[Owasp-testing] OWASP Testing Guide v4: start-up

Matteo Meucci matteo.meucci at gmail.com
Fri Jul 23 11:14:41 EDT 2010


Hi,
thanks for the answers.

I've updated the Project roadmap collecting all our ideas:
http://www.owasp.org/index.php/Projects/OWASP_Testing_Project/Releases/Testing_Guide_V_4.0/Roadmap

1) Review all the control numbers to adhere to the OWASP Common numbering.

The Testing Guide has to align to the OWASP CN, but I would like to
discuss the problem that the list nowadays is derived from the set of
OTG controls.
I'd like to update it based on all the possible vulnerabilities an
application can suffer.
So my idea is to update the OWASP list of vulnerabilities first, then
update the OWASP CN, and finally we can build the new index for the OWASP
TG.

2) The idea of the 02 test cases for the black box testing

The test cases are only for the set of controls described by the
testing guide; O2 is not only a Source Code Analyzer tool.
I agree with Michael's thoughts:
>The idea of creating O2 examples for each item should be an addendum project led by the O2 team. (And that would be an awesome set of docs
>too, I just wouldn't want it to slow down the overall creation of the testing guide)

We are a community, so we have to understand what the community wants
for improving our projects. The idea of Dinis to create the test cases
for each OTG control is challenging and interesting (we should add a
paragraph at the end of each test description). What if we can
demonstrate what O2 can do just for 1 test, so we can decide if that
is appropriate or not?

3) Alignment with ASVS

Yes this was in my mind talking with Mike months ago. This will be
another challenging task of the project.

Thanks,
Mat

-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide


On Mon, Jul 19, 2010 at 7:54 PM,  <rick.mitchell at bell.ca> wrote:
> If v4 fully adopts Common OWASP Numbering, won't all the guides be aligned?
> (Unless we purposefully or accidentally leave an item out...)
>
> http://www.owasp.org/index.php/Common_OWASP_Numbering
>
> If all OWASP projects use the same numbering scheme then it should be pretty
> difficult for any project to miss something.
>
> Rick
>
> ________________________________
> From: owasp-testing-bounces at lists.owasp.org
> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: July 18, 2010 5:22 PM
> To: Vishal Garg
> Cc: Anurag Agarwal; Owasp leaders; owasp-testing
> Subject: Re: [Owasp-testing] OWASP Testing Guide v4: start-up
>
> Hi all,
> that is something that has always been on my mind.
> Converging guides and methodology is the way to go but may incur overhead on
> future releases.
> I'd like to do this with the code review guide also.
> Eoin
>
> On 18 Jul 2010 20:31, "Vishal Garg" <vishalgrg at gmail.com> wrote:
>
> Have you thought of aligning the new testing guide to the ASVS standard?
>
> The new development guide is in progress and we are aligning this with the
> ASVS standard. The link for the new dev guide is below:
>
> http://code.google.com/p/owasp-development-guide/wiki/Introduction
>
> Vishal
>
>
> On Sun, Jul 18, 2010 at 1:43 PM, Matteo Meucci <matteo.meucci at gmail.com>
> wrote:
>>
>> >
>> > Hi all,
>> > thanks to the OWASP Foundation, it's time to start-up with a new OWASP
>> > Testing Guide...
>>
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
>
> --
> Vishal Garg
> Web Security Specialist
>
> Blog: http://www.ethicalhack.co.uk
> Twitter: http://www.twitter.com/vishalgrg
> Linkedin: http://www.linkedin.com/in/vishalgrg
>
