[Owasp-topten] [Owasp-testing] Common numbering scheme/convention (formerly "top 10 & testing guide" thread)

daniel cuthbert daniel.cuthbert at owasp.org
Wed Jan 6 14:12:59 EST 2010


"Now, the testing guide numbering system isn't all gravy. =)"

that be fighting talk, sniff...

I'm not at all partial to the ASVS way of doing things, but then again I have a
certain bias to the testing guide's numbering system. At the end of the day
having a less confusing appsec world would make me happier, so if this is
the way forward, so be it.

2010/1/6 Brad Causey <bradcausey at gmail.com>

> I think that Mike is headed the right direction. We should start with
> the TG refs and sync it with the CRG. Then combine these refs with the
> ASVS, and use the ASVS to glue all else. Thoughts?
>
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will
> expend to break a code. (Robert Morris)
> --
>
>
>
> On Wed, Jan 6, 2010 at 11:58 AM, Boberski, Michael [USA]
> <boberski_michael at bah.com> wrote:
> > Maybe, let me put together a proposal, then we can speak to that. My
> > accomplishments so far on this task include responding to these emails
> and
> > eating a burger. Not there yet, for the proposal :-)
> >
> > Mike B.
> >
> > ________________________________
> > From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of Eoin
> > Sent: Wednesday, January 06, 2010 12:56 PM
> > To: Boberski, Michael [USA]
> > Cc: Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> > owasp-topten at lists.owasp.org;
> > owasp-application-security-verification-standard at lists.owasp.org
> > Subject: Re: [Owasp-testing] Common numbering scheme/convention (formerly
> > "top 10 & testing guide" thread)
> >
> > OK, but if the TG and CRG use the same numbers, as is envisaged, it is
> > really very simple rather than introducing an additional reference
> > convention, or am I barking up the wrong tree here?
> >
> >
> > 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
> >>
> >> The goal in my mind should be to make it obvious by inspection how numbers
> >> in any given document relate back to the ASVS, and for e.g. the testing
> >> guide, make it obvious by inspection how it relates back to the existing TG
> >> numbering.
> >>
> >> Mike B.
> >>
> >> ________________________________
> >> From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of
> Eoin
> >> Sent: Wednesday, January 06, 2010 12:40 PM
> >> To: Boberski, Michael [USA]
> >> Cc: Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> >> owasp-topten at lists.owasp.org;
> >> owasp-application-security-verification-standard at lists.owasp.org
> >> Subject: Re: [Owasp-testing] Common numbering scheme/convention
> (formerly
> >> "top 10 & testing guide" thread)
> >>
> >> So we'll have OWASP TG and CRG refs + ASVS refs also?
> >>
> >>
> >> 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
> >>>
> >>> Nothing. But the proposal is to align numbering schemes, using ASVS as
> >>> the common denominator.
> >>> From Dave's email below:
> >>>
> >>> OWASP is just starting a synchronization effort between the Top 10, ASVS,
> >>> and all the Guides. We are trying to use the ASVS requirements as the
> >>> baseline and then developing the dev guide and testing guide and code
> >>> review against that outline. However, we don’t want to wreck what you guys
> >>> have been doing with the testing guide #’s.
> >>>
> >>> Mike B.
> >>>
> >>> ________________________________
> >>> From: eoinkeary at gmail.com [mailto:eoinkeary at gmail.com] On Behalf Of
> Eoin
> >>> Sent: Wednesday, January 06, 2010 12:36 PM
> >>> To: Boberski, Michael [USA]
> >>> Cc: Dave Wichers; Brad Causey; owasp-testing at lists.owasp.org;
> >>> owasp-topten at lists.owasp.org;
> >>> owasp-application-security-verification-standard at lists.owasp.org
> >>> Subject: Re: [Owasp-testing] Common numbering scheme/convention
> (formerly
> >>> "top 10 & testing guide" thread)
> >>>
> >>> What's wrong with the Testing Guide convention?
> >>> I am planning to correlate the CRG with this convention.
> >>>
> >>> -ek
> >>>
> >>> 2010/1/6 Boberski, Michael [USA] <boberski_michael at bah.com>
> >>>>
> >>>> Hi Brad. I'm game for figuring out a common identifier
> >>>> scheme/convention, ideally before the end of the month or so, which is
> >>>> the current ETA for putting out a call for contributors to work on the
> >>>> next rev of the dev guide, which as Dave mentioned will be reorganized
> >>>> according to ASVS.
> >>>>
> >>>> Maybe a first step is to take a look at this:
> >>>> http://code.google.com/p/owasp-development-guide/wiki/Introduction?tm=6
> >>>> I just replaced the ASVS' "A#" with "D#" but kept the title. The "D#" is
> >>>> a Mike-ism/first cut at a dev guide numbering scheme, so 100% open to
> >>>> working with you on this, since obviously the thought crossed my mind
> >>>> something had to be figured out. We're also in the early stages of
> >>>> planning a next release of ASVS, as Dave alludes to below as well, so
> >>>> now's a good time to talk about this, i.e. we could potentially also mark
> >>>> up http://code.google.com/p/owasp-asvs/wiki/ASVS?tm=6 in a similar
> >>>> fashion.
> >>>>
> >>>> Based on your email below, I generally think we should have a
> >>>> major/minor kinda scheme that starts with ASVS and goes to whatever:
> >>>>
> >>>> OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other]
> >>>>
> >>>> i.e., as if one were expanding a tree control that, when one got to a
> >>>> detailed verification requirement, would then have child nodes for e.g.
> >>>> development guide, testing guide, perhaps threats that the requirements
> >>>> map to like T10/CWE/WASC.
> >>>>
> >>>> Let me know your thoughts, the above is just a first proposal, I may not
> >>>> be understanding what you need. We can use the above dev guide wiki to
> >>>> flesh this out, see how much things make sense as we go, things look
> >>>> different from email/paper to clickable trees/widgets.
> >>>>
> >>>> Best,
> >>>>
> >>>> Mike B.
> >>>>
> >>>> ________________________________
> >>>> From: owasp-topten-bounces at lists.owasp.org
> >>>> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Dave
> Wichers
> >>>> Sent: Wednesday, January 06, 2010 12:34 AM
> >>>> To: Brad Causey; owasp-testing at lists.owasp.org;
> >>>> owasp-topten at lists.owasp.org
> >>>> Cc: mike.boberski at gmail.com
> >>>> Subject: Re: [Owasp-topten] top 10 & testing guide
> >>>>
> >>>> Brad,
> >>>>
> >>>>
> >>>>
> >>>> OWASP is just starting a synchronization effort between the Top 10,
> >>>> ASVS, and all the Guides. We are trying to use the ASVS requirements as
> >>>> the baseline and then developing the dev guide and testing guide and code
> >>>> review against that outline. However, we don’t want to wreck what you guys
> >>>> have been doing with the testing guide #’s.
> >>>>
> >>>> Mike Boberski is working with Andrew van der Stock to launch an update
> >>>> effort to the Dev Guide. Can you work with Mike so he understands how you
> >>>> are using the OWASP finding #’s to see if we can move forward in a way
> >>>> that is not massively disruptive? Mike may not even be aware of the
> >>>> testing guide numbering scheme.
> >>>>
> >>>> And we can also make sure that the dev guide covers everything you think
> >>>> needs to be covered (which hopefully already is covered in ASVS), and if
> >>>> not, maybe it needs to be updated too.
> >>>>
> >>>>
> >>>>
> >>>> -Dave
> >>>>
> >>>>
> >>>>
> >>>> From: owasp-topten-bounces at lists.owasp.org
> >>>> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Brad
> Causey
> >>>> Sent: Tuesday, January 05, 2010 8:59 PM
> >>>> To: owasp-testing at lists.owasp.org; owasp-topten at lists.owasp.org
> >>>> Subject: [Owasp-topten] top 10 & testing guide
> >>>>
> >>>>
> >>>>
> >>>> First of all, sorry for the x-posting, but it seemed appropriate.
> >>>>
> >>>> For those of you that don't know, I work in the financial sector and
> >>>> developed our organization's WAS testing procedures, documentation, and
> >>>> probably 80% of our whole WAS program from OWASP materials. Great stuff.
> >>>>
> >>>> As a matter of fact, each of our analysts has a Lulu-printed copy of the
> >>>> testing guide on their desks. When we write reports up, we use the
> >>>> OWASP-XX-XX as our classification mapping. For example:
> >>>>
> >>>> Finding 1 - rXSS - OWASP-DV-001 - hxxp://www.vulnsite.com?msg=<blah
> >>>> blah, you get it> - screenshot1.png
> >>>>
> >>>> When we write our long form reports, we use the text from the testing
> >>>> guide. It has really proven great for us and we've been doing this since
> >>>> v2 came out. In addition, we have previously used the top ten literature
> >>>> as supplementary in proving higher risk, higher priority items. That has
> >>>> worked great until now.....
> >>>>
> >>>> A8 on the RC version of the Top Ten throws a nice shiny wrench into it
> >>>> all. Reason being, there isn't a corresponding OWASP-xx-xx classification
> >>>> that matches up to A8. Now I've been writing A8 up for some time, but it
> >>>> never had a nice, neat home in any of the Testing Guide classifications.
> >>>>
> >>>> Now that I've gotten past all that, I'd like to maybe discuss how,
> >>>> possibly in the future, the two projects could be somewhat more in sync.
> >>>> I'm not sure there is a good way to do that today, but it sure makes
> >>>> sense in my mind that all owaspy stuff have some overlap, and should
> >>>> avoid gaps such as the A8 vs OWASP-XX-XX situation.
> >>>>
> >>>> Also I see some gaps here:
> >>>> http://2.bp.blogspot.com/_JdybrokZBAk/S0Nt5DVYHWI/AAAAAAAABvU/HXQSzzoRJu0/s1600-h/WASC.png
> >>>> that aren't covered in any OWASP documentation, and should be. I'd like
> >>>> to get everyone's thoughts, and probably flames, on this stuff.
> >>>>
> >>>>
> >>>>
> >>>> -Brad Causey
> >>>> CISSP, MCSE, C|EH, CIFI, CGSP
> >>>>
> >>>> http://www.owasp.org
> >>>> --
> >>>> Never underestimate the time, expense, and effort an opponent will
> >>>> expend to break a code. (Robert Morris)
> >>>> --
> >>>>
> >>>> _______________________________________________
> >>>> Owasp-testing mailing list
> >>>> Owasp-testing at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Eoin Keary
> >>> OWASP Global Board Member
> >>> OWASP Code Review Guide Lead Author
> >>>
> >>> http://asg.ie/
> >>> https://twitter.com/EoinKeary
> >>
> >>
> >>
> >> --
> >> Eoin Keary
> >> OWASP Global Board Member
> >> OWASP Code Review Guide Lead Author
> >>
> >> http://asg.ie/
> >> https://twitter.com/EoinKeary
> >
> >
> >
> > --
> > Eoin Keary
> > OWASP Global Board Member
> > OWASP Code Review Guide Lead Author
> >
> > http://asg.ie/
> > https://twitter.com/EoinKeary
> >
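The thread discusses two identifier formats side by side: the Testing Guide refs Brad uses in reports (OWASP-DV-001 style) and Mike B.'s first-cut ASVS-rooted scheme, OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other], which he describes as a tree rooted at an ASVS area. The following parser is an added example, not OWASP code and not anything the thread's participants wrote. It assumes one reading of the proposal: an ASVS area V1..V14, then up to two child segments, each either a number (a detailed requirement) or one of the tags A, D or T (ASVS, Dev Guide, Testing Guide child node); the "other" placeholder is deliberately left unsupported, and the legacy form is assumed to be exactly two upper-case letters and three digits as in Brad's example.

```python
"""Parse and validate finding identifiers in two OWASP numbering styles.

Added example. This is not OWASP code; it implements an ASSUMED reading of
the first-cut scheme floated on the list:
  - legacy Testing Guide refs look like OWASP-DV-001 (two-letter category,
    three-digit number), the form used in the report excerpt in the thread;
  - the proposed OWASP-V[1-14]-[1-n,A,D,T,other]-[1-m,A,D,T,other] is read as
    ASVS area V1..V14, then up to two child segments, each a number or one of
    the tags A/D/T. "other" is not supported here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ASVS_AREA_MIN, ASVS_AREA_MAX = 1, 14          # the V[1-14] range in the proposal
LEGACY_RE = re.compile(r"^OWASP-([A-Z]{2})-(\d{3})$")
PROPOSED_RE = re.compile(r"^OWASP-V(\d{1,2})((?:-(?:\d+|[ADT]))*)$")


class RefError(ValueError):
    """Raised for malformed or out-of-range identifiers."""


@dataclass(frozen=True)
class Ref:
    scheme: str                      # "legacy" or "proposed"
    area: Optional[int]              # ASVS area for the proposed scheme, else None
    path: Tuple[object, ...]         # legacy: (category, number); proposed: child segments
    raw: str


def parse_ref(raw: str) -> Ref:
    """Parse either identifier style; reject anything that does not fit."""
    raw = raw.strip()
    m = LEGACY_RE.match(raw)
    if m:
        return Ref("legacy", None, (m.group(1), int(m.group(2))), raw)
    m = PROPOSED_RE.match(raw)
    if not m:
        raise RefError(f"unrecognised identifier: {raw!r}")
    area = int(m.group(1))
    if not ASVS_AREA_MIN <= area <= ASVS_AREA_MAX:
        raise RefError(f"ASVS area V{area} outside 1..14: {raw!r}")
    segments = [s for s in m.group(2).split("-") if s]
    if len(segments) > 2:
        raise RefError(f"more than two child segments: {raw!r}")
    path = tuple(int(s) if s.isdigit() else s for s in segments)
    return Ref("proposed", area, path, raw)


def build_tree(refs: List[str]) -> Dict[int, dict]:
    """Arrange proposed-scheme refs as the tree control the proposal describes:
    ASVS area -> child -> grandchild. Legacy refs carry no area and are rejected."""
    tree: Dict[int, dict] = {}
    for raw in refs:
        ref = parse_ref(raw)
        if ref.scheme != "proposed":
            raise RefError(f"cannot place a legacy ref in the ASVS tree: {raw!r}")
        node = tree.setdefault(ref.area, {})
        for seg in ref.path:
            node = node.setdefault(seg, {})
    return tree


if __name__ == "__main__":
    # Constructed sample refs, not taken from any OWASP document.
    for r in ("OWASP-DV-001", "OWASP-V3-2-T", "OWASP-V1"):
        print(parse_ref(r))
    print(build_tree(["OWASP-V3-2-T", "OWASP-V3-2-D", "OWASP-V1"]))
```

Rejecting rather than silently normalising malformed refs matters in a reporting pipeline like the one Brad describes: a finding tagged with an out-of-range area or a third-level segment would otherwise be filed under a category that has no corresponding guide text.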