[Owasp-testing] Hello :)

Matteo Meucci matteo.meucci at owasp.org
Fri Feb 25 05:28:55 EST 2011


Hi Nuno,
thank you for your email.

The stable version of the Testing Guide is v3 and widely adopted worldwide.
As you can read from the email below, we are at the starting phase of
the project v4.
I've presented a draft of the testing checklist at the last Summit; it
will be available soon.
I'd like to finish the first 2 steps of the roadmap, then start with
the project.
Please keep in touch on the OWASP Testing guide ml: as for version 3 you
can follow the draft pages of the project on the wiki.

Thanks,
Best regards,
Mat

On 25/02/2011 11:10, Nuno Teodoro wrote:
> Hi all, I was wondering if there is any draft version of testing guide
> V4 including the OWASP testing checklist.
>
> I am aware significant changes need to be made and I would like to
> read any draft version and check its status, as I am trying to get my
> company to assume OWASP's testing guide as the de facto methodology for
> web app testing.
>
> Best regards
>
> 2011/1/28 Matteo Meucci <matteo.meucci at gmail.com>
>
>     Hi Jim,
>     you are correct, we are late.
>
>     This is the roadmap of v4:
>     - Create a new comprehensive list of all the possible vulnerabilities.
>     - Review all the control numbers to adhere to the OWASP Common
>     numbering,
>     - Review all the sections in v3,
>     - Create a more readable guide, eliminating some sections that are not
>     really useful,
>     - Insert new testing techniques: HTTP Verb tampering, HTTP Parameter
>     Pollution, etc.,
>     - Rationalize some sections such as Session Management Testing,
>     - Debate whether to create a new section: Client side security and
>     Firefox extensions testing.
>
>     I think that step I is really important because v3 is a stable
>     version, really widely adopted because it describes a comprehensive
>     methodology based on a vulnerability list:
>     http://www.owasp.org/index.php/Testing_Checklist
>
>     We need to update this list before starting with a new version.
>     Then I see another problem: we need all the OWASP Guides (Top10,
>     DevGuide, CodeRG, TestingG) to talk the same language.
>     For example: OWASP Top10 2010 talks about "Failure to Restrict URL
>     Access" and we do not have that in the TG list.
>
>     So I think we need a common basis for all the guides and with Anurag
>     and Eoin we started the OWASP Common Vulnerability List.
>     http://www.owasp.org/index.php/OWASP_Common_Vulnerability_List
>     We have been debating the list for 3 months, so now it's time to
>     close the project and publish the first version.
>     I think OWASP Summit is the right place for that.
>
>     Summarizing, at the OWASP Summit:
>     - We will have to define the first list of the OWASP Common
>     Vulnerability list, and decide how to manage it for the future (a
>     board could receive all the new requests for new types of vuln, then
>     we can process them, publish them and decide which guide will
>     implement them)
>     - Once that is defined, we can decide how to go on with the new issues
>     of the Testing Guide and plan the new version.
>
>     So please folks, put your name on the WS participants list and let's
>     discuss it:
>     - http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session052
>     - OWASP Common vuln list WS will be opening asap
>
>     Thanks,
>     Mat
>
>     --
>     OWASP Testing Guide lead
>     http://www.owasp.org/index.php/Testing_Guide
>
>
>
>
>     On Fri, Jan 28, 2011 at 12:49 AM, Jim Manico <jim.manico at owasp.org> wrote:
>     > Hello Testers! :)
>     >
>     > I was just looking at:
>     >
>     > http://www.owasp.org/index.php/OWASP_Testing_Project
>     >
>     > And noticed the front page says "next version ready in January 2011"
>     >
>     > May I ask what is the status of the next release?
>     >
>     > ALOHA,
>     > Jim Manico
>     > _______________________________________________
>     > Owasp-testing mailing list
>     > Owasp-testing at lists.owasp.org
>     > https://lists.owasp.org/mailman/listinfo/owasp-testing
>     >