[Owasp-testing] [Owasp-topten] RFC: Common numbering proposal # 1
Boberski, Michael [USA]
boberski_michael at bah.com
Thu Jan 7 12:50:13 EST 2010
I created the following wiki page for us to use:
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
Sent: Thursday, January 07, 2010 12:07 PM
To: mike.boberski at gmail.com
Cc: owasp-guide at lists.owasp.org; owasp-application-security-verification-standard at lists.owasp.org; owasp-topten at lists.owasp.org; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] [Owasp-topten] RFC: Common numbering proposal # 1
I totally agree, that should be a great added value for the OWASP Guides.
I think we can create a page on our wiki for that purpose, tracking our brainstorming and the links between the Guides.
As Mike said, we can start from here:
So we can create the OWASP naming convention (e.g. OWASP-DV-001 - Reflected XSS) and mapping that with all the Guides.
In that way we can reach 2 goals in my opinion:
- update the Guides and understand what the DG,CRG,TG, Top10, ASVS are missing and what we can improve in each guide (also if some controls are specific to certain guides).
- create a more accessible starting point for the exploration of the wiki from a user perspective.
On Wed, Jan 6, 2010 at 11:59 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
> Right, the next step if there were agreement would be to basically
> take the table from the TG that summarizes the IDs, add a couple
> columns, and start mapping.
> Then, each doc would be updated in turn, and yes each would then have
> to address any holes. Not an issue from the ASVS or dev guide perspective.
> On Wed, Jan 6, 2010 at 5:09 PM, Brad Causey <bradcausey at gmail.com> wrote:
>> Thinking from the perspective of a purely ignorant person, this is
>> rather confusing. Problem is, it totally makes sense as to why you
>> did what you did, to me. So which of those numbers would be final
>> one? And with that number alone, could I find what I needed in each guide?
>> *thinking aloud*
>> Ideally, we have 2 ultimate goals in my mind. (bear with me here) 1.
>> create a central ID number, and provide a mapping to each project.
>> (maybe a good interim goal)
>> 2. Actually _change_ each OWASP guide to match the TG or some agreed
>> upon numbering system.
>> Now, you are probably all asking "why are we chosing to go with the
>> TG?". Well I wasn't sold either, and I'm still not 100%. But it does
>> appear to provide detailed numberin for specific vulnerabilities, and
>> has a pretty good following. (and I'm partial because I currently
>> rely on it) Here is the catch! There are going to be holes no matter
>> which direction we take, for example, the TG has items the ASVS
>> Which is why I'm voting for a super detailed comprehensive "master
>> list" and match them up for now, item #1. And allow each project to
>> catch up to the list, ultimately leading to a truly complete #2.
>> I'm literally thinking out loud here guys, so fire back full force.
>> */thinking aloud*
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>> Never underestimate the time, expense, and effort an opponent will
>> expend to break a code. (Robert Morris)
>> On Wed, Jan 6, 2010 at 1:44 PM, Boberski, Michael [USA]
>> <boberski_michael at bah.com> wrote:
>> > Let us work on this using a specific example, SQL Injection:
>> > Here is a proposal for your consideration:
>> > ASVS Ref. Number
>> > OWASP-V0604
>> > TG Ref. Number
>> > OWASP-T0604-DV-005
>> > (compared to currently: OWASP-DV-005)
>> > CRG Ref. Number
>> > OWASP-C0604-DV-005
>> > Guide Ref. Number
>> > OWASP-D0604
>> > (goes into guidance at this level, in the next release)
>> > Where,
>> > OWASP-V0604 == V6.4 Verify that all untrusted data that is output
>> > to SQL interpreters use parameterized interfaces, prepared
>> > statements, or are escaped properly.
>> > Mike B.
>> > _______________________________________________
>> > Owasp-topten mailing list
>> > Owasp-topten at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-topten
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
OWASP-Italy Chair, CISSP, CISA
OWASP Testing Guide lead
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
More information about the Owasp-testing