Slide 1: Presenting the OWASP Testing Guide v4 ALPHA
Andrew Muller, Matteo Meucci
Slide 2: About Me
Andrew works with ISO and OWASP developing security testing standards and guides. Director at Ionize.
Matteo has led the OTG Project from version 2. CEO at Minded Security.
Hosted by OWASP & the NYC Chapter
Slide 3: Agenda
- What is the OTG?
- History of the OTG
- Moving from version 3 to version 4
- Version 4 roadmap
Slide 4: V4 Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
Slide 5: V4 Alpha
- NIST SP800-115 "Technical Guide to Information Security Testing and Assessment"
- Gary McGraw (CTO Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio" (OWASP Podcast by Jim Manico)
- NSA's "Guidelines for Implementation of REST"
- Official (ISC)2 Guide to the CSSLP, pages 70 and 365
- Many books, blogs and websites
Slide 6: Key benefits
- OWASP Testing Guide is driven by our Community
- It's aligned with the other OWASP guides:
  - Development Guide
  - Code Review Guide
  - OpenSAMM
  - Common Numbering Project
- Accepted testing methodology:
  - Relevant
  - Repeatable
  - Rigorous
Slide 7: Testing Guide History
- January 2004: "The OWASP Testing Guide", Version 1.0
- July 14, 2004: "OWASP Web Application Penetration Checklist", Version 1.1
- December 25, 2006: "OWASP Testing Guide", Version 2.0
- December 16, 2008: "OWASP Testing Guide", Version 3.0
- 2014: "OWASP Testing Guide", Version 4.0
Slide 8: 2011 Roadmap
- Review all the control numbers to adhere to the OWASP Common Numbering
- Review all the sections in v3
- Create a more readable guide, eliminating some sections that are not really useful
- Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollution, etc.
- Rationalize some sections, such as Session Management Testing
- Create a new section: Client side security and Firefox extensions testing?
Slide 9: OWASP TG Complexity
[Chart: number of pages per version]
Slide 10: V3 vs. V4 Chapters
[Slides 11 to 23 compare the v3 and v4 chapters per test category; only the category titles survive:]
Slide 11: Information Gathering
Slide 12: Configuration Management
Slide 13: Identity Management
Slide 14: Authentication Testing
Slide 15: Authorization Testing
Slide 16: Session Management Testing
Slide 17: Data Validation Testing
Slide 18: Error Handling
Slide 19: Cryptography Testing
Slide 20: Logging Testing
Slide 21: Denial of Service
Slide 22: Web Service Testing
Slide 23: Client Side Testing
Slide 24: V4 Authors
Amro Alolaqi, Alexander Antukh, Alexander Vavousis, Anant Shrivastava, Andrew Muller, Babu Arokiadas, Ben Walther, Cecil Su, Christian Heinrich, Clerkendweller, David Fern, Davide Danelon, Denis Vinny, Eduardo Castellanos, Eoin Keary, Ismael Rocha Goncalves, Jeff Williams, John Abraham, Juan Galiana, Juan Manuel Bahamonde, Kevin Johnson, Luca Carettoni, Matteo Meucci, Pavol Luptak, Rick Mitchell, Rob Barnes, Robert Winkel, Ryan Dewhurst, Simone Onofri, Stefano Di Paola, Thomas Kalamaris, Tom Eston
Slide 25: 2013 Roadmap
- We are at the final stage of the new version
- 1st deadline for a first draft of the articles: 30th November 2013
- 15th December: final deadline for writing the articles
- 15th January: 1st review
- End of January: Beta version (we hope! Good luck boys! Welcome to hell!)
Slide 26: Future Improvements
- Managing contributions via Github
- Split Guide into Application, Web Service, and Mobile Testing Guides
- Jack Mannino has started the Mobile Testing Project: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
Slide 27: Questions?
http://www.owasp.org/index.php/OWASP_Testing_Project
andrew.muller@owasp.org, @Andrew__Muller
matteo.meucci@owasp.org, @matteo_meucci