[Owasp-topten] [Owasp-testing] RFC: Common numbering proposal # 1

Boberski, Michael [USA] boberski_michael at bah.com
Thu Jan 7 12:50:13 EST 2010

Great idea,

I created the following wiki page for us to use:


Mike B.

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
Sent: Thursday, January 07, 2010 12:07 PM
To: mike.boberski at gmail.com
Cc: owasp-guide at lists.owasp.org; owasp-application-security-verification-standard at lists.owasp.org; owasp-topten at lists.owasp.org; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] [Owasp-topten] RFC: Common numbering proposal # 1

I totally agree, that should be a great added value for the OWASP Guides.
I think we can create a page on our wiki for that purpose, tracking our brainstorming and the links between the Guides.

As Mike said, we can start from here:

So we can create the OWASP naming convention (e.g. OWASP-DV-001 - Reflected XSS) and mapping that with all the Guides.
In that way we can reach 2 goals in my opinion:
- update the Guides and understand what the DG,CRG,TG, Top10, ASVS are missing and what we can improve in each guide (also if some controls are specific to certain guides).
- create a more accessible starting point for the exploration of the wiki from a user perspective.


On Wed, Jan 6, 2010 at 11:59 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
> Right, the next step if there were agreement would be to basically 
> take the table from the TG that summarizes the IDs, add a couple 
> columns, and start mapping.
> Then, each doc would be updated in turn, and yes each would then have 
> to address any holes. Not an issue from the ASVS or dev guide perspective.
> Mike
> On Wed, Jan 6, 2010 at 5:09 PM, Brad Causey <bradcausey at gmail.com> wrote:
>> Thinking from the perspective of a purely ignorant person, this is 
>> rather confusing. Problem is, it totally makes sense as to why you 
>> did what you did, to me. So which of those numbers would be final 
>> one? And with that number alone, could I find what I needed in each guide?
>> *thinking aloud*
>> Ideally, we have 2 ultimate goals in my mind. (bear with me here) 1. 
>> create a central ID number, and provide a mapping to each project.
>> (maybe a good interim goal)
>> 2. Actually _change_ each OWASP guide to match the TG or some agreed 
>> upon numbering system.
>> Now, you are probably all asking "why are we chosing to go with the 
>> TG?". Well I wasn't sold either, and I'm still not 100%. But it does 
>> appear to provide detailed numberin for specific vulnerabilities, and 
>> has a pretty good following. (and I'm partial because I currently 
>> rely on it) Here is the catch! There are going to be holes no matter 
>> which direction we take, for example, the TG has items the ASVS 
>> doesn't.
>> Which is why I'm voting for a super detailed comprehensive "master 
>> list" and match them up for now, item #1. And allow each project to 
>> catch up to the list, ultimately leading to a truly complete #2.
>> I'm literally thinking out loud here guys, so fire back full force.
>> */thinking aloud*
>> -Brad Causey
>> http://www.owasp.org
>> --
>> Never underestimate the time, expense, and effort an opponent will 
>> expend to break a code. (Robert Morris)
>> --
>> On Wed, Jan 6, 2010 at 1:44 PM, Boberski, Michael [USA] 
>> <boberski_michael at bah.com> wrote:
>> > Let us work on this using a specific example, SQL Injection:
>> >
>> > Here is a proposal for your consideration:
>> >
>> > ASVS Ref. Number
>> > OWASP-V0604
>> >
>> > TG Ref. Number
>> > OWASP-T0604-DV-005
>> > (compared to currently: OWASP-DV-005)
>> >
>> > CRG Ref. Number
>> > OWASP-C0604-DV-005
>> >
>> > Guide Ref. Number
>> > OWASP-D0604
>> > (goes into guidance at this level, in the next release)
>> >
>> > Where,
>> >
>> > OWASP-V0604 == V6.4  Verify that all untrusted data that is output 
>> > to SQL interpreters use parameterized interfaces, prepared 
>> > statements, or are escaped properly.
>> >
>> > Mike B.
>> > _______________________________________________
>> > Owasp-topten mailing list
>> > Owasp-topten at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-topten
>> >
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

Matteo Meucci
OWASP Testing Guide lead
Owasp-testing mailing list
Owasp-testing at lists.owasp.org

More information about the Owasp-topten mailing list