[Owasp-testing] Testing Guide V4 - Start up

Jim Manico jim.manico at owasp.org
Sun Sep 9 20:02:35 UTC 2012


Can you add the risk column to the cheat sheet?? :)

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Sep 9, 2012, at 7:52 AM, Ismael Rocha <ismaelrocha.projetos at gmail.com>
wrote:

Hello David.

I worked on the Top Ten Cheat Sheet to make the link between the Top Ten and
the Testing Guide.
https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

Here is a table I've been providing in reports on analyses based on the Top
Ten. The risk calculations are also based on the OWASP Testing Guide risk
methodology, and the business impact factors are adapted according to the
customer.


  Item OWASP Top Ten                           | Id | Vulnerability                              | OWASP Testing Guide Item | Risk
  ---------------------------------------------|----|--------------------------------------------|--------------------------|---------
  A1 – Injection                               | 01 | SQL Injection                              | OWASP-DV-005             | Critical
  A2 – Cross-Site Scripting                    | 02 | Cross-site scripting                       | OWASP-DV-001             | Medium
  A6 – Security misconfiguration               | 03 | Old version PHP                            | OWASP-CM-003             | High
                                               | 04 | Server vulnerable to Slow HTTP             | OWASP-CM-003             | High
                                               | 05 | Administrative interfaces found            | OWASP-CM-007             | High
  A7 – Insecure cryptographic storage          | 06 | Password stored with hash and without salt | -                        | Medium
  A9 – Insufficient Transport Layer Protection | 07 | Insecure channel for authentication        | OWASP-AT-001             | High


Regards.

Ismael Gonçalves
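The Risk column in the table above comes from the OWASP Risk Rating Methodology, the risk method the Testing Guide references: eight likelihood factors and four impact factors are scored 0-9, averaged, mapped to LOW/MEDIUM/HIGH, and combined in a fixed severity matrix. The following Python is an added example, not code from the thread or from OWASP; the factor names and the matrix are the methodology's, while the per-finding scores for rows 01 and 02 are illustrative values chosen to reproduce the Critical and Medium ratings, not numbers from a real report.

```python
"""OWASP Risk Rating Methodology, as used for the Risk column of a Top Ten
findings table.  Hypothetical example: factor names and the severity matrix
follow the methodology; the per-finding scores below are constructed."""

# Likelihood: four threat-agent factors and four vulnerability factors, 0-9 each.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Impact: technical factors (always scorable by the tester) and business
# factors (the ones adapted per customer), 0-9 each.
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity: SEVERITY[impact_level][likelihood_level].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def level(score):
    """Map a 0-9 average to LOW (<3), MEDIUM (3 to <6) or HIGH (6 to 9)."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average {score} outside 0-9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores, names):
    """Plain average of the named factors; refuse to rate with a factor missing or out of range."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise KeyError(f"unscored factors: {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"{n}={scores[n]} outside 0-9")
    return sum(scores[n] for n in names) / len(names)


def rate(scores, use_business_impact=True):
    """Return likelihood, impact and the overall severity word for one finding.

    Business impact is used when the customer has supplied those factors;
    the technical factors are the fallback the methodology allows."""
    impact_names = BUSINESS_IMPACT_FACTORS if use_business_impact else TECHNICAL_IMPACT_FACTORS
    likelihood = average(scores, LIKELIHOOD_FACTORS)
    impact = average(scores, impact_names)
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "severity": SEVERITY[level(impact)][level(likelihood)],
    }


# Constructed scores for rows 01 and 02 of the table (illustrative, not from a report).
SQLI = {  # row 01: anonymous internet users, automated tools, public knowledge, not logged
    "skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 9,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 7, "loss_of_accountability": 9,
    "financial_damage": 9, "reputation_damage": 9, "non_compliance": 7, "privacy_violation": 9,
}
XSS = {  # row 02: needs a victim to click, logged and reviewed, modest business impact
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 3,
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 3,
    "financial_damage": 3, "reputation_damage": 5, "non_compliance": 2, "privacy_violation": 5,
}

if __name__ == "__main__":
    for fid, name, scores in (("01", "SQL Injection", SQLI), ("02", "Cross-site scripting", XSS)):
        r = rate(scores)
        print(f"{fid} {name:22s} L={r['likelihood']:.2f} ({r['likelihood_level']}) "
              f"I={r['impact']:.2f} ({r['impact_level']}) -> {r['severity']}")
```

With these scores the SQL injection row averages likelihood 8.0 and business impact 8.5 (both HIGH), giving Critical; the XSS row averages 5.5 and 3.75 (both MEDIUM), giving Medium. Switching `use_business_impact` to `False` rates the same findings on technical impact only, which is what a tester falls back to before the customer has supplied business factors.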

On Sat, Sep 8, 2012 at 7:32 PM, David Fern <dfern at verizon.net> wrote:
> I agree here are some process items I have from v3:
>
> Section 1 – Testing Techniques Explained – Page 19
>             Although Black, Grey and White Box testing are addressed in the
>             document and are common terms, should they be defined?
>
>             Should the concept of Automated Static and dynamic testing be
> addressed?
> Section 1 – Testing Techniques Explained - Page 20 Threat Modeling
>
> Should this link to the OWASP Threat Risk Modeling page?
> https://www.owasp.org/index.php/Threat_Risk_Modeling
>
> Section 1 – Testing Techniques Explained – Page 26 – Security Requirements
> Validation
> Could it be mentioned that the list of controls in Section 4 could be used
> as “global” requirements in addition to the “specific” requirements
> specified in the application requirements? All may not be applicable for
> all applications.
>
> Section 1 – Testing Techniques Explained – Page 36
>
>             Would this be a good place to discuss the OWASP Risk Rating
>             https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
>             Which is included in page 325 in detail
>
> Section 3 – The OWASP Testing Framework – Page 40
>
>             Should Open SAMM be mentioned here
>
> https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model
>
> Section 3 – The OWASP Testing Framework – Phase 2: During Definition and
> Design - Page 41
>
>             Should ESAPI be mentioned here as a best practice?
>
> https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
>             Should references to coding standards be given, for example
>             CERT:
> https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards;jsessionid=A9B9B2080B83DEEB21CE15B1415CEDD9
> https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard
> https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
>
> Section 3 – The OWASP Testing Framework – The Phases, especially 4 and 5 –
> Page 43
>
>             I would like to see some more details, guidance and checklists
>             on what exactly to do and check
>
> Section 3 – The OWASP Testing Framework – OWASP Testing Framework Work Flow
> – Page 45
>
> All work tasks do not seem to be included in this section, for example the
> section details do not include “Unit and System Tests” and “Acceptance
> Tests” in the Deployment part of this section on page 43 or 44.
>
> Section 4 - Web Application Penetration Testing – Chart - page 47
>
>             Would it be possible to add another column  linking to the
> specific OWASP top 10. My reasoning is that someone may say they will test
> to the OWASP top 10. So they need a good list.
>
> Section 4 - Web Application Penetration Testing
>
>             It seems like the test types have Grey Box, White Box and Black
>             Box, but it is not consistent. I think all should probably
>             include all 3 types and, if one is not applicable, state it.
>
> Appendix A: Testing Tools
>
>             Should WebInspect be added to the Commercial Black Box Testing
> Tools?
>
> Should there be an acceptance Testing Tools – Commercial section for tools
> such as:
>             HP Quick Test Professional
>                         IBM Rational Robot
>                         Etc.
>
>             Should the BuildSecurityin web site be added to the “Useful
> Websites” section?
>                         https://buildsecurityin.us-cert.gov/bsi/home.html
>
>             Should the Web Service testing tool soapUI be added?
>             http://www.soapui.org/Security/getting-started.html
>
> Thanks,
> David :)
>
> From: Ismael Rocha <ismaelrocha.projetos at gmail.com>
> To: Matteo Meucci <matteo.meucci at owasp.org>
> Cc: owasp-testing at lists.owasp.org
> Sent: Friday, September 7, 2012 6:26 PM
>
> Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
>
> Hello.
> I know we've been focused on the testing list but I have some comments for
> other sections.
> a) About the Web Application Penetration Testing
> Talking about the Web Application Penetration Testing (chapter 4), I
> suggest we improve the section with some explanations.
> 4. Web Application Penetration testing
> 4.1 Introduction and Objectives
>  -> Introduce the typical penetration test phases
>   Here we would have an overview of a typical pen-test, divided into 4
> phases.
>   1) Plan
>    This part basically talks about how to plan a penetration test
>    -> Types of Test (maybe the explanation about types of test could
>       fit in a section at the beginning of the testing guide)
>     -> Black Box
>     -> White Box
>     -> Gray Box
>    -> Viewpoint
>     -> External
>     -> Internal
>    -> Scope
>     -> http://www.targetedapp.com
>    -> Restrictions
>     -> List of all restrictions (e.g. do not perform DoS, social
> engineering)
>   2) Discovery
>    -> Information Gathering
>    -> Vulnerability Analysis
>   3) Attack
>    -> Attack itself
>   4) Report
>    -> Last Phase of a penetration test (chapter 5 writing report)
>
>
> b) About the paragraphs of the testing cases:
> One of the goals of this version is to make the Testing Guide more
> readable. I think we need to define common subsections present in all
> testing cases. Then, all testing cases would have the same sections and
> formats. I already suggested having the checklist (questions) in a
> pre-defined subsection inside each testing case. If we have a checklist in
> a table format, we could gather them and put them into a big table that
> could be printed and checked.
> For example:
> 4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
>  4.5.4.2   Brief Summary
>  4.5.4.3   Description of the issue
>  4.5.4.4   Related security activities
>  4.5.4.5   Threats
>  4.5.4.6   Countermeasures
>  4.5.4.7   Testing
>     -> Black Box
>             -> Technique 1
>             -> Results expected
>     -> Gray Box
>              ....
>     -> White Box
>              ....
>  4.5.4.8   Checklist
>
>
>    ---------------------------------------------------------------------------
>    | OWASP-SM-004                              | Black Box | White Box | Gray Box |
>    ---------------------------------------------------------------------------
>    | 1. Cache-control defined to no-cache      |           |           |          |
>    ---------------------------------------------------------------------------
>    | 2. Different session token after login    |           |           |          |
>    ---------------------------------------------------------------------------
>  4.5.4.9    References
>  4.5.4.10  Tools
> We can also have a box called tips in each section with some tips
> highlighted.
> Regards.
>
> Ismael Gonçalves
>
> On Thu, Sep 6, 2012 at 4:22 AM, Matteo Meucci <matteo.meucci at owasp.org>
> wrote:
>
> Great Luca!
>
> Thanks,
> Mat
>
> On 09/04/2012 07:29 PM, Luca Carettoni wrote:
>> On Thu, 2012-08-30 at 22:44 +0200, Matteo Meucci wrote:
>>> My idea is also to contact the authors of the new testing techniques
>>> asking for their contributes.
>>>
>>> So for example I wish that for HTTP Verb Tampering, Arshan could help
>>> and for HTTP Parameter pollution, Stefano and Luca can give us the
>>> better contents.
>>
>> Sure! Feel free to add my name on the list.
>> Actually, me and Stefano have already something drafted on HPP that has
>> been written during our research.
>>
>> Cheers,
>> Luca
>>
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
>
>
> --
> Ismael Gonçalves
>
>
>



-- 
Ismael Gonçalves

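The OWASP-SM-004 checklist drafted in Ismael's Sept 7 message lists two rows, "Cache-control defined to no-cache" and "Different session token after login", that are simple enough to check mechanically from the responses a proxy records. The following Python is an added example, not code from the thread or from the Testing Guide: it evaluates both rows against a pre-login and a post-login response. The header values are constructed for the example, and the list of session cookie names is an assumption a tester would adjust per application.

```python
"""Automated pass/fail for the two OWASP-SM-004 checklist rows: (1) the
response that carries session data sets Cache-Control: no-cache (no-store is
also accepted) and (2) the session token issued after login differs from the
one issued before.  Hypothetical example; the headers below are constructed,
not captured from a real application."""
from http.cookies import SimpleCookie

# Constructed samples: the pre-login page and the response that completes the
# login.  In a real test these are taken from the intercepting proxy.
PRE_LOGIN_HEADERS = {
    "Cache-Control": "private, max-age=3600",
    "Set-Cookie": "JSESSIONID=abc123; Path=/; HttpOnly",
}
POST_LOGIN_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Set-Cookie": "JSESSIONID=abc123; Path=/; HttpOnly",  # same token: row 2 fails
}

# Assumed cookie names that carry the session; extend for the target framework.
SESSION_COOKIE_NAMES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId")


def cache_control_is_no_cache(headers):
    """Row 1: Cache-Control must contain the no-cache (or no-store) directive."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return bool(directives & {"no-cache", "no-store"})


def session_token(headers):
    """Value of the first recognised session cookie in Set-Cookie, or None if absent."""
    jar = SimpleCookie()
    jar.load(headers.get("Set-Cookie", ""))
    for name in SESSION_COOKIE_NAMES:
        if name in jar:
            return jar[name].value
    return None


def session_token_rotated(pre_headers, post_headers):
    """Row 2: login must issue a new token.  No token after login counts as a
    failure too, because the pre-login token is then still the session."""
    before, after = session_token(pre_headers), session_token(post_headers)
    return after is not None and before != after


def run_checklist(pre_headers, post_headers):
    """Evaluate both rows; the dict maps the checklist row text to pass (True) or fail."""
    return {
        "1. Cache-control defined to no-cache": cache_control_is_no_cache(post_headers),
        "2. Different session token after login": session_token_rotated(pre_headers, post_headers),
    }


if __name__ == "__main__":
    for row, ok in run_checklist(PRE_LOGIN_HEADERS, POST_LOGIN_HEADERS).items():
        print(f"{row:42s} {'PASS' if ok else 'FAIL'}")
```

On the constructed samples row 1 passes and row 2 fails, since the server kept `JSESSIONID=abc123` across the login; that is the session fixation condition the checklist row exists to catch. The row text is used as the dictionary key so the results can be dropped straight into the printable table the message proposes.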

