[Owasp-testing] [Owasp-leaders] Public release of the OWASP TESTING GUIDE v4

Dimitri Fousekis dimitri at bitcrack.net
Sun Sep 28 16:09:49 UTC 2014

English is not only my first language but I do review security documentation for grammar and “sense” as part of my day job as well, so I don’t mind giving it a detailed overview and highlighting what should be changed, if anything?

If so let me know, and whether you would like me to make notes on a separate document or do you have it in Word so I can track changes?



From: Tomas Zatko <tomas.zatko at citadelo.com>
Date: Sunday 28 September 2014 at 5:58 PM
To: Jim Manico <jim.manico at owasp.org>
Cc: Hugo Costa <hugo.costa at owasp.org>, "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>, owasp-testing <owasp-testing at lists.owasp.org>
Subject: Re: [Owasp-testing] [Owasp-leaders] Public release of the OWASP TESTING GUIDE v4

This is a very good idea. I agree.

Tomas Zatko, CISSP, CEH

On 28 Sep 2014, at 17:47, Jim Manico <jim.manico at owasp.org> wrote:

My suggestion is that we hire a professional to grammar-edit all of our primary documents like the testing guide. Such services are very reasonable in cost.

Jim Manico
(808) 652-3805

On Sep 28, 2014, at 8:43 AM, Eoin Keary <eoin.keary at owasp.org> wrote:

I've read it over the last few weeks. There are some typos still there. Before going to print shall we perform one more peer review?

Eoin Keary
Owasp Global Board
+353 87 977 2988

On 28 Sep 2014, at 16:30, Ryan Dewhurst <ryandewhurst at gmail.com> wrote:

Any news on a paperback version? (from lulu.com?)

On Wed, Sep 24, 2014 at 8:20 PM, Matteo Meucci <matteo.meucci at owasp.org> wrote:
Hi all,
thanks to the fantastic job of Hugo we just uploaded an updated version of
the Guide.

You can download it here:

And it is accessible from here:


On 17/09/2014 17:03, Andrew Muller wrote:
> Folks,
>   OWASP is proud to announce the public release of the OWASP Testing
> Guide version 4.
> As a rich and diverse security community we should be proud of the
> achievement and we'd like to thank and congratulate everyone that
> authored or reviewed the Guide.
> You'll notice several changes between v3 and v4. Some sections have been
> renamed, removed or reworked, but overall the OWASP Testing Guide
> version 4 improves on
> version 3 in three ways:
> *1.* This version of the Testing Guide integrates with the two other
> flagship OWASP documentation products: the Developers Guide and the Code
> Review Guide. To achieve this we aligned the testing categories and test
> numbering with those in other OWASP products. The objective of the
> Testing and Code Review Guides is to evaluate the security controls
> described by the Developers Guide.
> *2.* All chapters have been improved and test cases expanded to 87 (64
> test cases in v3) including the introduction of four new chapters and
> controls:
> - Identity Management Testing
> - Error Handling
> - Cryptography
> - Client Side Testing
> *3.* This version of the Testing Guide encourages the community not to
> simply accept the test cases outlined in this guide. We encourage
> security testers to integrate with other software testers and devise
> test cases specific to the target application. As we find test cases
> that have wider applicability we encourage the security testing
> community to share them and contribute them to the Testing Guide. This
> will continue to build the application security body of knowledge and
> allow the development of the Testing Guide to be an iterative rather
> than monolithic process.
> As we continue to improve our tools and documentation, we'd like to ask
> you to support OWASP to reach the following goals:
>   *Continuously improve the guide*.
> The Guide is a "live" document: we always need your feedback! Tell us
> what you love. Tell us what you love less.
> Please join our testing mailing list and share your ideas:
> http://lists.owasp.org/mailman/listinfo/owasp-testing
>   *Promote the Testing Guide*.
> We would like to have some more media coverage on the Guide, so please,
> if you know somebody that can help please put them in touch with us.
> If you have the chance, you can write an article about the Testing Guide
> and other new OWASP Projects.
>   *Add 'quotes' to the Guide*.
> We made a special 'quotes' page for the Testing Guide.
> Here we'd like you to add comments and references to the Guide.
> http://www.owasp.org/index.php/OWASP_Testing_Guide_Quotes
> The OWASP Testing Guide includes a "best practice" penetration testing
> framework which users can implement in their own organizations and a
> "low level" penetration testing guide that describes techniques for
> testing most common web application and web service security issues.
> Download or browse the Guide now from:
> - https://www.owasp.org/images/1/19/OTGv4.pdf
> - https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
> regards,
> ____________________
> *Andrew Muller*
> Canberra OWASP Chapter Leader
> OWASP Testing Guide Co-Leader

Owasp-testing mailing list
Owasp-testing at lists.owasp.org

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
