[Owasp-testing] Owasp-testing Digest, Vol 32, Issue 4

Boberski, Michael [USA] boberski_michael at bah.com
Wed Jan 6 13:37:07 EST 2010


Just a side note, cutting my head off with a sword a la Highlander does not yield one's self any additional web app sec powers, just saying.
 
Mike B.

-----Original Message-----
From: Matt Tesauro [mailto:mtesauro at gmail.com] 
Sent: Wednesday, January 06, 2010 1:34 PM
To: owasp-testing at lists.owasp.org
Cc: Boberski, Michael [USA]; Brad Causey
Subject: Re: Owasp-testing Digest, Vol 32, Issue 4

I'd think aligning the numbers would have huge benefit to OWASP and the greater App Sec community.  Get OWASP's IDs straight and we can create a map between OWASP <-> CWE <-> WASC.  If your vendor or product reports in CWE, no problem.  Use the map to look up how to test (Testing Guide & Code Review Guide) or how to fix it (Developer Guide) - that would be huge.  Then, ASVS is right there to bring it all together.

Considering how long the Testing Guide has been out and frequent references to it in things like the DISA Application Security and Development Checklist [1], I like the idea below of starting with the Testing Guide references, sync'ing with the Code Review Guide and using ASVS as the umbrella to unify them all.

<joke>Does that make ASVS the one Guide to rule them all? </joke>

[1]
http://iase.disa.mil/stigs/checklist/application_security_checklist_v2r1-5.pdf

(search for 'owasp' in that PDF, be surprised)

--
-- Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site


On Wed, 2010-01-06 at 13:09 -0500, owasp-testing-request at lists.owasp.org
wrote:
[big snip]
> Date: Wed, 6 Jan 2010 12:04:22 -0600
> From: Brad Causey <bradcausey at gmail.com>
> Subject: Re: [Owasp-testing] Common numbering scheme/convention
> 	(formerly	"top 10 & testing guide" thread)
> To: "Boberski, Michael [USA]" <boberski_michael at bah.com>
> Cc: "owasp-application-security-verification-standard at lists.owasp.org"
> 	<owasp-application-security-verification-standard at lists.owasp.org>,
> 	"owasp-testing at lists.owasp.org" <owasp-testing at lists.owasp.org>,	Dave
> 	Wichers <dave.wichers at aspectsecurity.com>,
> 	"owasp-topten at lists.owasp.org" <owasp-topten at lists.owasp.org>
> Message-ID:
> 	<89f89941001061004p49a13442y791595b42dff20da at mail.gmail.com>
> Content-Type: text/plain; charset=windows-1252
> 
> I think that Mike is headed the right direction. We should start with
> the TG refs and sync it with the CRG. Then combine these refs with the
> ASVS, and use the ASVS to glue all else. Thoughts?
> 
> 
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
> 
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will
> expend to break a code. (Robert Morris)
> --
> 
> 
> 
> On Wed, Jan 6, 2010 at 11:58 AM, Boberski, Michael [USA]
> <boberski_michael at bah.com> wrote:
> > Maybe, let me put together a proposal, then we can speak to that. My
> > accomplishments so far on this task include responding to these emails and
> > eating a burger. Not there yet, for the proposal :-)
> >
> > Mike B.
> >
> > ________________________________
> > From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
> > Sent: Wednesday, January 06, 2010 12:56 PM
> > To: Boberski, Michael [USA]
> > Cc: Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> > owasp-topten at lists.owasp.org;
> > owasp-application-security-verification-standard at lists.owasp.org
> > Subject: Re: [Owasp-testing] Common numbering scheme/convention (formerly
> > "top 10 & testing guide" thread)
> >
> > ok but if the TG and CRG use the same numbers, as is envisaged, it is really
> > very simple rather than introducing additional reference convention or am I
> > barking up the wrong tree here?
> >
> >
> > 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
> >>
> >> The goal in my mind should make it obvious by inspection how numbers in
> >> any given document relate back to the ASVS, and for e.g. the testing guide,
> >> make it obvious by inspection how it relates back to the existing TG
> >> numbering.
> >>
> >> Mike B.
> >>
> >> ________________________________
> >> From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
> >> Sent: Wednesday, January 06, 2010 12:40 PM
> >> To: Boberski, Michael [USA]
> >> Cc: Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> >> owasp-topten at lists.owasp.org;
> >> owasp-application-security-verification-standard at lists.owasp.org
> >> Subject: Re: [Owasp-testing] Common numbering scheme/convention (formerly
> >> "top 10 & testing guide" thread)
> >>
> >> So we'll have OWASP TG and CRG refs + ASVS refs also?
> >>
> >>
> >> 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
> >>>
> >>> Nothing. But, the proposal is to align numbering schemes, using ASVS as
> >>> the common denominator.
> >>> From Dave's email below:
> >>>
> >>> OWASP is just starting a synchronization effort between the Top 10, ASVS,
> >>> and all the Guides. We are trying to use the ASVS requirements as the
> >>> baseline and then developing the dev guide and testing guide and code review
> >>> against that outline. However, we don't want to wreck what you guys have
> >>> been doing with the testing guide #'s
> >>>
> >>> Mike B.
> >>>
> >>> ________________________________
> >>> From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
> >>> Sent: Wednesday, January 06, 2010 12:36 PM
> >>> To: Boberski, Michael [USA]
> >>> Cc: Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> >>> owasp-topten at lists.owasp.org;
> >>> owasp-application-security-verification-standard at lists.owasp.org
> >>> Subject: Re: [Owasp-testing] Common numbering scheme/convention (formerly
> >>> "top 10 & testing guide" thread)
> >>>
> >>> Whats wrong with the Testing guide convention?
> >>> I am planning to correlate the CRG with this convention.
> >>>
> >>> -ek
> >>>
> >>> 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
> >>>>
> >>>> Hi Brad. I'm game for figuring out a common identifier
> >>>> scheme/convention, ideally before the end of the month or so, which is the
> >>>> current ETA to putting out a call for contributors to work on the next rev
> >>>> of the dev guide, which as Dave mentioned will be reorganized according to
> >>>> ASVS.
> >>>>
> >>>> Maybe a first step is to take a look at this:
> >>>> http://code.google.com/p/owasp-development-guide/wiki/Introduction?tm=6 I
> >>>> just replaced the ASVS' "A#" with "D#" but kept the title. The "D#" is a
> >>>> Mike-ism/first cut at a dev guide numbering scheme, so 100% open to working
> >>>> with you on this, since obviously the thought crossed my mind something had
> >>>> to be figured out. We're also in the early stages of planning a next release
> >>>> of ASVS as Dave alludes to below as well, so now's a good time to talk about
> >>>> this, i.e. we could potentially also markup
> >>>> http://code.google.com/p/owasp-asvs/wiki/ASVS?tm=6 in a similar fashion.
> >>>>
> >>>> Based on your email below, I generally think we should have a
> >>>> major/minor kinda scheme that starts with ASVS and goes to whatever:
> >>>>
> >>>> OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other]
> >>>>
> >>>> i.e., as if one were expanding a tree control that when one got to a
> >>>> detailed verification requirement, would then have children nodes for e.g.
> >>>> development guide, testing guide, perhaps threats that the requirements map
> >>>> to like T10/CWE/WASC.
> >>>>
> >>>> Let me know your thoughts, the above is just a first proposal, I may not
> >>>> be understanding what you need. We can use the above dev guide wiki to flesh
> >>>> this out, see how much things make sense as we go, thing look different from
> >>>> email/paper to clickable trees/widgets.
> >>>>
> >>>> Best,
> >>>>
> >>>> Mike B.
> >>>>
> >>>> ________________________________
> >>>> From: owasp-topten-bounces at lists.owasp.org
> >>>> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Dave Wichers
> >>>> Sent: Wednesday, January 06, 2010 12:34 AM
> >>>> To: Brad Causey; owasp-testing at lists.owasp.org;
> >>>> owasp-topten at lists.owasp.org
> >>>> Cc: mike.boberski at gmail.com
> >>>> Subject: Re: [Owasp-topten] top 10 & testing guide
> >>>>
> >>>> Brad,
> >>>>
> >>>>
> >>>>
> >>>> OWASP is just starting a synchronization effort between the Top 10,
> >>>> ASVS, and all the Guides. We are trying to use the ASVS requirements as the
> >>>> baseline and then developing the dev guide and testing guide and code review
> >>>> against that outline. However, we don't want to wreck what you guys have
> >>>> been doing with the testing guide #'s
> >>>>
> >>>>
> >>>>
> >>>> Mike Boberski is working with Andrew van der Stock to launch an update
> >>>> effort to the Dev Guide. Can you work with Mike so he understands how you
> >>>> are using the OWASP finding #'s to see if we can move forward in a way that
> >>>> is not massively disruptive? Mike may not even be aware of the testing guide
> >>>> numbering scheme.
> >>>>
> >>>>
> >>>>
> >>>> And we can also make sure that the dev guide covers everything you think
> >>>> needs to be covered (which hopefully already is covered in ASVS), and if
> >>>> not, maybe it needs to be updated too.
> >>>>
> >>>>
> >>>>
> >>>> -Dave
> >>>>
> >>>>
> >>>>
> >>>> From: owasp-topten-bounces at lists.owasp.org
> >>>> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Brad Causey
> >>>> Sent: Tuesday, January 05, 2010 8:59 PM
> >>>> To: owasp-testing at lists.owasp.org; owasp-topten at lists.owasp.org
> >>>> Subject: [Owasp-topten] top 10 & testing guide
> >>>>
> >>>>
> >>>>
> >>>> First of all, sorry for the x-posting, but it seemed appropriate.
> >>>>
> >>>> For those of you that don't know, I work in the financial sector and
> >>>> developed our organization's WAS testing procedures, documentation, and
> >>>> probably 80% of our whole WAS program from OWASP materials. Great stuff.
> >>>>
> >>>> As matter of fact, each of our analysts has a LULU printed copy of the
> >>>> testing guide on their desks. When we write reports up, we use the
> >>>> OWASP-XX-XX as our classification mapping. For example:
> >>>>
> >>>> Finding 1 - rXSS - OWASP-DV-001 - hxxp://www.vulnsite.com?msg=<blah
> >>>> blah, you get it> - screenshot1.png
> >>>>
> >>>> When we write our long form reports, we use the text from the testing
> >>>> guide. It has really proven great for us and we've been doing this since v2
> >>>> came out. In addition, we have previously used the top ten literature as
> >>>> supplementary in proving higher risk, higher priority items. That has worked
> >>>> great until now.....
> >>>>
> >>>> A8 on the RC version of the Top Ten throws a nice shiny wrench into it
> >>>> all. Reason being, there isn't a corresponding OWASP-xx-xx classification
> >>>> that matches up to A8. Now I've been writing A8 up for some time, but it
> >>>> never had a nice-neat home in any of the Testing guide classifications.
> >>>>
> >>>> Now that I've gotten past all that. I'd like to maybe discuss how,
> >>>> possibly in the future, the two projects could be somewhat more in sync. I'm
> >>>> not sure there is a good way to do that today, but it sure makes sense in my
> >>>> mind that all owaspy stuff have some overlap, and should avoid gaps such as
> >>>> the A8 vs OWASP-XX-XX situation.
> >>>>
> >>>> Also I see some gaps here:
> >>>>
> >>>>
> >>>> http://2.bp.blogspot.com/_JdybrokZBAk/S0Nt5DVYHWI/AAAAAAAABvU/HXQSzzoRJu0/s1600-h/WASC.png
> >>>>
> >>>> That aren't covered in any OWASP documentation, and should be. I'd like
> >>>> to get everyones' thoughts, and probably flames, on this stuff.
> >>>>
> >>>>
> >>>>
> >>>> -Brad Causey
> >>>> CISSP, MCSE, C|EH, CIFI, CGSP
> >>>>
> >>>> http://www.owasp.org
> >>>> --
> >>>> Never underestimate the time, expense, and effort an opponent will
> >>>> expend to break a code. (Robert Morris)
> >>>> --
> >>>>
> >>>> _______________________________________________
> >>>> Owasp-testing mailing list
> >>>> Owasp-testing at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Eoin Keary
> >>> OWASP Global Board Member
> >>> OWASP Code Review Guide Lead Author
> >>>
> >>> http://asg.ie/
> >>> https://twitter.com/EoinKeary
> >>
> >>
> >>
> >> --
> >> Eoin Keary
> >> OWASP Global Board Member
> >> OWASP Code Review Guide Lead Author
> >>
> >> http://asg.ie/
> >> https://twitter.com/EoinKeary
> >
> >
> >
> > --
> > Eoin Keary
> > OWASP Global Board Member
> > OWASP Code Review Guide Lead Author
> >
> > http://asg.ie/
> > https://twitter.com/EoinKeary
> >
> 
> 
> ------------------------------
> 
> 
> 
> End of Owasp-testing Digest, Vol 32, Issue 4
> ********************************************
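The identifier grammar Mike proposes above, OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other], and the gap Brad describes (a Top Ten item with no OWASP-xx-xx Testing Guide reference) can both be checked mechanically rather than by eye. What follows is an added example; it is not code from any message in this thread or from an OWASP project. The crosswalk tables in it are constructed for illustration only, and the reading of the letter tags A/D/T as ASVS, Dev Guide and Testing Guide nodes, the choice to hang the DV section under ASVS V5, and the placeholder node OWASP-V5-T are assumptions of this example, not anything the thread decides.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Existing Testing Guide convention used in Brad's reports: OWASP-<section>-<nnn>,
# e.g. OWASP-DV-001.
TG_ID = re.compile(r"^OWASP-([A-Z]{2})-(\d{3})$")

# Proposed tree-style scheme from Mike's message:
#   OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other]
# Level 1 is an ASVS verification area (V1..V14 per the thread); levels 2 and 3
# are either a requirement number or a single capital-letter tag.  Reading the
# tags as A=ASVS, D=Dev Guide, T=Testing Guide is this example's assumption.
TREE_ID = re.compile(r"^OWASP-V(\d{1,2})(?:-([1-9]\d*|[A-Z]))?(?:-([1-9]\d*|[A-Z]))?$")


@dataclass(frozen=True)
class TreeId:
    area: int                    # ASVS verification area, 1..14
    level2: Optional[str] = None
    level3: Optional[str] = None

    def parent(self) -> Optional["TreeId"]:
        """One step up the tree, or None at the root (the ASVS area itself)."""
        if self.level3 is not None:
            return TreeId(self.area, self.level2)
        if self.level2 is not None:
            return TreeId(self.area)
        return None

    def __str__(self) -> str:
        parts = [f"OWASP-V{self.area}"]
        parts += [p for p in (self.level2, self.level3) if p is not None]
        return "-".join(parts)


def parse_tree_id(text: str) -> Optional[TreeId]:
    """Parse an identifier in the proposed scheme; None if it is not well formed."""
    m = TREE_ID.match(text)
    if m is None:
        return None
    area = int(m.group(1))
    if not 1 <= area <= 14:      # the thread's range is V1..V14
        return None
    return TreeId(area, m.group(2), m.group(3))


def parse_tg_id(text: str) -> Optional[tuple[str, int]]:
    """Parse an existing Testing Guide reference such as OWASP-DV-001 into ("DV", 1)."""
    m = TG_ID.match(text)
    return (m.group(1), int(m.group(2))) if m else None


# Constructed crosswalk, illustration only: Top Ten item -> Testing Guide references.
# An empty list is the situation Brad reports for A8: no TG classification exists.
TOP_TEN_TO_TG = {
    "A1": ["OWASP-DV-005"],
    "A2": ["OWASP-DV-001", "OWASP-DV-002"],
    "A8": [],
}

# Constructed: the proposed tree node each Testing Guide section hangs under.
# Assumption: DV (data validation) tests sit under ASVS V5, tagged T for Testing Guide.
TG_SECTION_TO_TREE = {
    "DV": "OWASP-V5-T",
}


def unmapped_top_ten(crosswalk: dict[str, list[str]]) -> list[str]:
    """Top Ten items with no Testing Guide reference: the A8 gap, found by lookup."""
    return sorted(item for item, refs in crosswalk.items() if not refs)


def tree_id_for_tg_ref(tg_ref: str, section_map: dict[str, str]) -> Optional[TreeId]:
    """Place an existing TG reference in the proposed tree, keeping its old number as
    the leaf so the original TG numbering stays recoverable by inspection."""
    parsed = parse_tg_id(tg_ref)
    if parsed is None or parsed[0] not in section_map:
        return None
    section, number = parsed
    node = parse_tree_id(section_map[section])
    if node is None:
        return None
    if node.level2 is None:
        return TreeId(node.area, str(number))
    if node.level3 is None:
        return TreeId(node.area, node.level2, str(number))
    return None                  # node already has three levels; nowhere to hang a leaf


if __name__ == "__main__":
    print(unmapped_top_ten(TOP_TEN_TO_TG))
    print(tree_id_for_tg_ref("OWASP-DV-001", TG_SECTION_TO_TREE))
```

Running the module reports A8 as the only unmapped Top Ten item in the constructed table and places OWASP-DV-001 at OWASP-V5-T-1, which is the "obvious by inspection" property Mike asks for: the leaf keeps the old TG number and the parent chain leads back to the ASVS area.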


