[Owasp-testing] Testing Guide V4 - Start up

Kevin Horvath kevin.horvath at gmail.com
Fri Aug 31 18:55:49 UTC 2012


There is a separate OWASP guide for mobile testing.

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project


On Fri, Aug 31, 2012 at 1:01 PM, Eoin <eoin.keary at owasp.org> wrote:
> Are we covering mobile testing at all?
> Sorry if this was mentioned already.
>
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 31 Aug 2012, at 11:28, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>
>> Hi Simon,
>> yep I agree.
>>
>> Maybe we can distinguish as follow for each paragraph:
>> - OWASP Tools:
>> (Flagship, Labs, Incubator, Archive)
>> - Other Open Source tools:
>>
>> I think that a contributor should be dedicated to verifying which tests
>> are suitable using ZAP (maybe Amro, who writes the Appendix A "Testing
>> Tools")?
>>
>> Thanks,
>> Mat
>>
>>
>>
>> On 08/31/2012 09:56 AM, psiinon wrote:
>>> I think it's right for us to suggest an open source tool (or tools) for
>>> use in each section, however I don't think we should view this as a ZAP
>>> vs WebScarab contest.
>>> We want to suggest the best possible tool, but I also think that it's
>>> reasonable for us to /prefer/ OWASP ones.
>>> But we should also favour tools that are more mature and/or more
>>> frequently updated.
>>> For OWASP tools I think we can rely on the new classifications:
>>> Flagship, Labs, Incubator, Archive.
>>> So I think it's really a sliding scale.
>>> If there's a Flagship OWASP project that is great at finding a specific
>>> type of vulnerability then we should definitely use that as the example.
>>> If not then we have to balance how relevant that tool is likely to remain.
>>> A brand new Incubator project might be great in one specific case, but
>>> may also not really be in a fit state for most people to use, or the
>>> project may quickly wither and die.
>>> And if a well regarded non OWASP open source tool is the best option
>>> then we should use that.
>>>
>>> Going back to ZAP, I obviously hope it will be the ideal tool in many
>>> cases :)
>>> And helping to establish if this is the case and explaining exactly how
>>> ZAP can be used may be the most effective way I can contribute to this
>>> guide.
>>>
>>> But I also want to use this process to learn where ZAP's weaknesses are.
>>> And depending on how long it takes to produce the guide we (the ZAP
>>> developers) may be able to enhance specific areas of ZAP as the work on
>>> the guide develops.
>>> So please let me know asap if/when you work on an area of the guide that
>>> you don't think ZAP is effective in helping with, or if you would like
>>> advice and guidance on how to use ZAP as effectively as possible.
>>>
>>> Cheers,
>>>
>>> Simon (ZAP Project Lead)
>>>
>>> On Thu, Aug 30, 2012 at 10:18 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
>>>
>>>    Perfect!
>>>    I've updated the wiki, thanks!
>>>
>>>    Mat
>>>
>>>    On 08/30/2012 11:15 PM, Amro wrote:
>>>> Thanks Mat,
>>>>
>>>> Please assign this task to me and I will make sure that our tool
>>>> sets are updated.
>>>>
>>>> Regards,
>>>> Amro
>>>> Sent from BlackBerry®. Excuse typos and brevity.
>>>>
>>>> -----Original Message-----
>>>> From: Matteo Meucci <matteo.meucci at owasp.org>
>>>> Date: Thu, 30 Aug 2012 23:11:41
>>>> To: <amro at owasp.org>
>>>> Cc: <owasp-testing-bounces at lists.owasp.org>; <owasp-testing at lists.owasp.org>
>>>> Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>>>>
>>>> Hi Amro,
>>>> good question related to the tools. Here we have to update many
>>>> references.
>>>>
>>>> Usually at the end of each article we suggest using a particular open
>>>> source tool to perform the test. I think we can use and suggest both
>>>> tools in many situations.
>>>> Also the Appendix A "Testing Tools" should collect all the testing tools
>>>> cited in the Testing Guide and give more details.
>>>>
>>>> Thanks,
>>>> Mat
>>>>
>>>> On 08/30/2012 10:58 PM, Amro wrote:
>>>>> Please count me in as well .. Are we gonna use ZAP instead of
>>>>> WebScarab in the new version?
>>>>>
>>>>> Regards,
>>>>> Amro
>>>>> Sent from BlackBerry®. Excuse typos and brevity.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Matteo Meucci <matteo.meucci at owasp.org>
>>>>> Sender: owasp-testing-bounces at lists.owasp.org
>>>>> Date: Thu, 30 Aug 2012 17:40:29
>>>>> To: <owasp-testing at lists.owasp.org>
>>>>> Subject: [Owasp-testing] Testing Guide V4 - Start up
>>>>>
>>>>> Hi all Testing Guide contributors.
>>>>>
>>>>> Testing Guide v4 has been approved as Projects Reboot 2012!
>>>>> https://www.owasp.org/index.php/Projects_Reboot_2012
>>>>>
>>>>> Here is the list of contributors I've collected:
>>>>>
>>>>> Pavol Luptak
>>>>> Marco Morana
>>>>> Giorgio Fedon
>>>>> Stefano Di Paola
>>>>> Gianrico Ingrosso
>>>>> Giuseppe Bonfà
>>>>> Roberto Suggi Liverani
>>>>> Robert Smith
>>>>> Andrew Muller
>>>>> Robert Winkel
>>>>> tripurari rai
>>>>> Thomas Ryan
>>>>> tim bertels
>>>>> Cecil Su
>>>>> Aung KhAnt
>>>>> Norbert Szetei
>>>>> michael.boman
>>>>> Wagner Elias
>>>>> Kevin Horvat
>>>>> Juan Galiana Lara
>>>>> Kenan Gursoy
>>>>> Jason Flood
>>>>> Javier Marcos de Prado
>>>>> Sumit Siddharth
>>>>> Mike Hryekewicz
>>>>> psiinon
>>>>> Ray Schippers
>>>>> Raul Siles
>>>>> Jayanta Karmakar
>>>>> Brad Causey
>>>>> Vicente Aguilera
>>>>> Ismael Gonçalves
>>>>>
>>>>> Reviewers team:
>>>>>
>>>>> Paolo Perego
>>>>> Daniel Cuthbert
>>>>> Matthew Churcher
>>>>> Lode Vanstechelman
>>>>> Sebastien Gioria
>>>>>
>>>>>
>>>>> Introduction and Project purpose for v4:
>>>>> =========================================
>>>>> The OWASP Testing Guide v3 includes a "best practice" penetration
>>>>> testing framework which users can implement in their own organizations
>>>>> and a "low level" penetration testing guide that describes techniques
>>>>> for testing the most common web application and web service security
>>>>> issues. Nowadays the Testing Guide has become the standard for performing
>>>>> a Web Application Penetration Test, and many companies all around
>>>>> the world have adopted it.
>>>>> It is vital for the project to maintain an updated guide that
>>>>> represents the state of the art for WebAppSec.
>>>>>
>>>>> Project Roadmap
>>>>> ===============
>>>>>
>>>>> - (1) 1st phase: Brainstorming and creating a new table of contents
>>>>>
>>>>> Objective: create a new table of contents for the OTGv4,
>>>>> assigning a task to each contributor.
>>>>> I created a new OWASP Testing Guide v4 table of contents here:
>>>>>
>>>>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>>>>>
>>>>> - (2) 2nd phase: Writing
>>>>> 20th September 2012: Start writing the articles
>>>>> 1st November 2012: 1st Draft
>>>>> 30th November: end of writing phase
>>>>>
>>>>> - (3) 3rd phase: Reviewing
>>>>>
>>>>> - 1st December 2012: Starting the review phase,
>>>>> - 15th December 2012: Create the RC1,
>>>>> - 31st January 2013: Release the version 4.
>>>>>
>>>>> Timeline November 2012 1st Draft, January 2013 Final Release
>>>>>
>>>>> So, let's start the discussion about phase (1)!
>>>>>
>>>>> Thanks!
>>>>> Mat
>>>>>
>>>>> --
>>>>> Matteo Meucci
>>>>> OWASP Testing Guide Lead
>>>>> OWASP-Italy President
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-testing mailing list
>>>>> Owasp-testing at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>>>>>
>>>>
>>>
>>>    --
>>>    Matteo Meucci
>>>    OWASP Testing Guide Lead
>>>    OWASP Italy President
>>>
>>>
>>>
>>>
>>> --
>>> OWASP ZAP: Toolsmith Tool of the Year 2011
>>> <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>>>
>>
>> --
>> Matteo Meucci
>> OWASP Testing Guide Lead
>> OWASP Italy President

