OWASP Testing Guide V3
Matteo Meucci, OWASP Testing Guide Lead
Agenda
Welcome to the OWASP Testing Guide v3!
Objectives
Roadmap to v3
What’s new?
Next step
Who am I?
OWASP work: OWASP-Italy Chair, OWASP Testing Guide Lead
Minded Security: Application Security Consulting
7+ years in Information Security, focusing on Application Security
Welcome to the OWASP Testing Guide v3!
July 14: "OWASP Web Application Penetration Checklist", Version 1.0
December 25: "OWASP Testing Guide", Version 2.0
6th November: "OWASP Testing Guide", Version 3.0
Objectives
Improve, update and complete v2
Create a complete new project focused on Web Application Penetration Testing
Create a reference for application testing
Describe the OWASP Testing methodology
Testing Guide Project Roadmap
26th April 2008: start the new project
  OWASP Leaders brainstorming
  Call for participation: 21 authors (-18!)
  Index brainstorming
  Discuss the article content
20th May 2008: new draft Index
1st June 2008: let's start writing!
27th August 2008: started the reviewing phase, 4 reviewers (-16!)
October 2008: review all the Guide
6th November 2008: published the Guide! (347 pages, +80!)
Testing Guide v3: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection

Testing Guide v2 RC1: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
What’s new?

V2: 8 sub-categories (for a total amount of 48 controls)
Information Gathering
Business Logic Testing
Authentication Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing

V3: 36 new articles!
Information Gathering
Config. Management Testing
Business Logic Testing
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Services Testing
Ajax Testing
Encoded Appendix

The Guide contents
A series of articles on the most common web application security problems
Some process information, but not much…
The world desperately needs a body of knowledge on application security. One important piece of this body of knowledge is about application security testing.
Testing paragraph template
Brief Summary: describe in "natural language" what we want to test. The target of this section is non-technical people (e.g. client executives).
Description of the Issue: short description of the issue, topic and explanation.
Black Box testing and example: how to test for vulnerabilities; Result Expected: ...
Gray Box testing and example
References: whitepapers, tools
Some new articles
4.1.1 Testing Checklist
Identify application entry points
Infrastructure Configuration Management Testing
Credentials transport over an encrypted channel
Testing for user enumeration
Testing for CAPTCHA
Testing Multiple Factors Authentication
Testing for path traversal
Testing for bypassing authorization schema
Testing for Privilege Escalation
Testing for Session Management Schema
4.7.2 Testing for Cookies attributes
Testing for Reflected Cross Site Scripting
Testing for Stored Cross Site Scripting
Testing for DOM based Cross Site Scripting
Testing for Cross Site Flashing
MS Access Testing
Testing PostgreSQL (from OWASP BSP)
Testing for SQL Wildcard Attacks
WS Information Gathering
Testing WSDL
Checklist PDF
Status and Future Steps
Discuss how to integrate the Develop, Code Review, Testing and ASDR Guides
Improve Client Side Security
Let’s talk at the WORKING SESSION!
Building Guide, Code Review Guide, Testing Guide, Application Security Desk Reference (ASDR)
Obrigado!
V3 Authors: Anurag Agarwwal, Daniele Bellucci, Arian Coronel, Stefano Di Paola, Giorgio Fedon, Alan Goodman, Christian Heinrich, Kevin Horvath, Gianrico Ingrosso, Roberto Suggi Liverani, Alex Kuza, Pavol Luptak, Ferruh Mavituna, Marco Mella, Matteo Meucci, Marco Morana, Antonio Parata, Cecil Su, Harish Skanda Sureddy, Mark Roxberry, Andrew Van der Stock
V3 Reviewers: Marco Cova, Kevin Fuller, Nam Nguyen
Questions? http://www.owasp.org