[Owasp-testing] Relation between OWASP ASVS and testing guide

Herman Stevens herman at astyran.com
Tue May 21 07:13:55 UTC 2013


A while ago I posted the following; hopefully it can help:

* http://blog.astyran.sg/2011/06/real-world-against-owasp-asvs.html

* http://blog.astyran.sg/2012/03/mapping-skies-owasp-asvs-against.html

Unfortunately, I never finished the complete mapping. I believe that people are working on new versions of the ASVS and the Testing Guide.

In my vision, the ASVS should only include things that are _directly_ relevant for security. Anything that is a "nice to have" should not be included, since business managers will question the purpose (why put any money into that?). Anything that cannot be reliably tested should be tossed out too.



From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of false
Sent: Tuesday, 21 May, 2013 3:01 PM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Relation between OWASP ASVS and testing guide

I have studied a little about both the OWASP Testing Guide and the OWASP ASVS. I found that the Testing Guide is more practical and it provides real test cases and guidelines for testing, but the ASVS is better for business purposes and for describing different levels of testing for pricing and contract description, but it does not provide any details about how we must verify requirements...

Now I am confused about this: there is a gap between these two guidelines when applying security testing for business purposes... Are there any guidelines to specify and resolve this gap?
