[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

robert at webappsec.org
Mon Jul 13 16:41:30 EDT 2009


> Now, the WASC folks are super smart, and the threat classification is
> a solid body of work. Control based AppSec is not something I hear
> about often on these lists.

I agree. I don't see this as intentional though, and I'd actually like more SDLC discussions
on this list. For that matter, WASC isn't opposed to an SDLC-style project; it would just
require the right project leader with the right focus.

Regards,
- Robert


> 
> Jim Manico
> 
> On Jul 13, 2009, at 1:01 PM, robert at webappsec.org wrote:
> 
> > Hello Roger,
> >
> > I lead the WASC TCv2 project and will be able to answer your
> > questions, albeit with a bias towards the TC.
> > For starters I am not the best person to speak on behalf of the
> > OWASP ASVS project (maybe they will respond?)
> > so I simply won't speak on it other than to say it appears to focus
> > more on process and maturity levels.
> >
> > Second, please take a peek at
> > http://projects.webappsec.org/Using-the-Threat-Classification as it outlines
> > ways people use the TC (myself included). Speaking on my own
> > personal experience (and others that I know)
> > I use the TC as
> >
> > A checklist:
> > I use the TC as a checklist of potential security issues (the TC
> > breaks this up into attacks and weaknesses)
> > that my application/site is likely to be affected by. I evaluate
> > which functionality my application offers from
> > a business and technical perspective and map that functionality to
> > possible weaknesses and attacks that will need
> > to be evaluated during a security review. For example, if my
> > application uses XML and XQuery I'd add XML Injection
> > (http://projects.webappsec.org/XML-Injection) and XQuery Injection
> > (http://projects.webappsec.org/XQuery-Injection)
> > to a list of security concerns, effectively creating a minimum
> > security test plan/threat model. I then ensure my
> > security evaluations/testing are checking (at the least) for the
> > attacks and weaknesses against this list. I've
> > personally had a situation where I've used the TC on a pen test with
> > a 3rd party and asked if they performed 'x'
> > testing, to which they responded no. Shortly after, they performed the
> > testing and found an 'x' issue. In this situation
> > I used the TC as a checklist and it resulted in a finding that may
> > or may not have been discovered had I not asked.
> >
> > Reference Material
> > When I file a security defect I provide a URL to the appropriate TC
> > section for additional reading by development
> > and/or QA. This saves me time rewriting/explaining the issue and
> > being too brief. The TCv2 subsections are all group
> > peer reviewed in multiple phases and once they are completed are
> > locked (random website visitors cannot modify them
> > as with a traditional wiki).
> >
> > Security Metrics
> > In particular, the ability to flag defects with a certain attack or
> > weakness flag allows me to gain better insight into
> > the more prevalent issues. This has been useful in developing better
> > security training, enhancing security testing/finding
> > gaps, and evaluating priority for security component development.
> >
> > Chances are you'd probably utilize both for different aspects in
> > your security program.
> > Based on your email I will likely write an in-depth article on using
> > the TC beyond the light wiki page above
> > as we near publication.
> >
> > Regards,
> > - Robert Auger
> > WASC Co-Founder and Threat Classification v2 Project Leader
> > http://www.webappsec.org/
> >
> >>
> >> I'm putting together a requirements list for black box web pen
> >> testing
> >> and want to include a standards requirement. I've looked into the WASC
> >> Threat Classification and OWASP's ASVS. The former seems to focus on
> >> high level threats, while the latter on testing controls present in
> >> the app. With the release of version two of the threat
> >> classification,
> >> which standard is more appropriate to use for web app pen testing and
> >> why?
> >>
> >> Thanks,
> >>  Roger
> >


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
