OWASP_Testing_Guide_-_OWASP_Summit_2011

《OWASP_Testing_Guide_-_OWASP_Summit_2011》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、PlanningtheOWASPTestingGuidev4MatteoMeucci,GiorgioFedon,PavolLuptakAGENDA•FewwordsabouttheTGhistoryandadoptionbytheCompanies•WhyweneedtheCommonNumberingandCommonVulnerabilitylist•Updatethesetoftest•V4RoadmapWhatistheOWASPTestingGuide?Wherearewenow?TestingGuidehistory•J

2、anuary2004–"TheOWASPTestingGuide",Version1.0•July14,2004–"OWASPWebApplicationPenetrationChecklist",Version1.1•December25,2006–"OWASPTestingGuide",Version2.0•December16,2008–"OWASPTestingGuide",Version3.0–ReleasedattheOWASPSummit08ProjectComplexityPages400350300250200Pa

3、ges150100500v1v1.1v2v3OWASPTestingGuidev3•SANSTop202007•NIST“TechnicalGuidetoInformationSecurityTesting(Draft)”•GaryMcGraw(CTOCigital)says:“InmyopinionitisthestrongestpieceofIntellectualPropertyintheOWASPportfolio”–OWASPPodcastbyJimManicoTestingGuidev3:Index1.Frontispi

4、ece2.Introduction3.TheOWASPTestingFramework4.WebApplicationPenetrationTesting5.WritingReports:valuetherealriskAppendixA:TestingToolsAppendixB:SuggestedReadingAppendixC:FuzzVectorsAppendixD:EncodedInjectionWhatarethedifferencebetweentheOWASPTestingGuideandanotherbookabo

5、utWebAppPenTesting?WebApplicationPenetrationTesting•OWASPTestingGuideisdrivenbyourCommunity•It’srelatedtotheotherOWASPguides•Ourapproachinwritingthisguide–Open–Collaborative•Definedtestingmethodology–Consistent–Repeatable–Underquality9TestingGuideCategories&vulnerabili

6、tylistWhatweneednowtoimprovethev3andplanthev4?OWASPCommonVulnerabilityListWeneedacommonvulnerabilitylist12LookingattheTestingGuideCategories&vulnerabilitylistThenewteamAndrewMullerMikeHryekewiczAungKhAntNickFreemanCecilSuNorbertSzeteiColinWatsonPaoloPeregoDanielCuthber

7、tPavolLuptakGiorgioFedonPsiinonJasonFloodRaySchippersJavierMarcosdePradoRobertSmithJuanGalianaLaraRobertWinkelKenanGursoyRobertoSuggiLiveraniKevinHorvatSebastienGioriaLodeVanstechelmanStefanoDiPaolaMarcoMoranaSumitSiddharthMattChurchyThomasRyanMatteoMeucciTimBertelsMic

8、haelBomanTripurariRaiWagnerEliasProposedv4list:let’sdiscussitCategoryVulnerabilitynameWhereimplementedSourceInformati