[Owasp-testing] (no subject)

Matt Tesauro matt.tesauro at owasp.org
Wed Jan 6 13:40:10 EST 2010


I'd think aligning the numbers would have huge benefit to OWASP and the
greater App Sec community.  Get OWASP's IDs straight and we can create a
map between OWASP <-> CWE <-> WASC.  If you're vendor or product reports
in CWE, no problem.  Use the map to look up how to test (Testing Guide &
Code Review Guide) or how to fix it (Developer Guide) - that would be
huge.  Then, ASVS is right there to bring it all together.

Considering how long the Testing Guide has been out and frequent
references to it in things like the DISA Application Security and
Development Checklist [1], I like the idea below of starting with the
Testing Guide references, sync'ing with the Code Review Guide and using
ASVS as the umbrella to unify them all.

<joke>Does that make ASVS the one Guide to rule them all? </joke>

[1]
http://iase.disa.mil/stigs/checklist/application_security_checklist_v2r1-5.pdf

(search for 'owasp' in that PDF, be surprised)

-- 
-
-- Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site


More information about the Owasp-testing mailing list