[Owasp-testing] v5 Plan?

Matteo Meucci matteo.meucci at owasp.org
Tue Jun 6 09:09:10 UTC 2017


Hi,

Sorry for the delay.

Thanks to Dinis, we now have a GitHub repository here:

https://github.com/OWASP/OWASP-Testing-Guide-v5

Please, let's start contributing new ideas!

Who will be present next week at the OWASP Summit?

Thanks,

Mat

On 30/05/2017 12:42, Safuat Hamdy wrote:
>
> Hello Matteo,
>
> I wonder what is happening regarding the v5 deadlines. I can't see any
> activity (at least here on the list). I applied for an OWASP account
> for the wiki but didn't receive any reaction, so I can't upload
> anything (I can't see any activity in the wiki, anyway). So I would
> like to know how to proceed.
>
> As I told you some time ago I have compiled a mapping between several
> methodologies (such as OTGv4, ASVS L1, and Web App Hacker’s Handbook)
> and weakness and attack enumerations (such as Top Ten, CWE/SANS Top 25
> and CAPEC). Based on that I wrote a proposal outline for v5. (I am
> currently conducting a web app test based on the proposal, as a proof
> of concept.) Now, what should I do with this and how is OTGv5 going to
> proceed? Shall I send my proposal to you so that you can post it
> somewhere? Especially, since I cannot attend the OWASP Summit there
> needs to be a hand-over (if you’re interested).
>
> Let me highlight some features of my proposal:
>
> 1. I do not distinguish between greybox and blackbox testing - in my
> view tests with more insight are ASVS, and the Testing Guide should be
> strictly for pentesting. There is no need to duplicate content between
> the two (although ASVS 3.0.1 L1 overlaps greatly with OTGv4, and as
> far as I understand ASVS 3.1 L1 and OTGv5 could perfectly match)
>
> 2. INFO is pure information
> gathering/discovery/reconnaissance/enumeration... whatever you want to
> call it. Every "standard check" that a pentester would reasonably make
> to explore an application is in INFO, including discovery on
> authentication, input handling, error handling and others. No verdicts
> or judgements in INFO - the results are used/evaluated in the sections
> following INFO.
>
> 3. Each section has a -099 item which is like "in this section but
> none of the above" (as MathRev does it), e.g. AUTHN-099, AUTHZ-099,
> etc. The purpose is to provide a catch-all for things that constitute
> a finding but appear in general quite rarely or are findings that are
> specific for an individual application. This way "exotic" findings
> don't need their own items but still have a space.
>
> 4. I tried to find relevant CWE entries for each (non-INFO) testing
> item - after all, if there is no weakness behind an item, what is the
> point of testing it? Yet, to my surprise, some obvious items don't
> have a CWE (e.g. using components with known weaknesses).
>
> Regards
>
> S. Hamdy
>
> --------------------------------------------------------
>
> Dr. Safuat Hamdy
>
> Security Consulting
>
> Secorvo Security Consulting GmbH
>
> Ettlinger Strasse 12-14, D-76137 Karlsruhe
>
> Tel. +49 721 255171-304, Fax +49 721 255171-100
>
> safuat.hamdy at secorvo.de, http://www.secorvo.de
>
> PGP: 6A83 EC49 8474 D77C 1258  AE91 4BB4 8DEE 952A 2506
>
> Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>
