[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS]

Matt Tesauro mtesauro at gmail.com
Wed Jul 15 14:06:04 EDT 2009

I'm going to add a third option to your list: OWASP Testing Guide v3

Especially Chapter/Section 4:

If your blackbox text covers the sections 4.2 to 4.11, it will be a
thorough test:
4.2 Information Gathering
4.3 Configuration Management Testing
4.4 Business logic testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Testing for Denial of Service
4.10 Web Services Testing
4.11 Ajax Testing

The other thing I like about the OWASP Testing Guide is that there are
unique identifiers for each test e.g OWASP-IG-001 or OWASP-AT-002 [*].
I uses these for reporting and much of the guide provide good
boiler-plate for report generation.  I've used these as a standard to
keep reporting consistent between apps and over time.

This is no knock on the WASC TC - I've got that on the OWASP Live CD
because its _very_ useful. As soon as the next version is finalized, it
will be on there too.



-- Matt Tesauro
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site

> I'm putting together a requirements list for black box web pen testing
> and want to include a standards requirement. I've looked intothe WASC
> Threat Classification and OWASP's ASVS. The former seems to focus on
> high level threats, while the latter on testing controls present in
> the app. With the release of version two of the threat classification,
> which standard is more appropriate to use for web app pen testing and
> why?
> Thanks,
>   Roger

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list