[Owasp-testing] Hello :)
matteo.meucci at gmail.com
Fri Jan 28 07:04:49 EST 2011
you are correct, we are in late.
This is the roadmap of v4:
- Create a new comprehensive list of all the possible vulnerabilities.
- Review all the control numbers to adhere to the OWASP Common numbering,
- Review all the sections in v3,
- Create a more readable guide, eliminating some sections that are not
- Insert new testing techniques: HTTP Verb tampering, HTTP Parameter
- Rationalize some sections as Session Management Testing,
- Debate if create a new section: Client side security and Firefox
I think that step I is really important because v3 is a stable
version, really wide adopted because it describes a comprehensive
methodology based of a set of vulnerability list:
We need to update this list before start with a new version.
Then I see another problem: we need that all the OWASP Guides (Top10,
DevGuide, CodeRG, TestingG) talk the same language.
For example: OWASP Top10 2010 talks about "Failure to Restrict URL
Access" and we do not have that in the TG list.
So I think we need a common basis for all the guides and with Anurag
and Eoin we started the OWASP Common Vulnerability List.
We are debating the list for 3 months, so now it's time to close the
project and public the first version.
I think OWASP Summit is the right place for that.
Summarizing, at the OWASP Summit:
- We will have to define the first list of OWASP Common Vulnerability
list, and decide how to manage it for the future (a board could
receive all the new request of new type of vuln, then we can process
it, publish it and decide wich guide will implement it)
- Once defined that we can decide how to go on with the new issues of
the Testing Guide and plan the new version.
So please folks, put your name to the WS participants list and let discuss it:
- OWASP Common vuln list WS will opening asap
OWASP Testing Guide lead
On Fri, Jan 28, 2011 at 12:49 AM, Jim Manico <jim.manico at owasp.org> wrote:
> Hello Testers! :)
> I was just looking at:
> And noticed the front page says "next version ready in January 2011"
> May I ask what is the status of the next release?
> Jim Manico
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
More information about the Owasp-testing