[Owasp-testing] A Few Additions to Testing Guide v4

Colin Watson colin.watson at owasp.org
Tue Oct 15 16:00:03 UTC 2013


Andrew and Matt

I have updated:

   https://www.owasp.org/index.php/Testing:_Conduct_search_engine_discovery/reconnaissance_for_information_leakage_(OTG-INFO-001)

   https://www.owasp.org/index.php/Test_Application_Platform_Configuration_(OTG-CONFIG-002)


and created first drafts for:

   https://www.owasp.org/index.php/Testing_for_Weaker_authentication_in_alternative_channel_(OTG-AUTHN-010)

   https://www.owasp.org/index.php/Test_defenses_against_application_mis-use_(OTG-BUSLOGIC-011)

   https://www.owasp.org/index.php/Test_time_synchronisation_(OTG-LOG-001)

   https://www.owasp.org/index.php/Test_user-viewable_log_of_authentication_events_(OTG-LOG-002)

If you don't want a Logging section, I think LOG-001 could be moved to
Business Logic Testing, and LOG-002 to Authentication Testing.  Note
that logging is also discussed in OTG-CONFIG-002.

I wasn't sure if I got the default headings correct as there seems to
be some differences across the tests. And I may not be consistent with
my use of "website", "web application" and "application". The case of
some test names is not always the same - some sentence case and some
title case, and I wondered if it's worth tidying this up before it gets
too late.

At AppSec EU this year the opening keynote was given by Angela Sasse.
She suggested that "Security measures that waste users' time" should
be one of the OWASP Top Ten because they undermine security. Should we
have a test description for this based on Angela's presentation?

   https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal/high_quality/OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4

Colin
