[Owasp-testing] Test Guide changes

Andrew Muller andrew.muller at owasp.org
Wed Jun 19 11:10:39 UTC 2013


Hi Colin,
  It's not detailed, and it doesn't include some of the categories we've
included in the Test Guide, but the body of it is captured at
https://www.owasp.org/index.php/OWASP_Common_Numbering_Project


Andrew


On Wed, Jun 19, 2013 at 8:16 PM, Colin Watson <colin.watson at owasp.org> wrote:

> Andrew
>
> > 1) Common Numbering - I've leveraged work done by Dave Wichers and
> Andrew vd Stock in relation to this and started migrating OWASP test cases
> into a new numbering scheme that aligns with their earlier work.
>
> Could you provide the schema and some examples of how these look please?
>
> Colin
>
>
>
> On 14 June 2013 04:51, Andrew Muller <andrew.muller at owasp.org> wrote:
> > Hi folks,
> >
> >   As I've recently been appointed as Matteo's Test Guide wingman I thought I
> > would introduce some things I've been working on in relation to the Test
> > Guide.
> >
> >
> >
> > The brainstorming is largely complete and we've started reviewing the
> > efficacy of test cases. You'll see some suggested ones have disappeared or
> > changed categories. There were some very cool suggestions that I'd recommend
> > folks consider during testing (e.g. prod data in pre-prod) but reflect
> > procedural vulnerabilities rather than software vulnerabilities. Where
> > possible I've retained the existing test case wording to reduce the stress
> > of transitioning from v3 to v4, but there are some significant changes. The
> > major changes include:
> >
> >
> >
> > 1) Common Numbering - I've leveraged work done by Dave Wichers and Andrew vd
> > Stock in relation to this and started migrating OWASP test cases into a new
> > numbering scheme that aligns with their earlier work. The new scheme is
> > based on defining security control categories and then defining test cases
> > that test for vulnerabilities related to each control category. However,
> > you'll find that some of these categories relate to technology rather than a
> > security control. The inconsistent application of this principle was done in
> > the interests of usability and familiarity.
> >
> >
> >
> > 2) Test Case template - I've been working on creating a test case template
> > that makes understanding, executing, responding to and reporting tests
> > easier and more consistent.
> >
> > For example, it would be helpful if test cases were titled according to:
> >
> > [Verb] [Object] for [Vulnerability] (e.g. "Test Inputs for SQL Injection")
> >
> > It would also be helpful to describe a test case by addressing:
> >
> > a) summary of vulnerability,
> >
> > b) summary of test,
> >
> > c) objective of test,
> >
> > d) how to test,
> >
> > e) example of test,
> >
> > f) tools,
> >
> > g) references to the Dev Guide for fixing the issue, and
> >
> > h) vulnerability references.
> >
> > I'm not inclined to change the legacy test case titles just yet, but I ask
> > for contributors to consider formatting the content test cases in this way.
> >
> >
> >
> > 3) New control categories - Identity Management, Error Handling,
> > Cryptography, Logging and Client-side security have emerged that better
> > categorise existing and new test cases. As with the existing test
> > cases, not all will apply to every engagement, but we should aim to be as
> > comprehensive as possible.
> >
> >
> >
> > 4) Above all, we're not suggesting you stick to the OWASP list of test
> > cases. Generic test cases will only get us so far, and it is imperative that
> > security testers develop their own test cases for functionality that is
> > either highly specific or absent from the OWASP test case list. The Test
> > Guide is the starting point, not the finishing point. But we hope that
> > you'll be able to apply the methodology and templates to these as yet
> > unknown test cases. If you develop a test case you think is particularly
> > relevant then please consider submitting it to the Test Guide.
> >
> >
> >
> > Many thanks to the army of contributors for giving their knowledge and
> > experience. There is an incredible amount of expertise out there and it
> > shows in the very high quality updates to the test cases.
> >
> > I believe many of the changes will serve to improve the quality of the
> > Guide, but I'm open to feedback on any of the changes to the Test Guide.
> >
> >
> >
> > regards,
> >
> >
> >
> >   Andrew
> >
> >
> >
> >
> >
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
>