
Presenting the OWASP

Testing Guide v4 ALPHA


Andrew Muller, Matteo Meucci

About Me
Andrew works with ISO and OWASP
developing security testing standards and
guides.
Director at Ionize

Matteo has led the OTG Project since version 2.
CEO at Minded Security
Hosted by OWASP & the NYC Chapter
Agenda


What is the OTG?
History of the OTG
Moving from version 3 to version 4
Version 4 roadmap
V4: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
V4 Alpha
NIST SP800-115 Technical Guide to Information Security Testing and Assessment
Gary McGraw (CTO Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio" (OWASP Podcast by Jim Manico)
NSA's "Guidelines for Implementation of REST"
Official (ISC)2 Guide to the CSSLP - Page: 70, 365
Many books, blogs and websites
Key benefits
OWASP Testing Guide is driven by our Community

It's aligned with the other OWASP guides:
Development Guide
Code Review Guide
OpenSAMM
Common Numbering Project

Accepted testing methodology:
Relevant
Repeatable
Rigorous

Testing Guide History
January 2004
"The OWASP Testing Guide", Version 1.0
July 14, 2004
"OWASP Web Application Penetration Checklist", Version 1.1
December 25, 2006
"OWASP Testing Guide", Version 2.0
December 16, 2008
"OWASP Testing Guide", Version 3.0
2014
"OWASP Testing Guide", Version 4.0
2011 Roadmap
Review all the control numbers to adhere to the OWASP Common Numbering,

Review all the sections in v3,

Create a more readable guide, eliminating some sections that are not really useful,

Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollution, etc.,

Rationalize some sections, such as Session Management Testing,

Create a new section: Client side security and Firefox extensions testing?
OWASP TG Complexity
[Chart: "Number of pages" (0 to 600) by "Version" (V1, V1.1, V2, V3, V4)]
V3 vs. V4 Chapters
[Charts: V3 vs. V4 comparison per chapter, y-axis 0% to 100%, one chart for each of the following chapters]
Information Gathering
Configuration Management
Identity Management
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Error Handling (OTG-ERR-001, OTG-ERR-002)
Cryptography Testing
Logging Testing (OTG-LOG-001, OTG-LOG-002)
Denial of Service (OTG-DOS-001, OTG-DOS-002, OTG-DOS-003, OTG-DOS-004, OTG-DOS-005)
Web Service Testing
Client Side Testing
V4 Authors
Amro Alolaqi
Alexander Antukh
Alexander Vavousis
Anant Shrivastava
Andrew Muller
Babu Arokiadas
Ben Walther
Cecil Su
Christian Heinrich
Clerkendweller
David Fern
Davide Danelon
Denis Vinny
Eduardo Castellanos
Eoin Keary
Ismael Rocha Goncalves
Jeff Williams
John Abraham
Juan Galiana
Juan Manuel Bahamonde
Kevin Johnson
Luca Carettoni
Matteo Meucci
Pavol Luptak
Rick Mitchell
Rob Barnes
Robert Winkel
Ryan Dewhurst
Simone Onofri
Stefano Di Paola
Thomas Kalamaris
Tom Eston
2013 Roadmap
We are at the final stage of the new version
1st deadline for a first draft of the articles: 30th November 2013
15th December: final deadline for writing the articles
15th January: 1st review
End of January: Beta version (we hope! Good luck boys! Welcome to hell!)
Future Improvements
Managing contributions via Github

Split Guide into Application, Web Service, and Mobile Testing Guides

Jack Mannino has started the Mobile Testing Project
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing

Questions?
http://www.owasp.org/index.php/OWASP_Testing_Project




andrew.muller@owasp.org
@Andrew__Muller

matteo.meucci@owasp.org
@matteo_meucci
