The Open Web Application Security Project (OWASP) announced on Wednesday the availability of version 4 of the OWASP Testing Guide.
According to the organization, OWASP Testing Guide Version 4 contains several changes compared to the previous version, including new chapters and a larger number of test cases. Version 3 of the guide was released on September 15, 2008, and as many experts have pointed out, a new version is needed to reflect the changes in the evolving cybersecurity landscape.
The latest version of the testing guide includes the Developers Guide and the Code Review Guide. OWASP believes the addition of these two flagship documentation products is important because the Testing and the Code Review guides are designed to help developers evaluate the security controls described in the Developers Guide.
New chapters have been introduced for identity management testing, cryptography, error handling and client-side testing. The number of test cases has been increased from 64 to 87.
“This version of the Testing Guide encourages the community not to simply accept the test cases outlined in this guide. We encourage security testers to integrate with other software testers and devise test cases specific to the target application,” OWASP said. “As we find test cases that have wider applicability we encourage the security testing community to share them and contribute them to the Testing Guide. This will continue to build the application security body of knowledge and allow the development of the Testing Guide to be an iterative rather than monolithic process.”
Close to 60 people have authored and reviewed the 220-page guide under the leadership of Andrew Muller, the leader of the Canberra OWASP Chapter, and Matteo Meucci, OWASP-Italy founder and CEO of Minded Security. OWASP is currently seeking aid in translating the guide into other languages.
“The OWASP Testing Guide includes a ‘best practice’ penetration testing framework which users can implement in their own organizations and a ‘low level’ penetration testing guide that describes techniques for testing most common web application and web service security issues,” Meucci said in a post on the Minded Security blog.
The OWASP Testing Guide Version 4 in PDF format is available here.