[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

Jeff Williams planetlevel at gmail.com
Wed Jul 15 21:22:12 EDT 2009

Glad to see this discussion.  Sorry I'm late.


ASVS is not a process guide at all.  ASVS defines the set of requirements for
security controls that need to be verified in an appsec scan/code
review/pentest/architecture review.  The process you use to do this
verification is up to you.  To allow organizations to compare the coverage
of different application security services in the market, ASVS has 4 levels:
1. automated, 2. manual, 3. architecture, and 4. internal.  Very few
commercial applications are reviewed beyond level 2.


Philosophically, ASVS (and OWASP for that matter) doesn't really care
whether you use a black-box or white-box technique to verify the
requirements. I suggest you use the cheapest approach on a
requirement-by-requirement basis depending on the particular application to
be verified.  Any other approach will waste money by definition.


Organizing security reviews around security controls makes sense (to me
anyway). It's just easier to understand the coverage. It's *possible* to
organize these efforts around attacks and weaknesses, but there are so many
of them that completeness becomes very difficult.  Is there a plan to cover
the 700+ CWE in the TC?

From: arian.evans at gmail.com [mailto:arian.evans at gmail.com] On Behalf Of
Arian J. Evans
Sent: Monday, July 13, 2009 3:37 PM
To: Roger Munk; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] WASC Threat Classification vs. OWASP ASVS


The WASC "threat classification" is a mix of both attack-nodes and
weakness-nodes, largely from a blackbox perspective.

ASVS is primarily Whitebox and a process and "requirements" document. The
WASC 24 covers none of that.

You could use both. ASVS as your process guide, but cover all of the
WASC/24 as part of your BB checklist of "things to test for".

OWASP tends to be a white-box-focused organization, and WASC tends to be a
black-box-focused organization, if that helps clarify for you.

The ASVS has "requirements" which WASC does not. Many are good, but some are
arbitrary requirements, like "verify validation is done with whitelists".

You have to take these types of absolutes provided without any business
context with a grain of salt. Sometimes whitelists work, and sometimes they
are just not feasible, and sometimes blacklists actually work better (not
often, but sometimes). At the end of the day the business context is
everything. Aside from that stuff, ASVS looks like a great "process guide"
to start with if you want to do more than blackbox test.

Whereas the WASC, being attack-node centric, does not have any "you must design
your system like this". It is mostly a list of "you are weak to Attack Type
X". Even systemic weaknesses (like a weak authorization system) are usually
described in some form of a parameter-tampering attack.

Does that answer?

Arian Evans

On Mon, Jul 13, 2009 at 11:09 AM, Roger Munk <roger.munk at gmail.com> wrote:

I'm putting together a requirements list for black box web pen testing
and want to include a standards requirement. I've looked into the WASC
Threat Classification and OWASP's ASVS. The former seems to focus on
high level threats, while the latter on testing controls present in
the app. With the release of version two of the threat classification,
which standard is more appropriate to use for web app pen testing and
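
Arian's remark above about the ASVS requirement "verify validation is done with
whitelists" is the one point in this thread that a short piece of code makes
concrete. The Python below is an added example; it is not code from any of the
posters, from ASVS or from the WASC TC. It contrasts an allow-list check on a
structured field with a deny-list check, and then shows the free-text case where
an allow-list is not feasible and the real protection has to come from the sink
(HTML output encoding, a parameterised query). The field names, regexes, currency
set and sample inputs are all constructed for illustration.

```python
"""Allow-list vs. deny-list input validation, and the free-text case.

Added example. ORDER_ID_RE, ALLOWED_CURRENCIES, DENY_CHARS and every sample
string below are constructed for illustration, not taken from a real system.
"""
import html
import re
import sqlite3

# --- Allow-list on a structured field -------------------------------------
# A hypothetical order identifier shaped ORD-<8 digits>. The legitimate value
# space is small and precisely describable, so an allow-list is the right tool.
ORDER_ID_RE = re.compile(r"^ORD-\d{8}$")


def validate_order_id(value: str) -> bool:
    """True only for exactly 'ORD-' followed by eight digits."""
    return ORDER_ID_RE.fullmatch(value) is not None


# Allow-list by enumeration: a closed set of known values (constructed).
ALLOWED_CURRENCIES = frozenset({"USD", "EUR", "GBP"})


def validate_currency(value: str) -> bool:
    """Membership test; case-sensitive on purpose, 'usd' is not a known code."""
    return value in ALLOWED_CURRENCIES


# --- Deny-list, shown for contrast ----------------------------------------
# Rejects anything containing characters that "look dangerous". It turns away
# legitimate data (a surname with an apostrophe) while saying nothing about
# encodings or contexts it did not anticipate.
DENY_CHARS = frozenset("<>'\";")


def denylist_check(value: str) -> bool:
    """True when none of the denied characters occur. Not a real defence."""
    return not any(c in DENY_CHARS for c in value)


# --- Free text: allow-list not feasible -----------------------------------
# Names and comments cannot be enumerated, so validation here is limited to
# length and a sane character class. Anything that survives is then made safe
# at the sink, never by trying to spot "bad" substrings.
MAX_COMMENT_LEN = 500


def validate_free_text(value: str) -> bool:
    """Bound the length and drop control characters other than tab/newline."""
    if not 1 <= len(value) <= MAX_COMMENT_LEN:
        return False
    return all(ch.isprintable() or ch in "\n\t" for ch in value)


def render_comment_html(value: str) -> str:
    """Encode for an HTML text node. This, not input filtering, stops XSS."""
    return html.escape(value, quote=True)


def build_comment_query(value: str):
    """Return (sql, params); the driver handles quoting, so the apostrophe
    in O'Brien is data, not syntax."""
    return ("INSERT INTO comments (body) VALUES (?)", (value,))


def store_and_fetch(value: str) -> str:
    """Round-trip a comment through an in-memory SQLite table using the
    parameterised statement, returning exactly what was stored."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE comments (body TEXT)")
        sql, params = build_comment_query(value)
        conn.execute(sql, params)
        return conn.execute("SELECT body FROM comments").fetchone()[0]
    finally:
        conn.close()


def demo() -> dict:
    """Run the constructed samples through each check."""
    name = "O'Brien"                              # legitimate free text
    payload = "Robert'); DROP TABLE comments;--"   # passes free-text validation
    return {
        "order_ok": validate_order_id("ORD-12345678"),
        "order_injected": validate_order_id("ORD-1234' OR 1=1--"),
        "name_denylist": denylist_check(name),        # False: real name rejected
        "name_free_text": validate_free_text(name),   # True
        "payload_free_text": validate_free_text(payload),  # True: sink must cope
        "payload_stored": store_and_fetch(payload),   # stored verbatim, harmless
        "xss_encoded": render_comment_html("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The split this makes is the business-context point from the thread: where the
value space is closed (an ID format, a currency code) the ASVS allow-list
requirement is cheap and exact; where it is open (names, comments) the allow-list
degenerates to length and character-class limits and the sink encoding or
placeholder carries the security argument.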
