[Owasp-testing] Testing Guide V4 - Start up

David Fern dfern at verizon.net
Sat Sep 8 22:39:49 UTC 2012


I agree; here are some process items I have from v3:

Section 1 – Testing Techniques Explained – Page 19
    Although Black, Grey, White Box testing is addressed in the document and these are common terms, should they be defined?
    Should the concept of automated static and dynamic testing be addressed?

Section 1 – Testing Techniques Explained – Page 20 Threat Modeling
    Should this link to the OWASP Threat Risk Modeling page?
    https://www.owasp.org/index.php/Threat_Risk_Modeling

Section 1 – Testing Techniques Explained – Page 26 – Security Requirements Validation
    Could it be mentioned that the list of controls in Section 4 could be used as “global” requirements in addition to the “specific” requirements specified in the application requirements? All may not be applicable for all applications.

Section 1 – Testing Techniques Explained – Page 36
    Would this be a good place to discuss the OWASP Risk Rating, which is included in detail on page 325?
    https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

Section 3 – The OWASP Testing Framework – Page 40
    Should Open SAMM be mentioned here?
    https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

Section 3 – The OWASP Testing Framework – Phase 2: During Definition and Design – Page 41
    Should ESAPI be mentioned here as a best practice?
    https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

    Should references to coding standards be given, for example CERT:
    https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards;jsessionid=A9B9B2080B83DEEB21CE15B1415CEDD9
    https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard
    https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices

Section 3 – The OWASP Testing Framework – The Phases, especially 4 and 5 – Page 43
    I would like to see some more details, guidance and checklists of what exactly to do and check.

Section 3 – The OWASP Testing Framework – OWASP Testing Framework Work Flow – Page 45
    All work tasks do not seem to be included in this section; for example, the section details do not include “Unit and System Tests” and “Acceptance Tests” in the Deployment part of this section on page 43 or 44.

Section 4 – Web Application Penetration Testing – Chart – Page 47
    Would it be possible to add another column linking to the specific OWASP Top 10? My reasoning is that someone may say they will test to the OWASP Top 10, so they need a good list.

Section 4 – Web Application Penetration Testing
    It seems like the test types have Grey Box, White Box and Black Box, but it is not consistent. I think all should probably include all 3 types and, if one is not applicable, state it.

Appendix A: Testing Tools
    Should WebInspect be added to the Commercial Black Box Testing Tools?

    Should there be an Acceptance Testing Tools – Commercial section for tools such as:
        HP Quick Test Professional
        IBM Rational Robot
        Etc.

    Should the BuildSecurityIn web site be added to the “Useful Websites” section?
        https://buildsecurityin.us-cert.gov/bsi/home.html

    Should the Web Service testing tool soapUI be added?
        http://www.soapui.org/Security/getting-started.html

Thanks,
David :)

________________________________
 From: Ismael Rocha <ismaelrocha.projetos at gmail.com>
To: Matteo Meucci <matteo.meucci at owasp.org> 
Cc: owasp-testing at lists.owasp.org 
Sent: Friday, September 7, 2012 6:26 PM
Subject: Re: [Owasp-testing] Testing Guide V4 - Start up
  

Hello.
I know we've been focused on testing list but I have some comments for other sections.
a) About the Web Application Penetration Testing
Talking about the Web Application Penetration Testing (chapter 4), I suggest we improve the section with some explanations. 
4. Web Application Penetration testing
4.1 Introduction and Objectives
 -> Introduce about typical penetration test phases 
  Here we would have an overview of a typical pen-test, divided into 4 phases.
  1) Plan
   This part basically talks about how to plan a penetration test
   -> Types of the Test (maybe the explanation about types of test could be fit in a section in the beginning of the testing guide)
    -> Black Box
    -> White Box
    -> Gray Box
   -> Viewpoint
    -> External
    -> Internal
   -> Scope
    -> http://www.targetedapp.com
   -> Restrictions
    -> List of all restrictions (e.g. do not perform DoS, social engineering)
  2) Discovery
   -> Information Gathering
   -> Vulnerability Analysis
  3) Attack
   -> Attack itself
  4) Report
   -> Last Phase of a penetration test (chapter 5 writing report)
 

b) About the paragraph of the testing cases:
One of the goals of this version is to make the Testing Guide more readable. I think we need to define common subsections present in all testing cases.
Then all testing cases would have the same sections and formats. I already suggested having the checklist (questions) in a pre-defined subsection inside each
testing case. If we have the checklist in a table format, we could collect them and put them into a big table that could be printed and checked.
For example:
4.5.4 Testing for Exposed Session Variables (OWASP-SM-004)
 4.5.4.2   Brief Summary
 4.5.4.3   Description of the issue
 4.5.4.4   Related security activities
 4.5.4.5   Threats
 4.5.4.6   Countermeasures
 4.5.4.7   Testing
    -> Black Box 
            -> Technique 1
            -> Results expected
    -> Gray Box
             ....
    -> White Box
             ....
 4.5.4.8   Checklist
   ---------------------------------------------------------------------------
   | OWASP-SM-004                               | Black Box | White Box | Gray Box |
   ---------------------------------------------------------------------------
   | 1. Cache-control defined to no-cache       |           |           |          |
   ---------------------------------------------------------------------------
   | 2. Different session token after login     |           |           |          |
   ---------------------------------------------------------------------------
 4.5.4.9    References
 4.5.4.10  Tools
We can also have a box called tips in each section with some tips highlighted.

Regards.

Ismael Gonçalves


On Thu, Sep 6, 2012 at 4:22 AM, Matteo Meucci <matteo.meucci at owasp.org> wrote:

>Great Luca!
>
>Thanks,
>Mat
>
>
>On 09/04/2012 07:29 PM, Luca Carettoni wrote:
>> On Thu, 2012-08-30 at 22:44 +0200, Matteo Meucci wrote:
>>> My idea is also to contact the authors of the new testing techniques
>>> asking for their contributions.
>>>
>>> So for example I wish that for HTTP Verb Tampering, Arshan could help
>>> and for HTTP Parameter pollution, Stefano and Luca can give us the
>>> better contents.
>>
>> Sure! Feel free to add my name on the list.
>> Actually, me and Stefano have already something drafted on HPP that has
>> been written during our research.
>>
>> Cheers,
>> Luca
>>
>
>
>_______________________________________________
>Owasp-testing mailing list
>Owasp-testing at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-testing
>


-- 
Ismael Gonçalves
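One way the two OWASP-SM-004 checklist rows above could be evaluated mechanically against captured HTTP responses, as an added example that is not part of this thread or of the Testing Guide; the response headers and the cookie name SESSIONID are constructed sample data.

```python
"""Evaluate the two OWASP-SM-004 checklist rows over recorded response headers.

Headers are kept as (name, value) pairs so repeated Set-Cookie lines survive.
All data below is constructed for illustration, not captured from a real site.
"""

PRE_LOGIN = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
]
POST_LOGIN_WEAK = [                      # fails both rows
    ("Content-Type", "text/html"),
    ("Cache-Control", "public, max-age=3600"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),   # token reused
]
POST_LOGIN_GOOD = [                      # passes both rows
    ("Content-Type", "text/html"),
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Set-Cookie", "SESSIONID=zzz999; Path=/; Secure; HttpOnly"),  # rotated
]


def header_values(headers, name):
    """All values of a header, matched case-insensitively on the name."""
    return [v for n, v in headers if n.lower() == name.lower()]


def cache_control_is_no_cache(headers):
    """Row 1: some Cache-Control header carries the no-cache directive."""
    for value in header_values(headers, "Cache-Control"):
        directives = {d.strip().lower() for d in value.split(",")}
        if "no-cache" in directives:
            return True
    return False


def session_token(headers, cookie_name):
    """Value of the named cookie from the Set-Cookie headers, or None."""
    for value in header_values(headers, "Set-Cookie"):
        name, _, val = value.split(";", 1)[0].partition("=")
        if name.strip() == cookie_name:
            return val.strip()
    return None


def evaluate_checklist(pre_login, post_login, cookie_name):
    """Row 2 compares the session token before and after authentication."""
    before = session_token(pre_login, cookie_name)
    after = session_token(post_login, cookie_name)
    return {
        "1. Cache-control defined to no-cache": cache_control_is_no_cache(post_login),
        "2. Different session token after login": (
            before is not None and after is not None and before != after
        ),
    }
```

Run `evaluate_checklist(PRE_LOGIN, POST_LOGIN_WEAK, "SESSIONID")` and the hardened variant to see one verdict per checklist row.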
