[Owasp-testing] Test Guide changes

rick.mitchell at bell.ca rick.mitchell at bell.ca
Wed Jun 19 12:08:02 UTC 2013


Hi Andrew, have you fully updated that wiki page? Assuming yes, and having had just a quick look, here are a few concerns (some of this is from the related wiki talk page):


1) It suggests using a document code as element 1. If it's common then no document reference should be required.

2) Leading things with OCR- seems redundant and just wasteful of space (page space when printing and disk space when saving/generating reports, DBs, etc.)

I can't be sure, but to me it doesn't seem like the wiki content accounts for the mailing list discussions (though many of them were purely suggestion/consideration based and never really reached any solid conclusions):
http://lists.owasp.org/pipermail/owasp-common-numbering/
http://lists.owasp.org/pipermail/owasp-topten/2010-January/date.html#596
https://lists.owasp.org/pipermail/owasp-topten/2010-January/000585.html

[I'm sure there is other stuff on the lists as well, that was just a quick check from memory.]

My 2 cents...

Rick

From: owasp-testing-bounces at lists.owasp.org On Behalf Of Andrew Muller
Sent: June 19, 2013 7:11 AM
To: Colin Watson
Cc: owasp-testing
Subject: Re: [Owasp-testing] Test Guide changes

Hi Colin,
It's not detailed, and it doesn't include some of the categories we've included in the Test Guide, but the body of it is captured at https://www.owasp.org/index.php/OWASP_Common_Numbering_Project


Andrew

On Wed, Jun 19, 2013 at 8:16 PM, Colin Watson <colin.watson at owasp.org> wrote:
Andrew

> 1) Common Numbering - I've leveraged work done by Dave Wichers and Andrew vd Stock in relation to this and started migrating OWASP test cases into a new numbering scheme that aligns with their earlier work.
Could you provide the schema and some examples of how these look please?

Colin



On 14 June 2013 04:51, Andrew Muller <andrew.muller at owasp.org> wrote:
> Hi folks,
>
>   As I've recently been appointed as Matteo's Test Guide wingman I thought I
> would introduce some things I've been working on in relation to the Test
> Guide.
>
>
>
> The brainstorming is largely complete and we've started reviewing the
> efficacy of test cases. You'll see some suggested ones have disappeared or
> changed categories. There were some very cool suggestions that I'd recommend
> folks consider during testing (e.g. prod data in pre-prod) but reflect
> procedural vulnerabilities rather than software vulnerabilities. Where
> possible I've retained the existing test case wording to reduce the stress
> of transitioning from v3 to v4, but there are some significant changes. The
> major changes include:
>
>
>
> 1) Common Numbering - I've leveraged work done by Dave Wichers and Andrew vd
> Stock in relation to this and started migrating OWASP test cases into a new
> numbering scheme that aligns with their earlier work. The new scheme is
> based on defining security control categories and then defining test cases
> that test for vulnerabilities related to each control category. However,
> you'll find that some of these categories relate to technology rather than a
> security control. The inconsistent application of this principle was done in
> the interests of usability and familiarity.
>
>
>
> 2) Test Case template - I've been working on creating a test case template
> that makes understanding, executing, responding to and reporting tests
> easier and more consistent.
>
> For example, it would be helpful if test cases were titled according to:
>
> [Verb] [Object] for [Vulnerability] (e.g. "Test Inputs for SQL Injection")
>
> It would also be helpful to describe a test case by addressing:
>
> a) summary of vulnerability,
>
> b) summary of test,
>
> c) objective of test,
>
> d) how to test,
>
> e) example of test,
>
> f) tools,
>
> g) references to the Dev Guide for fixing the issue, and
>
> h) vulnerability references.
>
> I'm not inclined to change the legacy test case titles just yet, but I ask
> contributors to consider formatting the content of test cases in this way.
>
>
>
> 3) New control categories - Identity Management, Error Handling,
> Cryptography, Logging and Client-side security have emerged that better
> categorise existing and new test cases. As with the existing test
> cases, not all will apply to every engagement, but we should aim to be as
> comprehensive as possible.
>
>
>
> 4) Above all, we're not suggesting you stick to the OWASP list of test
> cases. Generic test cases will only get us so far, and it is imperative that
> security testers develop their own test cases for functionality that is
> either highly specific or absent from the OWASP test case list. The Test
> Guide is the starting point, not the finishing point. But we hope that
> you'll be able to apply the methodology and templates to these as yet
> unknown test cases. If you develop a test case you think is particularly
> relevant then please consider submitting it to the Test Guide.
>
>
>
> Many thanks to the army of contributors for giving their knowledge and
> experience. There is an incredible amount of expertise out there and it
> shows in the very high quality updates to the test cases.
>
> I believe many of the changes will serve to improve the quality of the
> Guide, but I'm open to feedback on any of the changes to the Test Guide.
>
>
>
> regards,
>
>
>
>   Andrew
>
>
>
>
>
