[Owasp-testing] Test Guide changes

Andrew Muller andrew.muller at owasp.org
Fri Jun 14 03:51:04 UTC 2013


Hi folks,

As I've recently been appointed as Matteo's Test Guide wingman, I thought
I would introduce some things I've been working on in relation to the Test
Guide.

The brainstorming is largely complete and we've started reviewing the
efficacy of test cases. You'll see some suggested ones have disappeared or
changed categories. There were some very cool suggestions that I'd
recommend folks consider during testing (e.g. prod data in pre-prod), but they
reflect procedural vulnerabilities rather than software vulnerabilities.
Where possible I've retained the existing test case wording to reduce the
stress of transitioning from v3 to v4, but there are some significant
changes. The major changes include:

1) Common Numbering - I've leveraged work done by Dave Wichers and Andrew
vd Stock in relation to this and started migrating OWASP test cases into a
new numbering scheme that aligns with their earlier work. The new scheme is
based on defining security control categories and then defining test cases
that test for vulnerabilities related to each control category. However,
you'll find that some of these categories relate to technology rather than
a security control. The inconsistent application of this principle was done
in the interests of usability and familiarity.

2) Test Case template - I've been working on creating a test case template
that makes understanding, executing, responding to and reporting tests
easier and more consistent.

For example, it would be helpful if test cases were titled according to:

[Verb] [Object] for [Vulnerability] (e.g. "Test Inputs for SQL Injection")

It would also be helpful to describe a test case by addressing:

a) summary of vulnerability,

b) summary of test,

c) objective of test,

d) how to test,

e) example of test,

f) tools,

g) references to the Dev Guide for fixing the issue, and

h) vulnerability references.

I'm not inclined to change the legacy test case titles just yet, but I ask
contributors to consider formatting the content of test cases in this way.

3) New control categories - Identity Management, Error Handling,
Cryptography, Logging and Client-side security have emerged that better
categorise existing and new test cases. As with the existing test
cases, not all will apply to every engagement, but we should aim to be as
comprehensive as possible.

4) Above all, we're not suggesting you stick to the OWASP list of test
cases. Generic test cases will only get us so far, and it is imperative
that security testers develop their own test cases for functionality that
is either highly specific or absent from the OWASP test case list. The Test
Guide is the starting point, not the finishing point. But we hope that
you'll be able to apply the methodology and templates to these as yet
unknown test cases. If you develop a test case you think is particularly
relevant then please consider submitting it to the Test Guide.

Many thanks to the army of contributors for giving their knowledge and
experience. There is an incredible amount of expertise out there and it
shows in the very high quality updates to the test cases.

I believe many of the changes will serve to improve the quality of the
Guide, but I'm open to feedback on any of the changes to the Test Guide.

regards,

  Andrew
