[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

Arian J. Evans arian.evans at anachronic.com
Mon Jul 13 15:36:36 EDT 2009

The WASC "threat classification" is a mix of both attack-nodes and
weakness-nodes, largely from a blackbox perspective.

ASVS is primarily Whitebox and a process and "requirements" document. The
WASC 24 covers none of that.

You could use both. ASVS as your process guide, but cover all of the
WASC/24 as part of your BB checklist of "things to test for".

OWASP tends to be a whitebox-focused organization, and WASC tends to be a
black-box focused organization, if that helps clarify for you.

The ASVS has "requirements" which WASC does not. Many are good, but some are
arbitrary requirements, like "verify validation is done with whitelists".

You have to take these types of absolutes provided without any business
context with a grain of salt. Sometimes whitelists work, and sometimes they
are just not feasible, and sometimes blacklists actually work better (not
often, but sometimes). At the end of the day the business context is
everything. Aside from that stuff, ASVS looks like a great "process guide"
to start with if you want to do more than blackbox test.

Whereas the WASC, being attack-node centric, does not have any "you must design
your system like this". It is mostly a list of "you are weak to Attack Type
X". Even systemic weaknesses (like a weak authorization system) are usually
described in some form of a parameter-tampering attack.

Does that answer?

Arian Evans

On Mon, Jul 13, 2009 at 11:09 AM, Roger Munk <roger.munk at gmail.com> wrote:

> I'm putting together a requirements list for black box web pen testing
> and want to include a standards requirement. I've looked into the WASC
> Threat Classification and OWASP's ASVS. The former seems to focus on
> high level threats, while the latter on testing controls present in
> the app. With the release of version two of the threat classification,
> which standard is more appropriate to use for web app pen testing and
> why?
> Thanks,
>  Roger