged, it is really
very simple, rather than introducing an additional reference convention. Or am I
barking up the wrong tree here?


2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>

>  The goal in my mind should be to make it obvious by inspection how numbers in
> any given document relate back to the ASVS, and, for e.g. the testing guide,
> make it obvious by inspection how it relates back to the existing TG
> numbering.
>
> Mike B.
>
>
>  ------------------------------
> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On Behalf Of *
> Eoin
> *Sent:* Wednesday, January 06, 2010 12:40 PM
>
> *To:* Boberski, Michael [USA]
> *Cc:* Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> owasp-topten at lists.owasp.org;
> owasp-application-security-verification-standard at lists.owasp.org
> *Subject:* Re: [Owasp-testing] Common numbering scheme/convention
> (formerly "top 10 & testing guide" thread)
>
> So we'll have OWASP TG and CRG refs + ASVS refs also?
>
>
> 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
>
>>  Nothing. But, the proposal is to align numbering schemes, using ASVS as
>> the common denominator.
>>
>> From Dave's email below:
>>
>> OWASP is just starting a synchronization effort between the Top 10, ASVS,
>> and all the Guides. We are trying to use the ASVS requirements as the
>> baseline and then developing the dev guide and testing guide and code review
>> against that outline.  However, we don’t want to wreck what you guys have
>> been doing with the testing guide #’s.
>>
>> Mike B.
>>
>>
>>  ------------------------------
>> *From:* eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] *On Behalf Of *
>> Eoin
>> *Sent:* Wednesday, January 06, 2010 12:36 PM
>> *To:* Boberski, Michael [USA]
>> *Cc:* Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
>> owasp-topten at lists.owasp.org;
>> owasp-application-security-verification-standard at lists.owasp.org
>> *Subject:* Re: [Owasp-testing] Common numbering scheme/convention
>> (formerly "top 10 & testing guide" thread)
>>
>>   What's wrong with the Testing Guide convention?
>> I am planning to correlate the CRG with this convention.
>>
>> -ek
>>
>> 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
>>
>>>  Hi Brad. I'm game for figuring out a common identifier
>>> scheme/convention, ideally before the end of the month or so, which is the
>>> current ETA to putting out a call for contributors to work on the next rev
>>> of the dev guide, which as Dave mentioned will be reorganized according to
>>> ASVS.
>>>
>>> Maybe a first step is to take a look at this:
>>> http://code.google.com/p/owasp-development-guide/wiki/Introduction?tm=6
>>> I just replaced the ASVS' "A#" with "D#" but kept the title.  The "D#" is
>>> a Mike-ism/first cut at a dev guide numbering scheme, so 100% open to
>>> working with you on this, since obviously the thought crossed my mind
>>> something had to be figured out. We're also in the early stages of planning
>>> a next release of ASVS as Dave alludes to below as well, so now's a good
>>> time to talk about this, i.e. we could potentially also markup
>>> http://code.google.com/p/owasp-asvs/wiki/ASVS?tm=6  in a similar
>>> fashion.
>>>
>>> Based on your email below, I generally think we should have a major/minor
>>> kinda scheme that starts with ASVS and goes to whatever:
>>>
>>> OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other]
>>>
>>> i.e., as if one were expanding a tree control that when one got to a
>>> detailed verification requirement, would then have children nodes for e.g.
>>> development guide, testing guide, perhaps threats that the requirements map
>>> to like T10/CWE/WASC.
>>>
>>> Let me know your thoughts; the above is just a first proposal, I may not
>>> be understanding what you need. We can use the above dev guide wiki to flesh
>>> this out and see how much things make sense as we go; things look different from
>>> email/paper to clickable trees/widgets.
>>>
>>> Best,
>>>
>>> Mike B.
>>>
>>>
>>>  ------------------------------
>>> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
>>> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Dave Wichers
>>> *Sent:* Wednesday, January 06, 2010 12:34 AM
>>> *To:* Brad Causey; owasp-testing at lists.owasp.org;
>>> owasp-topten at lists.owasp.org
>>> *Cc:* mike.boberski at gmail.com
>>> *Subject:* Re: [Owasp-topten] top 10 & testing guide
>>>
>>>  Brad,
>>>
>>>
>>>
>>> OWASP is just starting a synchronization effort between the Top 10, ASVS,
>>> and all the Guides. We are trying to use the ASVS requirements as the
>>> baseline and then developing the dev guide and testing guide and code review
>>> against that outline.  However, we don’t want to wreck what you guys have
>>> been doing with the testing guide #’s.
>>>
>>>
>>>
>>> Mike Boberski is working with Andrew van der Stock to launch an update
>>> effort to the Dev Guide. Can you work with Mike so he understands how you
>>> are using the OWASP finding #’s to see if we can move forward in a way that
>>> is not massively disruptive? Mike may not even be aware of the testing guide
>>> numbering scheme.
>>>
>>>
>>>
>>> And we can also make sure that the dev guide covers everything you think
>>> needs to be covered (which hopefully already is covered in ASVS), and if
>>> not, maybe it needs to be updated too.
>>>
>>>
>>>
>>> -Dave
>>>
>>>
>>>
>>> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
>>> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Brad Causey
>>> *Sent:* Tuesday, January 05, 2010 8:59 PM
>>> *To:* owasp-testing at lists.owasp.org; owasp-topten at lists.owasp.org
>>> *Subject:* [Owasp-topten] top 10 & testing guide
>>>
>>>
>>>
>>> First of all, sorry for the x-posting, but it seemed appropriate.
>>>
>>> For those of you that don't know, I work in the financial sector and
>>> developed our organization's WAS testing procedures, documentation, and
>>> probably 80% of our whole WAS program from OWASP materials. Great stuff.
>>>
>>> As a matter of fact, each of our analysts has a LULU printed copy of the
>>> testing guide on their desks. When we write reports up, we use the
>>> OWASP-XX-XX as our classification mapping. For example:
>>>
>>> Finding 1 - rXSS - OWASP-DV-001 - hxxp://www.vulnsite.com?msg=<blah
>>> blah, you get it> - screenshot1.png
>>>
>>> When we write our long form reports, we use the text from the testing
>>> guide. It has really proven great for us and we've been doing this since v2
>>> came out. In addition, we have previously used the top ten literature as
>>> supplementary in proving higher risk, higher priority items. That has worked
>>> great until now.....
>>>
>>> A8 on the RC version of the Top Ten throws a nice shiny wrench into it
>>> all. Reason being, there isn't a corresponding OWASP-xx-xx classification
>>> that matches up to A8. Now I've been writing A8 up for some time, but it
>>> never had a nice-neat home in any of the Testing guide classifications.
>>>
>>> Now that I've gotten past all that, I'd like to maybe discuss how,
>>> possibly in the future, the two projects could be somewhat more in sync. I'm
>>> not sure there is a good way to do that today, but it sure makes sense in my
>>> mind that all owaspy stuff has some overlap, and should avoid gaps such as
>>> the A8 vs OWASP-XX-XX situation.
>>>
>>> Also I see some gaps here:
>>>
>>>
>>> http://2.bp.blogspot.com/_JdybrokZBAk/S0Nt5DVYHWI/AAAAAAAABvU/HXQSzzoRJu0/s1600-h/WASC.png
>>>
>>> that aren't covered in any OWASP documentation, and should be. I'd like
>>> to get everyone's thoughts, and probably flames, on this stuff.
>>>
>>>
>>>
>>> -Brad Causey
>>> CISSP, MCSE, C|EH, CIFI, CGSP
>>>
>>> http://www.owasp.org
>>> --
>>> Never underestimate the time, expense, and effort an opponent will expend
>>> to break a code. (Robert Morris)
>>> --
>>>
>>> _______________________________________________
>>> Owasp-testing mailing list
>>> Owasp-testing at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>
>>>
>>
>>
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>>
>> http://asg.ie/
>> https://twitter.com/EoinKeary
>>
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary
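As an added illustration of the two identifier forms discussed in this thread, the existing Testing Guide reference (OWASP-XX-NNN, e.g. OWASP-DV-001) and Mike's proposed tree-style scheme OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other], the Python below is not from the thread or from any OWASP project. It assumes an interpretation the proposal leaves open: the V-section is the ASVS section (1 to 14), numeric segments are child requirements, the letters A, D and T tag a node as belonging to ASVS, the Development Guide or the Testing Guide, and the "other" placeholder is left unmodelled. The point it demonstrates is the "obvious by inspection" property asked for above: from any guide-specific reference the parser recovers the ASVS requirement it hangs off.

```python
import re
from dataclasses import dataclass
from typing import Tuple, Union

# Legacy Testing Guide reference as quoted in the thread, e.g. OWASP-DV-001.
# Two uppercase letters for the category, three digits for the test number.
TG_REF = re.compile(r"^OWASP-(?P<cat>[A-Z]{2})-(?P<num>\d{3})$")

# Proposed tree-style reference (assumed reading of the proposal):
#   OWASP-V<section>[-<segment>]*
# where <segment> is a number (child requirement) or one of the guide tags
# A (ASVS), D (dev guide), T (testing guide). "other" is not modelled here.
SEGMENT = r"(?:\d+|[ADT])"
TREE_REF = re.compile(rf"^OWASP-V(?P<section>\d{{1,2}})(?P<rest>(?:-{SEGMENT})*)$")

Segment = Union[int, str]


@dataclass(frozen=True)
class TreeRef:
    """A parsed tree-style reference: ASVS section plus a path of segments."""
    section: int
    path: Tuple[Segment, ...]

    @property
    def asvs_parent(self) -> str:
        # The ASVS anchor is the V-section plus the leading numeric segments;
        # the first guide tag (A/D/T) marks where guide-specific children begin.
        nums = []
        for seg in self.path:
            if isinstance(seg, int):
                nums.append(str(seg))
            else:
                break
        return "-".join([f"OWASP-V{self.section}"] + nums)

    @property
    def guide(self) -> str:
        # Assumed convention: the last tag on the path names the owning guide;
        # a purely numeric path is an ASVS requirement itself.
        tags = [seg for seg in self.path if isinstance(seg, str)]
        return tags[-1] if tags else "A"


def is_legacy_tg_ref(ref: str) -> bool:
    """True for references in the existing OWASP-XX-NNN Testing Guide form."""
    return TG_REF.match(ref) is not None


def parse_tree_ref(ref: str) -> TreeRef:
    """Parse a tree-style reference; raises ValueError on malformed input."""
    m = TREE_REF.match(ref)
    if m is None:
        raise ValueError(f"not a tree-style reference: {ref!r}")
    section = int(m.group("section"))
    if not 1 <= section <= 14:
        raise ValueError(f"ASVS section out of range 1-14: {section}")
    path = []
    # rest looks like "-1-T-3"; drop the empty element before the first dash.
    for seg in m.group("rest").split("-")[1:]:
        path.append(int(seg) if seg.isdigit() else seg)
    return TreeRef(section, tuple(path))


def is_valid_tree_ref(ref: str) -> bool:
    """Boolean wrapper around parse_tree_ref for validation in bulk."""
    try:
        parse_tree_ref(ref)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample references; the values are illustrative, not real
    # entries from any OWASP document.
    for ref in ["OWASP-DV-001", "OWASP-V2-1-T-3", "OWASP-V14", "OWASP-V15-1"]:
        if is_legacy_tg_ref(ref):
            print(f"{ref}: legacy Testing Guide reference")
        elif is_valid_tree_ref(ref):
            r = parse_tree_ref(ref)
            print(f"{ref}: guide={r.guide} asvs_parent={r.asvs_parent}")
        else:
            print(f"{ref}: invalid")
```

Running it as a script prints one line per constructed sample; the useful check for a report template is `asvs_parent`, which lets a finding written against a Testing Guide node be rolled up to its ASVS requirement without a separate lookup table.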