[Owasp-testing] Test Guide changes

Colin Watson colin.watson at owasp.org
Wed Jun 19 10:16:01 UTC 2013


Andrew

> 1) Common Numbering - I've leveraged work done by Dave Wichers and Andrew vd Stock in relation to this and started migrating OWASP test cases into a new numbering scheme that aligns with their earlier work.

Could you provide the schema and some examples of how these look please?

Colin



On 14 June 2013 04:51, Andrew Muller <andrew.muller at owasp.org> wrote:
> Hi folks,
>
>   As I've recently been appointed as Matteo's Test Guide wingman I thought I
> would introduce some things I've been working on in relation to the Test
> Guide.
>
> The brainstorming is largely complete and we've started reviewing the
> efficacy of test cases. You'll see some suggested ones have disappeared or
> changed categories. There were some very cool suggestions that I'd recommend
> folks consider during testing (e.g. prod data in pre-prod) but reflect
> procedural vulnerabilities rather than software vulnerabilities. Where
> possible I've retained the existing test case wording to reduce the stress
> of transitioning from v3 to v4, but there are some significant changes. The
> major changes include:
>
> 1) Common Numbering - I've leveraged work done by Dave Wichers and Andrew vd
> Stock in relation to this and started migrating OWASP test cases into a new
> numbering scheme that aligns with their earlier work. The new scheme is
> based on defining security control categories and then defining test cases
> that test for vulnerabilities related to each control category. However,
> you'll find that some of these categories relate to technology rather than a
> security control. The inconsistent application of this principle was done in
> the interests of usability and familiarity.
>
> 2) Test Case template - I've been working on creating a test case template
> that makes understanding, executing, responding to and reporting tests
> easier and more consistent.
>
> For example, it would be helpful if test cases were titled according to:
>
> [Verb] [Object] for [Vulnerability] (e.g. "Test Inputs for SQL Injection")
>
> It would also be helpful to describe a test case by addressing:
>
> a) summary of vulnerability,
>
> b) summary of test,
>
> c) objective of test,
>
> d) how to test,
>
> e) example of test,
>
> f) tools,
>
> g) references to the Dev Guide for fixing the issue, and
>
> h) vulnerability references.
>
> I'm not inclined to change the legacy test case titles just yet, but I ask
> for contributors to consider formatting the content test cases in this way.
>
> 3) New control categories - Identity Management, Error Handling,
> Cryptography, Logging and Client-side security have emerged that either
> better categorise existing and new test cases. As with the existing test
> cases, not all will apply to every engagement, but we should aim to be as
> comprehensive as possible.
>
> 4) Above all, we're not suggesting you stick to the OWASP list of test
> cases. Generic test cases will only get us so far, and it is imperative that
> security testers develop their own test cases for functionality that is
> either highly specific or absent from the OWASP test case list. The Test
> Guide is the starting point, not the finishing point. But we hope that
> you'll be able to apply the methodology and templates to these as yet
> unknown test cases. If you develop a test case you think is particularly
> relevant then please consider submitting it to the Test Guide.
>
> Many thanks to the army of contributors for giving their knowledge and
> experience. There is an incredible amount of expertise out there and it
> shows in the very high quality updates to the test cases.
>
> I believe many of the changes will serve to improve the quality of the
> Guide, but I'm open to feedback on any of the changes to the Test Guide.
>
> regards,
>
>   Andrew
>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>