[Owasp-testing] [Owasp-topten] RFC: Common numbering proposal # 1

Matteo Meucci matteo.meucci at gmail.com
Thu Jan 7 12:07:05 EST 2010


Hi,
I totally agree, that should be a great added value for the OWASP Guides.
I think we can create a page on our wiki for that purpose, tracking
our brainstorming and the links between the Guides.

As Mike said, we can start from here:
http://www.owasp.org/index.php/Testing_Checklist

So we can create the OWASP naming convention (e.g. OWASP-DV-001 -
Reflected XSS) and mapping that with all the Guides.
In that way we can reach 2 goals in my opinion:
- update the Guides and understand what the DG,CRG,TG, Top10, ASVS are
missing and what we can improve in each guide (also if some controls
are specific to certain guides).
- create a more accessible starting point for the exploration of the
wiki from a user perspective.

Thanks,
Mat

On Wed, Jan 6, 2010 at 11:59 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
> Right, the next step if there were agreement would be to basically take the
> table from the TG that summarizes the IDs, add a couple columns, and start
> mapping.
>
> Then, each doc would be updated in turn, and yes each would then have to
> address any holes. Not an issue from the ASVS or dev guide perspective.
>
> Mike
>
>
> On Wed, Jan 6, 2010 at 5:09 PM, Brad Causey <bradcausey at gmail.com> wrote:
>>
>> Thinking from the perspective of a purely ignorant person, this is
>> rather confusing. Problem is, it totally makes sense as to why you did
>> what you did, to me. So which of those numbers would be final one? And
>> with that number alone, could I find what I needed in each guide?
>>
>> *thinking aloud*
>> Ideally, we have 2 ultimate goals in my mind. (bear with me here)
>> 1. create a central ID number, and provide a mapping to each project.
>> (maybe a good interim goal)
>> 2. Actually _change_ each OWASP guide to match the TG or some agreed
>> upon numbering system.
>>
>> Now, you are probably all asking "why are we chosing to go with the
>> TG?". Well I wasn't sold either, and I'm still not 100%. But it does
>> appear to provide detailed numberin for specific vulnerabilities, and
>> has a pretty good following. (and I'm partial because I currently rely
>> on it)
>> Here is the catch! There are going to be holes no matter which
>> direction we take, for example, the TG has items the ASVS doesn't.
>> Which is why I'm voting for a super detailed comprehensive "master
>> list" and match them up for now, item #1. And allow each project to
>> catch up to the list, ultimately leading to a truly complete #2.
>>
>> I'm literally thinking out loud here guys, so fire back full force.
>> */thinking aloud*
>>
>>
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>>
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will
>> expend to break a code. (Robert Morris)
>> --
>>
>>
>>
>> On Wed, Jan 6, 2010 at 1:44 PM, Boberski, Michael [USA]
>> <boberski_michael at bah.com> wrote:
>> > Let us work on this using a specific example, SQL Injection:
>> >
>> > Here is a proposal for your consideration:
>> >
>> > ASVS Ref. Number
>> > OWASP-V0604
>> >
>> > TG Ref. Number
>> > OWASP-T0604-DV-005
>> > (compared to currently: OWASP-DV-005)
>> >
>> > CRG Ref. Number
>> > OWASP-C0604-DV-005
>> >
>> > Guide Ref. Number
>> > OWASP-D0604
>> > (goes into guidance at this level, in the next release)
>> >
>> > Where,
>> >
>> > OWASP-V0604 == V6.4  Verify that all untrusted data that is output to
>> > SQL interpreters use parameterized interfaces, prepared statements, or are
>> > escaped properly.
>> >
>> > Mike B.
>> > _______________________________________________
>> > Owasp-topten mailing list
>> > Owasp-topten at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-topten
>> >
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>



-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide


More information about the Owasp-testing mailing list