[Owasp-testing] v5 Plan?

Anant Shrivastava anant.shrivastava at gmail.com
Tue Jun 6 17:24:01 UTC 2017


Are we starting from scratch or are we updating the guide?

If updating, why not fork https://github.com/OWASP/OWASP-Testing-Guide
(older version I suppose), and then we can focus on what has changed or
needs updating.

Once the articles required are finalised, it will be easier to find people
who could contribute to those sections.

-Anant

Anant Shrivastava
Web : http://anantshri.info

On Tue, Jun 6, 2017 at 10:22 PM, Benjamin Robinson <
benjamin.robinson at gmail.com> wrote:

> I just submitted a pull request that added some headings to structure
> workload identification and put a candidate new test out there--Server-Side
> Template Injection (SSTI).
>
> On Tue, Jun 6, 2017 at 5:09 AM, Matteo Meucci <matteo.meucci at owasp.org>
> wrote:
>
>> Hi,
>>
>> sorry for the delay.
>>
>> Thanks to Dinis we have now a Github repository here:
>>
>> https://github.com/OWASP/OWASP-Testing-Guide-v5
>>
>> Please, let's start contributing the new ideas!
>>
>> Who will be present next week at the OWASP Summit?
>>
>> Thanks,
>> Mat
>>
>> On 30/05/2017 12:42, Safuat Hamdy wrote:
>>
>> Hello Matteo,
>>
>> I wonder what is happening regarding the v5 deadlines. I can’t see any
>> activity (at least here on the list). I applied for an OWASP account for
>> the wiki but didn’t receive any reaction, so I can’t upload anything (I
>> can’t see any activity in the wiki, anyway). So I would like to know how to
>> proceed.
>>
>> As I told you some time ago I have compiled a mapping between several
>> methodologies (such as OTGv4, ASVS L1, and Web App Hacker’s Handbook) and
>> weakness and attack enumerations (such as Top Ten, CWE/SANS Top 25 and
>> CAPEC). Based on that I wrote a proposal outline for v5. (I am currently
>> conducting a web app test based on the proposal, as a proof of concept.)
>> Now, what should I do with this and how is OTGv5 going to proceed? Shall I
>> send my proposal to you so that you can post it somewhere? Especially,
>> since I cannot attend the OWASP Summit there needs to be a hand-over (if
>> you’re interested).
>>
>> Let me highlight some features of my proposal:
>>
>> 1. I do not distinguish between greybox and blackbox testing - in my view
>> tests with more insight are ASVS, and the Testing Guide should be strictly
>> for pentesting. There is no need to duplicate content between the two
>> (although ASVS 3.0.1 L1 overlaps greatly with OTGv4, and as far as I
>> understand ASVS 3.1 L1 and OTGv5 could perfectly match)
>>
>> 2. INFO is pure information gathering/discovery/reconnaissance/enumeration...
>> whatever you want to call it. Every "standard check" that a pentester would
>> reasonably make to explore an application is in INFO, including discovery
>> on authentication, input handling, error handling and others. No verdicts
>> or judgements in INFO - the results are used/evaluated in the sections
>> following INFO.
>>
>> 3. Each section has a -099 item which is like "in this section but none
>> of the above" (as MathRev does it), e.g. AUTHN-099, AUTHZ-099, etc. The
>> purpose is to provide a catch-all for things that constitute a finding but
>> appear in general quite rarely or are findings that are specific for an
>> individual application. This way "exotic" findings don't need their own
>> items but still have a space.
>>
>> 4. I tried to find relevant CWE entries for each (non-INFO) testing item
>> - after all, if there is no weakness behind an item, what is the point of
>> testing it? Yet, to my surprise, some obvious items don't have a CWE (e.g.
>> using components with known weaknesses).
>>
>> Regards
>>
>> S. Hamdy
>>
>> --------------------------------------------------------
>>
>> Dr. Safuat Hamdy
>>
>> Security Consulting
>>
>> Secorvo Security Consulting GmbH
>>
>> Ettlinger Strasse 12-14, D-76137 Karlsruhe
>>
>> Tel. +49 721 255171-304, Fax +49 721 255171-100
>>
>> safuat.hamdy at secorvo.de, http://www.secorvo.de
>>
>> PGP: 6A83 EC49 8474 D77C 1258  AE91 4BB4 8DEE 952A 2506
>>
>> Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>>
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing