[Owasp-testing] [Owasp-topten] RFC: Common numbering proposal # 1

Mike Boberski mike.boberski at gmail.com
Wed Jan 6 17:59:21 EST 2010


Right, the next step if there were agreement would be to basically take the
table from the TG that summarizes the IDs, add a couple columns, and start
mapping.

Then, each doc would be updated in turn, and yes, each would then have to
address any holes. Not an issue from the ASVS or dev guide perspective.

Mike


On Wed, Jan 6, 2010 at 5:09 PM, Brad Causey <bradcausey at gmail.com> wrote:

> Thinking from the perspective of a purely ignorant person, this is
> rather confusing. Problem is, it totally makes sense as to why you did
> what you did, to me. So which of those numbers would be the final one? And
> with that number alone, could I find what I needed in each guide?
>
> *thinking aloud*
> Ideally, we have 2 ultimate goals in my mind. (bear with me here)
> 1. create a central ID number, and provide a mapping to each project.
> (maybe a good interim goal)
> 2. Actually _change_ each OWASP guide to match the TG or some agreed
> upon numbering system.
>
> Now, you are probably all asking "why are we choosing to go with the
> TG?". Well, I wasn't sold either, and I'm still not 100%. But it does
> appear to provide detailed numbering for specific vulnerabilities, and
> has a pretty good following. (and I'm partial because I currently rely
> on it)
> Here is the catch! There are going to be holes no matter which
> direction we take, for example, the TG has items the ASVS doesn't.
> Which is why I'm voting for a super detailed comprehensive "master
> list" and match them up for now, item #1. And allow each project to
> catch up to the list, ultimately leading to a truly complete #2.
>
> I'm literally thinking out loud here guys, so fire back full force.
> */thinking aloud*
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will
> expend to break a code. (Robert Morris)
> --
>
>
>
> On Wed, Jan 6, 2010 at 1:44 PM, Boberski, Michael [USA]
> <boberski_michael at bah.com> wrote:
> > Let us work on this using a specific example, SQL Injection:
> >
> > Here is a proposal for your consideration:
> >
> > ASVS Ref. Number
> > OWASP-V0604
> >
> > TG Ref. Number
> > OWASP-T0604-DV-005
> > (compared to currently: OWASP-DV-005)
> >
> > CRG Ref. Number
> > OWASP-C0604-DV-005
> >
> > Guide Ref. Number
> > OWASP-D0604
> > (goes into guidance at this level, in the next release)
> >
> > Where,
> >
> > OWASP-V0604 == V6.4 Verify that all untrusted data that is output to SQL
> > interpreters use parameterized interfaces, prepared statements, or are
> > escaped properly.
> >
> > Mike B.
> > _______________________________________________
> > Owasp-topten mailing list
> > Owasp-topten at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-topten
> >
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
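The scheme from Mike B.'s message, written out as an added example (not code from the thread or from any OWASP project): it parses an id of the proposed form and derives the four document ids from an ASVS section plus the legacy TG id. The regex, the function names, and the assumption that a TG/CRG suffix is always two letters and three digits are mine.

```python
"""Parser and generator for the proposed OWASP common-numbering ids.

Example added to the thread above, not OWASP code. The id shapes
(OWASP-V0604, OWASP-T0604-DV-005, OWASP-C0604-DV-005, OWASP-D0604) come
from the message; the regex and the two-letters-three-digits suffix rule
are assumptions.
"""
import re
from typing import NamedTuple, Optional

# OWASP-<doc letter><ASVS major, 2 digits><ASVS minor, 2 digits>[-<legacy suffix>]
_ID_RE = re.compile(
    r"^OWASP-(?P<doc>[VTCD])(?P<major>\d{2})(?P<minor>\d{2})"
    r"(?:-(?P<suffix>[A-Z]{2}-\d{3}))?$"
)


class CommonId(NamedTuple):
    doc: str               # V=ASVS, T=Testing Guide, C=Code Review Guide, D=Dev Guide
    section: str           # ASVS requirement the id hangs off, e.g. "V6.4"
    suffix: Optional[str]  # legacy TG/CRG id such as "DV-005", if present


def parse_common_id(text: str) -> CommonId:
    """Split a proposed id into document, ASVS section and legacy suffix."""
    m = _ID_RE.match(text.strip())
    if not m:
        # Legacy ids like OWASP-DV-005 carry no ASVS section and fail here.
        raise ValueError(f"not a common-numbering id: {text!r}")
    section = f"V{int(m['major'])}.{int(m['minor'])}"
    return CommonId(m["doc"], section, m["suffix"])


def family_for(section: str, legacy_tg_id: Optional[str] = None) -> dict:
    """Derive the ids for all four documents from an ASVS section ('V6.4')
    and, where the TG already covers it, the legacy TG id ('OWASP-DV-005')."""
    m = re.fullmatch(r"V(\d{1,2})\.(\d{1,2})", section.strip())
    if not m:
        raise ValueError(f"bad ASVS section: {section!r}")
    core = f"{int(m[1]):02d}{int(m[2]):02d}"
    ids = {"ASVS": f"OWASP-V{core}", "Guide": f"OWASP-D{core}"}
    if legacy_tg_id is not None:
        # Accept both "OWASP-DV-005" and the bare "DV-005" form.
        suffix = legacy_tg_id[6:] if legacy_tg_id.startswith("OWASP-") else legacy_tg_id
        if not re.fullmatch(r"[A-Z]{2}-\d{3}", suffix):
            raise ValueError(f"bad legacy TG id: {legacy_tg_id!r}")
        ids["TG"] = f"OWASP-T{core}-{suffix}"
        ids["CRG"] = f"OWASP-C{core}-{suffix}"
    return ids
```

An ASVS requirement with no TG counterpart yields only the ASVS and Guide ids, which is exactly the kind of hole Brad expects the mapping table to surface.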