[Owasp-testing] Common numbering scheme/convention (formerly "top 10 & testing guide" thread)

Eoin eoin.keary at owasp.org
Wed Jan 6 12:36:21 EST 2010


What's wrong with the Testing Guide convention?
I am planning to correlate the CRG with this convention.

-ek

2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>

> Hi Brad. I'm game for figuring out a common identifier scheme/convention,
> ideally before the end of the month or so, which is the current ETA for
> putting out a call for contributors to work on the next rev of the dev
> guide, which, as Dave mentioned, will be reorganized according to ASVS.
>
> Maybe a first step is to take a look at this:
> http://code.google.com/p/owasp-development-guide/wiki/Introduction?tm=6  I
> just replaced the ASVS' "A#" with "D#" but kept the title.  The "D#" is a
> Mike-ism/first cut at a dev guide numbering scheme, so 100% open to working
> with you on this, since obviously the thought crossed my mind something had
> to be figured out. We're also in the early stages of planning a next release
> of ASVS as Dave alludes to below as well, so now's a good time to talk about
> this, i.e. we could potentially also markup
> http://code.google.com/p/owasp-asvs/wiki/ASVS?tm=6  in a similar fashion.
>
> Based on your email below, I generally think we should have a major/minor
> kinda scheme that starts with ASVS and goes to whatever:
>
> OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other]
>
> i.e., as if one were expanding a tree control that, when one got to a
> detailed verification requirement, would then have child nodes for e.g.
> development guide, testing guide, perhaps threats that the requirements map
> to like T10/CWE/WASC.
>
> Let me know your thoughts, the above is just a first proposal, I may not be
> understanding what you need. We can use the above dev guide wiki to flesh
> this out, see how much things make sense as we go; things look different from
> email/paper to clickable trees/widgets.
>
> Best,
>
> Mike B.
>
>
>  ------------------------------
> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Dave Wichers
> *Sent:* Wednesday, January 06, 2010 12:34 AM
> *To:* Brad Causey; owasp-testing at lists.owasp.org;
> owasp-topten at lists.owasp.org
> *Cc:* mike.boberski at gmail.com
> *Subject:* Re: [Owasp-topten] top 10 & testing guide
>
> Brad,
>
> OWASP is just starting a synchronization effort between the Top 10, ASVS,
> and all the Guides. We are trying to use the ASVS requirements as the
> baseline and then develop the dev guide, testing guide and code review
> guide against that outline. However, we don’t want to wreck what you guys have
> been doing with the testing guide #’s.
>
> Mike Boberski is working with Andrew van der Stock to launch an update
> effort to the Dev Guide. Can you work with Mike so he understands how you
> are using the OWASP finding #’s to see if we can move forward in a way that
> is not massively disruptive? Mike may not even be aware of the testing guide
> numbering scheme.
>
> And we can also make sure that the dev guide covers everything you think
> needs to be covered (which hopefully already is covered in ASVS), and if
> not, maybe it needs to be updated too.
>
> -Dave
>
> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Brad Causey
> *Sent:* Tuesday, January 05, 2010 8:59 PM
> *To:* owasp-testing at lists.owasp.org; owasp-topten at lists.owasp.org
> *Subject:* [Owasp-topten] top 10 & testing guide
>
> First of all, sorry for the x-posting, but it seemed appropriate.
>
> For those of you that don't know, I work in the financial sector and
> developed our organization's WAS testing procedures, documentation, and
> probably 80% of our whole WAS program from OWASP materials. Great stuff.
>
> As a matter of fact, each of our analysts has a Lulu-printed copy of the
> testing guide on their desks. When we write reports up, we use the
> OWASP-XX-XX as our classification mapping. For example:
>
> Finding 1 - rXSS - OWASP-DV-001 - hxxp://www.vulnsite.com?msg=<blah blah,
> you get it> - screenshot1.png
>
> When we write our long form reports, we use the text from the testing
> guide. It has really proven great for us and we've been doing this since v2
> came out. In addition, we have previously used the top ten literature as
> supplementary in proving higher risk, higher priority items. That has worked
> great until now.....
>
> A8 on the RC version of the Top Ten throws a nice shiny wrench into it all.
> Reason being, there isn't a corresponding OWASP-xx-xx classification that
> matches up to A8. Now I've been writing A8 up for some time, but it never
> had a nice-neat home in any of the Testing guide classifications.
>
> Now that I've gotten past all that, I'd like to maybe discuss how, possibly
> in the future, the two projects could be somewhat more in sync. I'm not sure
> there is a good way to do that today, but it sure makes sense in my mind
> that all owaspy stuff have some overlap, and should avoid gaps such as the
> A8 vs OWASP-XX-XX situation.
>
> Also I see some gaps here:
>
> http://2.bp.blogspot.com/_JdybrokZBAk/S0Nt5DVYHWI/AAAAAAAABvU/HXQSzzoRJu0/s1600-h/WASC.png
>
> that aren't covered in any OWASP documentation, and should be. I'd like to
> get everyone's thoughts, and probably flames, on this stuff.
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary
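Mike's tree proposal (OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other], expanding an ASVS requirement into dev-guide and testing-guide child nodes) and Brad's report line (Finding - OWASP-DV-001 - URL - screenshot) both depend on identifiers that a tool can parse and cross-reference. The Python below is an added example, not code from any OWASP project or from anyone on this thread. It validates the three identifier forms named in the thread (Testing Guide OWASP-XX-NNN, Top 10 A#, and the proposed ASVS-rooted form), builds the nested tree Mike describes, and flags report findings whose classification has no Testing Guide identifier, which is the A8 situation Brad raises. Assumptions: the "other" segment values in Mike's grammar are not handled (only digits and A/D/T are accepted), the ASVS section range 1-14 is taken from his proposal, and the crosswalk and findings at the bottom are constructed sample data, not a real OWASP mapping.

```python
"""Parse and cross-reference OWASP identifier forms (added example, not OWASP code)."""
import re
from dataclasses import dataclass

# Grammars read off the thread; "other" segment values are not supported (assumption).
TG_RE = re.compile(r"^OWASP-([A-Z]{2})-(\d{3})$")          # e.g. OWASP-DV-001
TOP10_RE = re.compile(r"^A(\d{1,2})$")                      # e.g. A8
ASVS_SEG = r"(\d+|[ADT])"                                   # 1-n or A/D/T child type
ASVS_RE = re.compile(rf"^OWASP-V(\d{{1,2}})(?:-{ASVS_SEG})?(?:-{ASVS_SEG})?$")
ASVS_MAX_SECTION = 14  # V[1-14] as proposed in the thread


@dataclass(frozen=True)
class Ident:
    scheme: str   # "testing-guide", "top10" or "asvs"
    parts: tuple  # normalised components, e.g. ("DV", 1), (8,), (3, 2, "T")

    def __str__(self):
        if self.scheme == "testing-guide":
            return f"OWASP-{self.parts[0]}-{self.parts[1]:03d}"
        if self.scheme == "top10":
            return f"A{self.parts[0]}"
        return "OWASP-V" + "-".join(str(p) for p in self.parts)


def parse_ident(text):
    """Return an Ident for any of the three forms, or raise ValueError."""
    s = text.strip()
    m = TG_RE.match(s)
    if m:
        return Ident("testing-guide", (m.group(1), int(m.group(2))))
    m = TOP10_RE.match(s)
    if m:
        n = int(m.group(1))
        if not 1 <= n <= 10:
            raise ValueError(f"Top 10 item out of range: {s}")
        return Ident("top10", (n,))
    m = ASVS_RE.match(s)
    if m:
        section = int(m.group(1))
        if not 1 <= section <= ASVS_MAX_SECTION:
            raise ValueError(f"ASVS section out of range: {s}")
        parts = [section]
        for seg in m.groups()[1:]:
            if seg is None:
                break
            parts.append(seg if seg in ("A", "D", "T") else int(seg))
        return Ident("asvs", tuple(parts))
    raise ValueError(f"unrecognised identifier: {s}")


def build_tree(idents):
    """Expand ASVS-rooted identifiers into the nested tree Mike describes."""
    root = {}
    for ident in idents:
        if ident.scheme != "asvs":
            raise ValueError(f"not an ASVS-rooted identifier: {ident}")
        labels = [f"V{ident.parts[0]}"] + [str(p) for p in ident.parts[1:]]
        node = root
        for label in labels:
            node = node.setdefault(label, {})
    return root


def render_tree(tree, indent=0):
    """Render the nested dict as an indented outline, one node per line."""
    lines = []
    for label, children in tree.items():
        lines.append("  " * indent + label)
        lines.extend(render_tree(children, indent + 1))
    return lines


def unmapped_findings(findings, crosswalk):
    """Return (label, classification) pairs that have no Testing Guide id.

    findings:  list of (label, classification string) as in a report line
    crosswalk: dict mapping a Top 10 / ASVS id string to a list of Testing Guide ids
    Testing Guide classifications need no mapping and are skipped.
    """
    gaps = []
    for label, cls in findings:
        ident = parse_ident(cls)
        if ident.scheme == "testing-guide":
            continue
        if not crosswalk.get(str(ident)):
            gaps.append((label, str(ident)))
    return gaps


# Constructed sample data (hypothetical, not a real OWASP mapping).
SAMPLE_FINDINGS = [
    ("Finding 1 - rXSS", "OWASP-DV-001"),
    ("Finding 2", "A8"),
]
SAMPLE_CROSSWALK = {"A8": []}  # nothing in the Testing Guide maps to A8 yet

if __name__ == "__main__":
    tree = build_tree([parse_ident("OWASP-V3-2-T"), parse_ident("OWASP-V3-2-D")])
    print("\n".join(render_tree(tree)))
    print("gaps:", unmapped_findings(SAMPLE_FINDINGS, SAMPLE_CROSSWALK))
```

The parser is deliberately strict: an out-of-range section (OWASP-V15-1) or Top 10 item (A0) is rejected rather than silently accepted, so a report template that adopts the scheme catches typos at write-up time instead of at review.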