[Owasp-testing] Testing Guide V4 - Start up

Juan Galiana jgaliana at owasp.org
Thu Sep 13 08:46:33 UTC 2012


I've moved "Directory traversal/file include" from Authentication to
Authorization as this section is more appropriate.

And I've added HTML5 as a subsection of Client Side Testing to cover
specific vulnerabilities of HTML5 like XMLHttpRequest Level 2
cross-domain security issues.

I wrote my name under some sections too.

On 12/09/2012 12:53, Ismael Rocha wrote:
> Hello all.
>
> That's exactly what I've tried to point out.
> The risk I presented on that table is based on business impact and not
> only on technical impact. Then it's not easy to add it to Cheat Sheet.
> It's an example from a report I've presented.
> Even the likelihood is different according to the application assessed
> and it makes the risk different from customer to customer.
> Our thoughts are aligned.
>
> Jim.
>
> Maybe we can add a Cheat Sheet talking about how to classify risks
> based on OWASP Risk Rating Methodology. We can also discuss this cheat
> sheet in other forum.
>
> Best Regards.
>
> Ismael Gonçalves
>
> On Wed, Sep 12, 2012 at 7:59 AM, Dirk Wetter <dirk.wetter at owasp.org
> <mailto:dirk.wetter at owasp.org>> wrote:
>
>
>     Hi there,
>
>     Am 09/12/2012 12:30 PM, schrieb Ismael Rocha:
>     > Hello Jim.
>     >
>     > I'm thinking about a good way to add it because the risk I've
>     put in the
>     > table is also calculated based on business impact, then an XSS
>     flaw once
>     > exploited for example has a different impact according to the
>     business.
>
>     you folks mean probably technical impact?
>
>     "The business impact stems from the technical impact, but requires a
>     deep understanding of what is important to the company running the
>     application. " according to OWASP risk rating methodology.
>
>     For one company availability or reputation can have a huge impact
>     and they care less about SQL injection because (e.g. no information
>     of users are affected) whereas for others the opposite is true.
>
>     If you don't understand the business model of a particular institution,
>     you cannot estimate their business risks, only technical ones.
>
>     Best, Dirk
>
>
>
>     >
>     > Regards.
>     >
>     > Ismael Gonçalves
>     >
>     > On Sun, Sep 9, 2012 at 5:02 PM, Jim Manico <jim.manico at owasp.org
>     <mailto:jim.manico at owasp.org>
>     > <mailto:jim.manico at owasp.org <mailto:jim.manico at owasp.org>>> wrote:
>     >
>     >     Can you add the risk column to the cheat sheet?? :)
>     >
>     >     --
>     >     Jim Manico
>     >     VP, Security Architecture
>     >     WhiteHat Security
>     >     (808) 652-3805 <tel:%28808%29%20652-3805>
>     <tel:%28808%29%20652-3805>
>     >
>     >     On Sep 9, 2012, at 7:52 AM, Ismael Rocha
>     >     <ismaelrocha.projetos at gmail.com
>     <mailto:ismaelrocha.projetos at gmail.com>
>     >     <mailto:ismaelrocha.projetos at gmail.com
>     <mailto:ismaelrocha.projetos at gmail.com>>> wrote:
>     >
>     >>     Hello David.
>     >>
>     >>     I worked in the Top Ten Cheatsheet to make the link between Top
>     >>     Ten and Testing Guide.
>     >>     https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
>     >>
>     >>     Here is a table I've been providing in reports about analysis
>     >>     based on Top Ten. The calculations of the risk are also
>     based on
>     >>     OWASP Testing Guide - Risk Methodology and the business impact
>     >>     factors are adapted according to the customer.
>     >>
>     >>
>
>
>


-- 
Juan Galiana
