[Owasp-testing] OWASP Testing Guide v4: start-up

Andre Gironda andre at operations.net
Mon Jul 19 15:54:43 EDT 2010


On Mon, Jul 19, 2010 at 1:44 PM,  <rick.mitchell at bell.ca> wrote:
> I totally agree that all guides need to be compliant with each other. I kind
> of see Common Numbering as a way to accomplish this.

So we have
1) Common Numbering
2) ASVS
3) O2 examples

I'm all for those.

What I'd like to see in addition to the above is some sort of actual
methodology instead of mappings of activities (ASVS) to tools (O2) and
compatibility to other guides (Common Numbering).

In TAOSSA, there are code auditing strategies, and I know what you're
all thinking "yeah that's code review, you stupid Andre punk", but no,
no they are not just code review techniques -- the authors talk about
black-box and threat-modeling approaches in these strategies as well.

It would also be interesting to talk about where worlds meet here,
such as how to map URLs to source code depending on the target app
platform. Which brings me to another issue: app routing and URL
rewriting i.e. where a target website location contains more than one
web application, perhaps on different varieties of web servers with
different technologies in place.

Cheers,
Andre
