[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

bugtraq at cgisecurity.net
Mon Jul 13 16:47:23 EDT 2009


> The WASC "threat classification" is a mix of both attack-nodes and
> weakness-nodes, largely from a blackbox perspective.

The only part of this statement that I will agree with is that we don't have code samples
in every TC section (instead it demonstrates blackbox testing). This will change in
future versions and has vastly improved in the latest TC version.

We also welcome contributors :) 

> You could use both. ASVS as your process guide, but cover all the of the
> WASC/24 as part of your BB checklist of "things to test for".

To correct you, WASC 24 is an obsolete term. It is much larger than 24 now (closer to 50).

> OWASP tends to be a whiteboxed focused organization, and WASC tends to be a
> black-box focused organization, if that helps clarify for you.

I don't entirely agree with this. We don't have process-related projects, or secure-development-related
projects (teaching secure coding); however, this isn't intentional. We're open
to additional projects with the right scope/proposal/leader behind them. I'm considering starting
some sort of project doing just this after the TC is finished (one major project at a time :).

Regards,
 - Robert

> Whereas the WASC, being attack-node centric, does not have any "you must design
> your system like this". It is mostly a list of "you are weak to Attack Type
> X". Even systemic weaknesses (like a weak authorization system) are usually
> described in some form of a parameter-tampering attack.
> 
> Does that answer?
> 
> -- 
> Arian Evans
> 
> On Mon, Jul 13, 2009 at 11:09 AM, Roger Munk <roger.munk at gmail.com> wrote:
> 
> > I'm putting together a requirements list for black box web pen testing
> > and want to include a standards requirement. I've looked into the WASC
> > Threat Classification and OWASP's ASVS. The former seems to focus on
> > high-level threats, while the latter on testing controls present in
> > the app. With the release of version two of the threat classification,
> > which standard is more appropriate to use for web app pen testing and
> > why?
> >
> > Thanks,
> >  Roger
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> >

