[Owasp-testing] [Owasp-leaders] OWASP Testing Guide v4: start-up
Dave van Stein
dvstein at gmail.com
Mon Jul 19 06:34:22 EDT 2010
something like that is already attempted in the CAPEC.
I think it is a shame that hardly any updates on that project has been done
the last year(s) because I very much like the approach.
Maybe it's an idea to revive that project and combine it with the testing
2010/7/19 Stephen de Vries <stephen at twisteddelight.org>
> I love the idea of test cases, but not thrilled to have them tied to any
> one platform. Could they be defined in a tool independent manner such as
> pseudo code? E.g.:
> 1. Send response XYZ
> 2. If response contains "blah"
> 2.1 Test fails
> 3. If response does not contain "blah"
> 3.1 Test passes
> On Jul 19, 2010, at 9:47 AM, daniel cuthbert wrote:
> > "- Create a test case for each test to perform using O2 platform"
> > I think this could be a massive project on its own, whilst I love the
> > O2 platform as much as Dinis, I'm wondering why the need to have a
> > test case for each approach?
> > On 18 July 2010 14:43, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> >> Hi all,
> >> thanks to the OWASP Foundation, it's time to start-up with a new OWASP
> >> Testing Guide project!
> >> Introduction and Project purpose for v4:
> >> ============================
> >> The OWASP Testing Guide v3 includes a "best practice" penetration
> >> testing framework which users can implement in their own organizations
> >> and a "low level" penetration testing guide that describes techniques
> >> for testing most common web application and web service security
> >> issues. Nowadays the Testing Guide has become the standard to perform
> >> a Web Application Penetration Testing and many Companies all around
> >> the world have adopted it.
> >> It is vital for the project mantaining an updated project that
> >> represents the state of the art for WebAppSec.
> >> Project Roadmap
> >> =============
> >> - 1st phase: Brainstorming
> >> 18th July 2010: starting a brainstorming with the OWASP Leaders and
> >> project contributors to share goals and project's objectives.
> >> The following are the main improvements we have to realize:
> >> - Inserting new testing techniques, OWASP Top10 update: HTTP Verb
> >> tampering, HTTP Parameter Pollutions, URL Redirection, Insecure Direct
> >> Object References, Insecure Cryptographic Storage, Failure to Restrict
> >> URL Access, Insufficient Transport Layer Protection, Unvalidated
> >> Redirects and Forwards.
> >> - Review and improve all the sections in v3,
> >> - Create a more readable guide, eliminating some sections that are not
> >> really useful, Rationalize some sections as Session Management
> >> Testing,
> >> - Create a new section: Client side security and Firefox extensions
> >> - Create a test case for each test to perform using O2 platform
> >> - 2nd phase: Set-up the team
> >> 15th August: Introduce the new project to the OWASP mailing list
> >> seeking for contributors. We need to involve also the final users of
> >> the Testing Guide (for example Banking Companies to understand how
> >> they would like to improve that).
> >> - 3rd phase: Create a new Index
> >> 15th September: creating a new table of contents of the OTGv4
> >> assigning a task for each contributor.
> >> Here is the v3 Index:
> >> http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
> >> - 4th phase: Writing and reviewing
> >> 1st October 2010: Starting writing
> >> 1st November 2010:Starting the first review phase,
> >> 15th November 2010: Starting writing articles II phase,
> >> 1st December 2010: Starting the second review phase,
> >> 15th December 2010: Create the RC1,
> >> 15th January 2011: Release the version 4.
> >> 1st phase
> >> =======
> >> Now, we are at the 1st phase, and I think this phase it's the most
> >> important to create a solid project as we saw from the last versions.
> >> This time I found really important to open a debate about the following
> >> - OWASP vulnerabilities -
> >> The OWASP Testing Guide checklist represents the set of controls to
> >> test: http://www.owasp.org/index.php/Testing_Checklist
> >> We divided it into 10 categories (Information Gath, Config. Mng,
> >> Authentication, etc...). For each category we tell what test to
> >> perfom.
> >> The last column tells you what vulnerability you can find if the test
> >> demonstrate a weakness of the application.
> >> Now I see that the list of vulnerabilities is not alligned with all
> >> the OWASP Guides.
> >> Imo the point is that is foundamental to create a list of OWASP
> >> Vulnerabilities shared between the OWASP projects. Why?
> >> Because the OWASP DevGuide, Code Review and Testing Guide should be
> >> linked to this common KB: in this way the 3 projects are linked
> >> between the others and Companies can uderstand for each vuln how to
> >> protect from this vuln (Dev), how to review that code (CR), and how to
> >> test the app running (TG). Then because it is very important for the
> >> Companies have a full list of the possible WebAppSec vulns (I think
> >> there is a lack now).
> >> At this time we have:
> >> But this list does not represents what I mean.
> >> I would like to start from the OWASP Testing Guide checklist and
> >> collect all the vulnerabiities we can find from the last column, add
> >> the new ones. Then maybe Eoin's team should add the white box
> >> vulnerabilities: we know some are the same of the black box
> >> assessment, but others can be found only perfoming a Code Review, for
> >> example "Backdoor in the code". Then the Dev Guide team should point
> >> to this set of vulnerabilities telling how to write code to protect
> >> the application for each vulnerability.
> >> What do you think about that?
> >> Thanks,
> >> Mat
> >> --
> >> Matteo Meucci
> >> OWASP-Italy Chair, CISSP, CISA
> >> http://www.owasp.org/index.php/Italy
> >> OWASP Testing Guide lead
> >> http://www.owasp.org/index.php/Testing_Guide
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-testing