OWASP Testing Guide - OWASP Appsec USA 2013

Presenting the OWASP Testing Guide v4 ALPHA
Andrew Muller, Matteo Meucci
About Me
• Andrew works with ISO and OWASP developing security testing standards and guides. Director at Ionize
• Matteo has led the OTG Project from version 2. CEO at Minded Security
Hosted by OWASP & the NYC Chapter
Agenda
• What is the OTG?
• History of the OTG
• Moving from version 3 to version 4
• Version 4 roadmap
V4: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection
V4 Alpha
• NIST SP800-115 “Technical Guide to Information Security Testing and Assessment”
• Gary McGraw (CTO Cigital) says: “In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio” – OWASP Podcast by Jim Manico
• NSA’s “Guidelines for Implementation of REST”
• Official (ISC)2 Guide to the CSSLP - Page: 70, 365
• Many books, blogs and websites
Key benefits
• OWASP Testing Guide is driven by our Community
• It’s aligned with the other OWASP guides
  • Development Guide
  • Code Review Guide
  • OpenSAMM
  • Common Numbering Project
• Accepted testing methodology
  • Relevant
  • Repeatable
  • Rigorous
Testing Guide History
January 2004 – "The OWASP Testing Guide", Version 1.0
July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1
December 25, 2006 – "OWASP Testing Guide", Version 2.0
December 16, 2008 – "OWASP Testing Guide", Version 3.0
2014 – "OWASP Testing Guide", Version 4.0
2011 Roadmap
• Review all the control numbers to adhere to the OWASP Common numbering
• Review all the sections in v3
• Create a more readable guide, eliminating some sections that are not really useful
• Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollution, etc.
• Rationalize some sections such as Session Management Testing
• Create a new section: Client side security and Firefox extensions testing?
OWASP TG Complexity
[Bar chart: Number of pages (0 to 600) per Version: V1, V1.1, V2, V3, V4]
V3 vs. V4 Chapters
[One bar chart per chapter, 0% to 100% scale: Information Gathering; Configuration Management; Identity Management; Authentication Testing; Authorization Testing; Session Management Testing; Data Validation Testing; Error handling (OTG-ERR-001, OTG-ERR-002); Cryptography Testing; Logging Testing (OTG-LOG-001, OTG-LOG-002); Denial of Service (OTG-DOS-001, OTG-DOS-002, OTG-DOS-003, OTG-DOS-004, OTG-DOS-005); Web Service Testing; Client Side Testing]
V4 Authors
Amro Alolaqi
Alexander Antukh
Alexander Vavousis
Anant Shrivastava
Andrew Muller
Babu Arokiadas
Ben Walther
Cecil Su
Christian Heinrich
Clerkendweller
David Fern
Davide Danelon
Denis Vinny
Eduardo Castellanos
Eoin Keary
Ismael Rocha Goncalves
Jeff Williams
John Abraham
Juan Galiana
Juan Manuel Bahamonde
Kevin Johnson
Luca Carettoni
Matteo Meucci
Pavol Luptak
Rick Mitchell
Rob Barnes
Robert Winkel
Ryan Dewhurst
Simone Onofri
Stefano Di Paola
Thomas Kalamaris
Tom Eston
2013 Roadmap
• We are at the final stage of the new version
• 1st deadline for a first draft of the articles: 30th November 2013
• 15th December: final deadline for writing the articles
• 15th January: 1st review
• End of January: Beta version (we hope! Good luck boys! Welcome to hell!)
Future Improvements
Managing contributions via Github
Split Guide into Application, Web Service, and Mobile Testing Guides
Jack Mannino has started the Mobile Testing Project
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing
Questions?
http://www.owasp.org/index.php/OWASP_Testing_Project
andrew.muller@owasp.org
matteo.meucci@owasp.org
@Andrew__Muller
@matteo_meucci