
SecurityWeek


OWASP Releases New Testing Guide

The Open Web Application Security Project (OWASP) announced on Wednesday the availability of version 4 of the OWASP Testing Guide.

According to the organization, OWASP Testing Guide Version 4 contains several changes compared to the previous version, including new chapters and a larger number of test cases. Version 3 of the guide was released on September 15, 2008, and as many experts have pointed out, a new version is needed to reflect the changes in the evolving cybersecurity landscape.

The latest version of the testing guide includes the Developers Guide and the Code Review Guide. OWASP believes the addition of these two flagship documentation products is important because the Testing and the Code Review guides are designed to help developers evaluate the security controls described in the Developers Guide.

New chapters have been introduced for identity management testing, cryptography, error handling and client-side testing. The number of test cases has been increased from 64 to 87.

“This version of the Testing Guide encourages the community not to simply accept the test cases outlined in this guide. We encourage security testers to integrate with other software testers and devise test cases specific to the target application,” OWASP said. “As we find test cases that have wider applicability we encourage the security testing community to share them and contribute them to the Testing Guide. This will continue to build the application security body of knowledge and allow the development of the Testing Guide to be an iterative rather than monolithic process.”

Close to 60 people have authored and reviewed the 220-page guide under the leadership of Andrew Muller, the leader of the Canberra OWASP Chapter, and Matteo Meucci, OWASP-Italy founder and CEO of Minded Security. OWASP is currently seeking aid in translating the guide into other languages.

“The OWASP Testing Guide includes a ‘best practice’ penetration testing framework which users can implement in their own organizations and a ‘low level’ penetration testing guide that describes techniques for testing most common web application and web service security issues,” Meucci said in a post on the Minded Security blog.

The OWASP Testing Guide Version 4 in PDF format is available here.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
