Page 1: APPSEC2013 OWASP Testing Guide v4 Alpha

Presenting the OWASP Testing Guide v4 ALPHA

Andrew Muller, Matteo Meucci

Page 2

About Me

• Andrew works with ISO and OWASP developing security testing standards and guides. Director at Ionize.

• Matteo has led the OTG Project from version 2. CEO at Minded Security.

Hosted by OWASP & the NYC Chapter

Page 3

Agenda

• What is the OTG?

• History of the OTG

• Moving from version 3 to version 4

• Version 4 roadmap

Page 4

V4: Index

1. Frontispiece

2. Introduction

3. The OWASP Testing Framework

4. Web Application Penetration Testing

5. Writing Reports: value the real risk

Appendix A: Testing Tools

Appendix B: Suggested Reading

Appendix C: Fuzz Vectors

Appendix D: Encoded Injection

Page 5

V4 Alpha

• NIST SP800-115 "Technical Guide to Information Security Testing and Assessment"

• Gary McGraw (CTO Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio" – OWASP Podcast by Jim Manico

• NSA's "Guidelines for Implementation of REST"

• Official (ISC)2 Guide to the CSSLP - Page: 70, 365

• Many books, blogs and websites

Page 6

Key benefits

• OWASP Testing Guide is driven by our Community

• It's aligned with the other OWASP guides

  • Development Guide

  • Code Review Guide

  • OpenSAMM

  • Common Numbering Project

• Accepted testing methodology

  • Relevant

  • Repeatable

  • Rigorous

Page 7

Testing Guide History

January 2004 – "The OWASP Testing Guide", Version 1.0

July 14, 2004 – "OWASP Web Application Penetration Checklist", Version 1.1

December 25, 2006 – "OWASP Testing Guide", Version 2.0

December 16, 2008 – "OWASP Testing Guide", Version 3.0

2014 – "OWASP Testing Guide", Version 4.0

Page 8

2011 Roadmap

Review all the control numbers to adhere to the OWASP Common Numbering,

Review all the sections in v3,

Create a more readable guide, eliminating some sections that are not really useful,

Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollution, etc.,

Rationalize some sections such as Session Management Testing,

Create a new section: Client side security and Firefox extensions testing?
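Two of the techniques the roadmap adds, HTTP Parameter Pollution (HPP) and HTTP verb tampering, are tests of how a server resolves ambiguous input rather than tests of a particular payload: which copy of a duplicated parameter wins, and whether an access-control rule that names HTTP methods leaves the unnamed ones unprotected. The Python below is an added example written for this page, not code from the Testing Guide or its authors. The precedence models (`first`, `last`, `concat`, `list`), the platforms they are commonly reported for, the web.xml-style constraint format and the sample query strings are all assumptions made for illustration; on an engagement each of them is something to measure on the target, not to take from this script.

```python
"""Added example (not from the OWASP Testing Guide): modelling the two
ambiguities a tester probes for in HTTP Parameter Pollution (HPP) and
HTTP verb tampering.  Backend behaviours are modelled so the script runs
offline; the precedence rule and the access-control configuration of a
real target must be measured, not assumed.
"""
from urllib.parse import parse_qsl

# HPP: how a backend resolves a parameter that appears more than once.
# The comments name the platform each model is commonly reported for;
# confirming which one the target actually uses is the HPP test itself.
PRECEDENCE = {
    "first":  lambda vals: vals[0],          # commonly reported for JSP/Tomcat, Perl CGI
    "last":   lambda vals: vals[-1],         # commonly reported for PHP/Apache
    "concat": lambda vals: ",".join(vals),   # commonly reported for ASP.NET/IIS
    "list":   lambda vals: list(vals),       # commonly reported for Python WSGI frameworks
}


def duplicates(query):
    """Group query parameters by name, preserving order and blank values.

    Returns {name: [value, ...]}; any list longer than one is a duplicate,
    either injected by the tester or emitted by the application itself.
    """
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def resolve(query, model):
    """Effective parameter values as seen by a backend using `model`."""
    rule = PRECEDENCE[model]
    return {name: rule(values) for name, values in duplicates(query).items()}


def hpp_candidates(query):
    """Names where precedence matters: duplicated with differing values.

    A filtering tier (WAF, proxy, first application layer) and a backend
    that pick different copies of such a name is the classic HPP bypass:
    the filter inspects one value, the application acts on another.
    """
    return sorted(n for n, vals in duplicates(query).items() if len(set(vals)) > 1)


# Verb tampering: a web.xml-style <security-constraint> protects a URL
# pattern only for the HTTP methods it lists; unlisted methods fall outside
# the constraint.  methods=None models a constraint with no <http-method>,
# which covers every verb.
def _matches(pattern, path):
    """Servlet-style url-pattern match: exact, or '/prefix/*'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def requires_auth(method, path, constraints):
    """True if some constraint covers this method and path."""
    for c in constraints:
        if _matches(c["pattern"], path) and (c["methods"] is None or method in c["methods"]):
            return True
    return False


PROBE_VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO")


def verb_tamper_bypasses(path, constraints, verbs=PROBE_VERBS):
    """Verbs that reach `path` without authentication under `constraints`.

    Whether a bypass is exploitable (e.g. doHead() delegating to doGet(),
    or an unknown verb dispatched to a default handler) still has to be
    confirmed against the running application.
    """
    return [v for v in verbs if not requires_auth(v, path, constraints)]


if __name__ == "__main__":
    # Constructed sample inputs.
    q = "id=1&id=2&action=view"
    print(duplicates(q))
    for model in PRECEDENCE:
        print(model, resolve(q, model))
    print("precedence-sensitive:", hpp_candidates(q))

    weak = [{"pattern": "/admin/*", "methods": {"GET", "POST"}}]   # lists verbs: weak
    fixed = [{"pattern": "/admin/*", "methods": None}]             # no <http-method>: all verbs
    print("bypasses (weak):", verb_tamper_bypasses("/admin/users", weak))
    print("bypasses (fixed):", verb_tamper_bypasses("/admin/users", fixed))
```

The fix for the verb-tampering case is shown alongside the weak configuration: omit the method list so the constraint covers every verb, or reject unexpected methods outright. For HPP, the script only tells you which parameters are worth probing; the actual test is to send the duplicated parameter through the full request path and observe which copy each tier honours.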

Page 9

OWASP TG Complexity

[Chart: number of pages per version, x-axis Version (V1, V1.1, V2, V3, V4), y-axis Number of pages (0 to 600)]

Page 10

V3 vs. V4 Chapters

Page 11

Information Gathering

Page 12

Configuration Management

Page 13

Identity Management

Page 14

Authentication Testing

Page 15

Authorization Testing

Page 16

Session Management Testing

Page 17

Data Validation Testing

Page 18

Error handling

Page 19

Cryptography Testing

Page 20

Logging Testing

Page 21

Denial of Service

Page 22

Web Service Testing

Page 23

Client Side Testing

Page 24

V4 Authors

Amro Alolaqi, Alexander Antukh, Alexander Vavousis, Anant Shrivastava, Andrew Muller, Babu Arokiadas, Ben Walther, Cecil Su, Christian Heinrich, Clerkendweller, David Fern, Davide Danelon, Denis Vinny, Eduardo Castellanos, Eoin Keary, Ismael Rocha Goncalves

Jeff Williams, John Abraham, Juan Galiana, Juan Manuel Bahamonde, Kevin Johnson, Luca Carettoni, Matteo Meucci, Pavol Luptak, Rick Mitchell, Rob Barnes, Robert Winkel, Ryan Dewhurst, Simone Onofri, Stefano Di Paola, Thomas Kalamaris, Tom Eston

Page 25

2013 Roadmap

• We are at the final stage of the new version

• 1st deadline for a first draft of the articles: 30th November 2013

• 15th December: final deadline for writing the articles

• 15th January: 1st review

• End of January: Beta version (we hope! Good luck boys! Welcome to hell!)

Page 26

Future Improvements

Managing contributions via Github

Split Guide into Application, Web Service, and Mobile Testing Guides

Jack Mannino has started the Mobile Testing Project

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing

Page 27

Questions?

http://www.owasp.org/index.php/OWASP_Testing_Project

[email protected]

@Andrew__Muller

[email protected]

@matteo_meucci