[Owasp-testing] Hello :)
nuno.filipe.teodoro at gmail.com
Fri Feb 25 05:10:48 EST 2011
Hi all, I was wondering if there is any draft version of Testing Guide v4
including the OWASP testing checklist.
I am aware significant changes need to be made and I would like to read any
draft version and check its status, as I am trying to get my company to adopt
OWASP's Testing Guide as the de facto methodology for web app testing.
2011/1/28 Matteo Meucci <matteo.meucci at gmail.com>
> Hi Jim,
> you are correct, we are late.
> This is the roadmap of v4:
> - Create a new comprehensive list of all the possible vulnerabilities.
> - Review all the control numbers to adhere to the OWASP Common numbering,
> - Review all the sections in v3,
> - Create a more readable guide, eliminating some sections that are not
> really useful,
> - Insert new testing techniques: HTTP Verb tampering, HTTP Parameter
> Pollutions, etc.,
> - Rationalize some sections as Session Management Testing,
> - Debate whether to create a new section: Client side security and Firefox
> extensions testing.
> I think that step 1 is really important because v3 is a stable
> version, really widely adopted because it describes a comprehensive
> methodology based on a vulnerability list:
> We need to update this list before starting with a new version.
> Then I see another problem: we need that all the OWASP Guides (Top10,
> DevGuide, CodeRG, TestingG) talk the same language.
> For example: OWASP Top10 2010 talks about "Failure to Restrict URL
> Access" and we do not have that in the TG list.
> So I think we need a common basis for all the guides and with Anurag
> and Eoin we started the OWASP Common Vulnerability List.
> We have been debating the list for 3 months, so now it's time to close the
> project and publish the first version.
> I think OWASP Summit is the right place for that.
> Summarizing, at the OWASP Summit:
> - We will have to define the first OWASP Common Vulnerability
> list, and decide how to manage it for the future (a board could
> receive all the new requests for new types of vuln, then we can process
> them, publish them and decide which guide will implement them)
> - Once defined that we can decide how to go on with the new issues of
> the Testing Guide and plan the new version.
> So please folks, put your name on the WS participants list and let's discuss
> - http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session052
> - OWASP Common vuln list WS will be opening asap
> OWASP Testing Guide lead
> On Fri, Jan 28, 2011 at 12:49 AM, Jim Manico <jim.manico at owasp.org> wrote:
> > Hello Testers! :)
> > I was just looking at:
> > http://www.owasp.org/index.php/OWASP_Testing_Project
> > And noticed the front page says "next version ready in January 2011"
> > May I ask what is the status of the next release?
> > ALOHA,
> > Jim Manico
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing