The document summarizes the presentation of the OWASP Testing Guide version 4 alpha. It provides an overview of the agenda which includes the history and development of the Testing Guide from version 1 to the current version 4. It outlines the roadmap for finalizing version 4, including deadlines for drafting and reviewing articles. It also discusses future improvements such as managing contributions through GitHub and potential splits of the guide into separate application, web service, and mobile guides.
APPSEC2013 OWASP Testing Guide v4 Alpha
Presenting the OWASP
Testing Guide v4 ALPHA
Andrew Muller, Matteo Meucci
About Me
Andrew works with ISO and OWASP developing security testing standards and guides. Director at Ionize.
Matteo has led the OTG Project from version 2. CEO at Minded Security.
Hosted by OWASP & the NYC Chapter

Agenda
What is the OTG?
History of the OTG
Moving from version 3 to version 4
Version 4 roadmap

V4: Index
1. Frontispiece
2. Introduction
3. The OWASP Testing Framework
4. Web Application Penetration Testing
5. Writing Reports: value the real risk
Appendix A: Testing Tools
Appendix B: Suggested Reading
Appendix C: Fuzz Vectors
Appendix D: Encoded Injection

V4 Alpha
NIST SP800-115 Technical Guide to Information Security Testing and Assessment
Gary McGraw (CTO Cigital) says: "In my opinion it is the strongest piece of Intellectual Property in the OWASP portfolio"
OWASP Podcast by Jim Manico
NSA's "Guidelines for Implementation of REST"
Official (ISC)2 Guide to the CSSLP - Page: 70, 365
Many books, blogs and websites

Key benefits
OWASP Testing Guide is driven by our Community
It's aligned with the other OWASP guides:
Development Guide
Code Review Guide
OpenSAMM
Common Numbering Project
Testing Guide History
January 2004: "The OWASP Testing Guide", Version 1.0
July 14, 2004: "OWASP Web Application Penetration Checklist", Version 1.1
December 25, 2006: "OWASP Testing Guide", Version 2.0
December 16, 2008: "OWASP Testing Guide", Version 3.0
2014: "OWASP Testing Guide", Version 4.0

2011 Roadmap
Review all the control numbers to adhere to the OWASP Common Numbering,
Review all the sections in v3,
Create a more readable guide, eliminating some sections that are not really useful,
Rationalize some sections such as Session Management Testing,
Create a new section: Client side security and Firefox extensions testing?

OWASP TG Complexity
[Chart: number of pages per version (V1, V1.1, V2, V3, V4); vertical axis "Number of pages", 0 to 600; horizontal axis "Version"]

V3 vs. V4 Chapters
[Series of progress charts (0% to 100%), one per V4 chapter:]
Information Gathering
Configuration Management
Identity Management
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Error handling (OTG-ERR-001, OTG-ERR-002)
Cryptography Testing
Logging Testing (OTG-LOG-001, OTG-LOG-002)
Denial of Service (OTG-DOS-001, OTG-DOS-002, OTG-DOS-003, OTG-DOS-004, OTG-DOS-005)
Web Service Testing
Client Side Testing

V4 Authors
Amro Alolaqi, Alexander Antukh, Alexander Vavousis, Anant Shrivastava, Andrew Muller, Babu Arokiadas, Ben Walther, Cecil Su, Christian Heinrich, Clerkendweller, David Fern, Davide Danelon, Denis Vinny, Eduardo Castellanos, Eoin Keary, Ismael Rocha Goncalves, Jeff Williams, John Abraham, Juan Galiana, Juan Manuel Bahamonde, Kevin Johnson, Luca Carettoni, Matteo Meucci, Pavol Luptak, Rick Mitchell, Rob Barnes, Robert Winkel, Ryan Dewhurst, Simone Onofri, Stefano Di Paola, Thomas Kalamaris, Tom Eston

2013 Roadmap
We are at the final stage of the new version:
1st deadline for a first draft of the articles: 30th November 2013
15th December: final deadline for writing the articles
15th January: 1st review
End of January: Beta version (we hope! Good luck boys! Welcome to hell!)

Future Improvements
Managing contributions via GitHub
Split Guide into Application, Web Service, and Mobile Testing Guides
Jack Mannino has started the Mobile Testing Project: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Security_Testing

Questions?
https://www.owasp.org/index.php/OWASP_Testing_Project