[Owasp-testing] top 10 & testing guide

Eoin eoinkeary at gmail.com
Wed Jan 6 12:26:44 EST 2010


My €10:

The ASDR (not sure what happened to it) was meant to tie up TG, CRG and DG.
Top 10 refs CRG, TG (not sure about Dev Guide).
If we consolidate the "trinity of guides", Top 10 refs to any of the guides
should be forward and reverse navigable.



2010/1/6 Brad Causey <bradcausey at gmail.com>

> First of all, sorry for the x-posting, but it seemed appropriate.
>
> For those of you that don't know, I work in the financial sector and
> developed our organization's WAS testing procedures, documentation, and
> probably 80% of our whole WAS program from OWASP materials. Great stuff.
>
> As matter of fact, each of our analysts has a LULU printed copy of the
> testing guide on their desks. When we write reports up, we use the
> OWASP-XX-XX as our classification mapping. For example:
>
> Finding 1 - rXSS - OWASP-DV-001 - hxxp://www.vulnsite.com?msg=<blah blah,
> you get it> - screenshot1.png
>
> When we write our long form reports, we use the text from the testing
> guide. It has really proven great for us and we've been doing this since v2
> came out. In addition, we have previously used the top ten literature as
> supplementary in proving higher risk, higher priority items. That has worked
> great until now.....
>
> A8 on the RC version of the Top Ten throws a nice shiny wrench into it all.
> Reason being, there isn't a corresponding OWASP-xx-xx classification that
> matches up to A8. Now I've been writing A8 up for some time, but it never
> had a nice-neat home in any of the Testing guide classifications.
>
> Now that I've gotten past all that, I'd like to maybe discuss how, possibly
> in the future, the two projects could be somewhat more in sync. I'm not sure
> there is a good way to do that today, but it sure makes sense in my mind
> that all owaspy stuff has some overlap, and should avoid gaps such as the
> A8 vs OWASP-XX-XX situation.
>
> Also I see some gaps here:
>
>
> http://2.bp.blogspot.com/_JdybrokZBAk/S0Nt5DVYHWI/AAAAAAAABvU/HXQSzzoRJu0/s1600-h/WASC.png
>
> that aren't covered in any OWASP documentation, and should be. I'd like to
> get everyone's thoughts, and probably flames, on this stuff.
>
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will expend
> to break a code. (Robert Morris)
> --
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

http://asg.ie/
https://twitter.com/EoinKeary