Presenting the OWASP Testing Guide v4 ALPHA Andrew Muller, Matteo Meucci.

About Me
Andrew Muller works with ISO and OWASP developing security testing standards and guides. Director at Ionize.
Matteo Meucci has led the OTG Project from version 2. CEO at Minded Security.
Hosted by OWASP & the NYC Chapter

Agenda
- What is the OTG?
- History of the OTG
- Moving from version 3 to version 4
- Version 4 roadmap

V4: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection

V4 Alpha
The Testing Guide is cited in:
- NIST SP "Technical Guide to Information Security Testing and Assessment"
- NSA's "Guidelines for Implementation of REST"
- Official (ISC)2 Guide to the CSSLP, pages 70 and 365
- Many books, blogs and websites
Gary McGraw (CTO, Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio" (OWASP Podcast by Jim Manico)

Key benefits
- The OWASP Testing Guide is driven by our Community
- It is aligned with the other OWASP guides: Development Guide, Code Review Guide, OpenSAMM, Common Numbering Project
- Accepted testing methodology: relevant, repeatable, rigorous

Testing Guide History
- January 2004 – "The OWASP Testing Guide", Version 1.0
- July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1
- December 25, 2006 – "OWASP Testing Guide", Version 2.0
- December 16, 2008 – "OWASP Testing Guide", Version 3.0
- In progress – "OWASP Testing Guide", Version 4.0

2011 Roadmap
- Review all the control numbers to adhere to the OWASP Common Numbering
- Review all the sections in v3
- Create a more readable guide, eliminating some sections that are not really useful
- Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollution, etc.
- Rationalize some sections, such as Session Management Testing
- Create a new section: Client side security and Firefox extensions testing?
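The two techniques that roadmap item names, HTTP verb tampering and HTTP Parameter Pollution (HPP), shown as an added, runnable illustration. This is not code from the Testing Guide or from the presenters: the target is a constructed in-process WSGI application that carries both weaknesses, and two small test functions exercise it the way a tester would probe a real endpoint. Every name here (vulnerable_app, call, verb_tampering_test, hpp_test, the X-Token header and the role parameter) is an assumption made for the illustration.

```python
"""Added illustration of HTTP verb tampering and HTTP Parameter Pollution
tests. The target app below is constructed for this example and is not from
the OWASP Testing Guide; it runs in-process, so no network is needed."""
from io import BytesIO
from urllib.parse import parse_qs


def vulnerable_app(environ, start_response):
    """Constructed target with two deliberate flaws.
    1. Verb tampering: the auth check on /admin is tied to the method name,
       so only POST requires the token; PUT, DELETE, HEAD or a made-up verb
       reaches the privileged handler unauthenticated.
    2. HPP: 'role' is read as the LAST occurrence of the parameter, so a
       duplicated parameter overrides the copy a front-end filter inspected
       (many filters look only at the first occurrence).
    """
    method = environ["REQUEST_METHOD"]
    path = environ["PATH_INFO"]
    qs = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if path == "/admin":
        if method == "POST" and environ.get("HTTP_X_TOKEN") != "secret":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden"]
        role = qs.get("role", ["user"])[-1]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"admin page as role={role}".encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(app, method, path, query="", headers=None):
    """Minimal WSGI client: returns (status line, body) without a socket."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.input": BytesIO(b""),
        "wsgi.url_scheme": "http",
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


def verb_tampering_test(app, path,
                        verbs=("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "FOO")):
    """Replay the protected request with each verb and NO credentials.
    Returns the verbs that reach the handler (HTTP 200) without the token.
    A hardened app answers 403 for all of them (or 405 for unknown verbs)."""
    bypass = []
    for verb in verbs:
        status, _ = call(app, verb, path)
        if status.startswith("200"):
            bypass.append(verb)
    return bypass


def hpp_test(app, path, param, benign, injected):
    """Send the parameter twice (benign first, injected second) and report
    which copy the back end honoured: 'last' means a duplicated parameter
    overrides the first copy, 'first' means the back end keeps the first."""
    query = f"{param}={benign}&{param}={injected}"
    _, body = call(app, "GET", path, query)
    if f"{param}={injected}" in body:
        return "last"
    if f"{param}={benign}" in body:
        return "first"
    return "unknown"


if __name__ == "__main__":
    print("verbs bypassing auth:", verb_tampering_test(vulnerable_app, "/admin"))
    print("HPP precedence:", hpp_test(vulnerable_app, "/admin", "role", "user", "admin"))
```

Against a real target the verb sweep is run once unauthenticated and once with the tester's own session, and the two response sets are compared; a verb that returns the authenticated content to the anonymous run is the finding. For HPP the precedence differs by platform (as a rule, PHP and ASP.NET keep the last copy or concatenate all copies, while many Java servlet containers keep the first), which is exactly why the test is sent rather than assumed.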

OWASP TG Complexity (chart: number of pages per version)

V3 vs. V4 Chapters (the per-chapter comparison slides survive only as their titles):
- Information Gathering
- Configuration Management
- Identity Management
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Data Validation Testing
- Error Handling
- Cryptography Testing
- Logging Testing
- Denial of Service
- Web Service Testing
- Client Side Testing

V4 Authors
Amro Alolaqi, Alexander Antukh, Alexander Vavousis, Anant Shrivastava, Andrew Muller, Babu Arokiadas, Ben Walther, Cecil Su, Christian Heinrich, Clerkendweller, David Fern, Davide Danelon, Denis Vinny, Eduardo Castellanos, Eoin Keary, Ismael Rocha Goncalves, Jeff Williams, John Abraham, Juan Galiana, Juan Manuel Bahamonde, Kevin Johnson, Luca Carettoni, Matteo Meucci, Pavol Luptak, Rick Mitchell, Rob Barnes, Robert Winkel, Ryan Dewhurst, Simone Onofri, Stefano Di Paola, Thomas Kalamaris, Tom Eston

2013 Roadmap
- We are at the final stage of the new version
- 30th November: 1st deadline for a first draft of the articles
- 15th December: final deadline for writing the articles
- 15th January: 1st review
- End of January: Beta version (we hope! Good luck boys! Welcome to hell!)

Future Improvements
- Managing contributions via GitHub
- Split the Guide into Application, Web Service, and Mobile Testing Guides
- Jack Mannino has started the Mobile Testing Project: _Security_Project_-_Security_Testing

Questions?