About Me

Andrew works with ISO and OWASP developing security testing standards and guides. Director at Ionize.
Matteo has led the OTG Project from version 2. CEO at Minded Security.

Hosted by OWASP & the NYC Chapter

Agenda

What is the OTG?
History of the OTG
Moving from version 3 to version 4
Version 4 roadmap

V4: Index

1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection

V4 Alpha

NIST SP800-115, Technical Guide to Information Security Testing and Assessment
Gary McGraw (CTO, Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio"
OWASP Podcast by Jim Manico
NSA's "Guidelines for Implementation of REST"
Official (ISC)2 Guide to the CSSLP, pages 70 and 365
Many books, blogs and websites

Key benefits

The OWASP Testing Guide is driven by our community.
It's aligned with the other OWASP guides: Development Guide, Code Review Guide, OpenSAMM, Common Numbering Project.
Testing Guide History

January 2004: "The OWASP Testing Guide", Version 1.0
July 14, 2004: "OWASP Web Application Penetration Checklist", Version 1.1
December 25, 2006: "OWASP Testing Guide", Version 2.0
December 16, 2008: "OWASP Testing Guide", Version 3.0
2014: "OWASP Testing Guide", Version 4.0

2011 Roadmap

Review all the control numbers to adhere to the OWASP Common Numbering,
Review all the sections in v3,
Create a more readable guide, eliminating some sections that are not really useful,
Rationalize some sections, such as Session Management Testing,
Create a new section: Client side security and Firefox extensions testing?

OWASP TG Complexity

(Chart: number of pages per version, for V1, V1.1, V2, V3 and V4; y-axis 0 to 600 pages.)

V3 vs. V4 Chapters

(Charts: per-chapter comparison of V3 and V4, 0% to 100%, for each chapter below.)

Information Gathering
Configuration Management
Identity Management
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Error Handling (OTG-ERR-001, OTG-ERR-002)
Cryptography Testing
Logging Testing (OTG-LOG-001, OTG-LOG-002)
Denial of Service (OTG-DOS-001, OTG-DOS-002, OTG-DOS-003, OTG-DOS-004, OTG-DOS-005)
Web Service Testing
Client Side Testing

V4 Authors

Amro Alolaqi, Alexander Antukh, Alexander Vavousis, Anant Shrivastava, Andrew Muller, Babu Arokiadas, Ben Walther, Cecil Su, Christian Heinrich, Clerkendweller, David Fern, Davide Danelon, Denis Vinny, Eduardo Castellanos, Eoin Keary, Ismael Rocha Goncalves, Jeff Williams, John Abraham, Juan Galiana, Juan Manuel Bahamonde, Kevin Johnson, Luca Carettoni, Matteo Meucci, Pavol Luptak, Rick Mitchell, Rob Barnes, Robert Winkel, Ryan Dewhurst, Simone Onofri, Stefano Di Paola, Thomas Kalamaris, Tom Eston

2013 Roadmap

We are at the final stage of the new version.
1st deadline for a first draft of the articles: 30th November 2013
15th December: final deadline for writing the articles
15th January: 1st review
End of January: Beta version (we hope! Good luck boys! Welcome to hell!)

Future Improvements

Managing contributions via Github
Split the Guide into Application, Web Service, and Mobile Testing Guides
Jack Mannino has started the Mobile Testing Project: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing

Questions?

http://www.owasp.org/index.php/OWASP_Testing_Project

andrew.muller@owasp.org
@Andrew__Muller