[Owasp-testing] Testing Guide V4 - Start up

Roberto Suggi Liverani robertosl at owasp.org
Sun Sep 9 23:22:15 UTC 2012


Hi Matteo/all,

Good to see a lot of activity for the Testing Guide v4!

I went quickly through all comments made so far.

Here are some observations I have regarding the ToC structure and future
content:

- Web services testing: I have noticed there is a comprehensive methodology
which covers more aspects than the v3 does:
http://clawslab.nds.rub.de/wiki/index.php/Main_Page - I wonder if such
methodology should be included and/or mentioned in v4?

- Anti-CSRF mechanism testing - should that fit into the new CSRF section
or as a separate item?

- Framework application testing: dedicated section about attacks against
specific technology used in frameworks: e.g. .NET/Spring or frameworks
which require a different testing approach: e.g. Adobe Flex or Google Web
ToolKit (GWT). Do you see those as separate mini-projects or potentially to
be included in the testing guide v4?

- Client-side testing: imho we should cover testing for: Java applets,
Silverlight and ActiveX controls as well.

- Browser addons/extension testing: in the past, there was some discussion
about browser addons/plugins, e.g. Firefox addons or Chrome extensions but
I am unsure whether they should fit into the testing guide or into a
separate project, as it has been done for the mobile application testing.

My 2 cents,

Roberto Suggi Liverani (@malerisch)

- http://blog.malerisch.net

On Thu, Aug 30, 2012 at 5:40 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:

> Hi all Testing Guide contributors.
>
> Testing Guide v4 has been approved as Projects Reboot 2012!
> https://www.owasp.org/index.php/Projects_Reboot_2012
>
> Here is the list of contributors I've collected:
>
> Pavol Luptak
> Marco Morana
> Giorgio Fedon
> Stefano Di Paola
> Gianrico Ingrosso
> Giuseppe Bonfà
> Roberto Suggi Liverani
> Robert Smith
> Andrew Muller
> Robert Winkel
> tripurari rai
> Thomas Ryan
> tim bertels
> Cecil Su
> Aung KhAnt
> Norbert Szetei
> michael.boman
> Wagner Elias
> Kevin Horvat
> Juan Galiana Lara
> Kenan Gursoy
> Jason Flood
> Javier Marcos de Prado
> Sumit Siddharth
> Mike Hryekewicz
> psiinon
> Ray Schippers
> Raul Siles
> Jayanta Karmakar
> Brad Causey
> Vicente Aguilera
> Ismael Gonçalves
>
> Reviewers team:
>
> Paolo Perego
> Daniel Cuthbert
> Matthew Churcher
> Lode Vanstechelman
> Sebastien Gioria
>
>
> Introduction and Project purpose for v4:
> =======================================
> The OWASP Testing Guide v3 includes a "best practice" penetration
> testing framework which users can implement in their own organizations
> and a "low level" penetration testing guide that describes techniques
> for testing most common web application and web service security
> issues. Nowadays the Testing Guide has become the standard to perform
> a Web Application Penetration Testing and many Companies all around
> the world have adopted it.
> It is vital for the project to maintain an updated project that
> represents the state of the art for WebAppSec.
>
> Project Roadmap
> =============
>
> - (1) 1st phase: Brainstorming and create a new table of contents
>
> Objective: creating a new table of contents of the OTGv4
> assigning a task for each contributor.
> I created a new OWASP Testing Guide v4 table of Contents here:
> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>
> - (2) 2nd phase: Writing
> 20th September 2012: Start writing the articles
> 1st November 2012: 1st Draft
> 30th November: end of writing phase
>
> - (3) 3rd phase: Reviewing
>
> - 1st December 2012: Starting the review phase,
> - 15th December 2012: Create the RC1,
> - 31st January 2013: Release the version 4.
>
> Timeline November 2012 1st Draft, January 2013 Final Release
>
> So, let's start discussion about phase (1)!
>
> Thanks!
> Mat
>
> --
> Matteo Meucci
> OWASP Testing Guide Lead
> OWASP-Italy President
>