[WEB SECURITY] WASC Threat Classification vs. OWASP ASVS

Vishal Garg vishal.garg at firstbase.co.uk
Thu Jul 16 11:55:38 EDT 2009

It is good to see that we have brought all three major documents into 
discussion (WASC-TCv2, ASVS and OWASP-TGv3). This is no criticism of 
WASC-TCv2, but I can really understand the real purpose of ASVS and 
TGv3 and know exactly how to use them. But I fail to understand the 
real purpose of TCv2, while TCv1 made much more sense by classifying 
threats in different categories (as the title says "Threat 
Classification"). TCv2 appears to have lost its purpose by listing 
different attacks and weaknesses without actually classifying them as 
such (sorry, again no criticism of anyone's hard work done here, as I 
know people put in lots of time and effort to create these 
documents). Therefore if I have to learn about some attack technique, 
I can refer to TCv2 and go through the technical details in the 
document, but I will struggle to find out what sort of issue that is 
and whether there are other similar issues in the application. What sort 
of controls would I require to mitigate these issues? If I know about 
all the similar issues an application has, then I may be able to find 
the best solution to mitigate these issues with the lowest possible 
cost and effort (in theory). But if I do not have this information in 
hand, I may treat them all as separate issues and would tend to find a 
solution for each separately, which may be wasted effort and cost, and I still 
may not be sure if all these controls are working as intended.

Again, I might be wrong, but the only point I'm trying to get across 
is that the classification provided in TCv1 served a much better 
purpose (at least to me) than in TCv2; the only thing is that we may 
have to scratch our heads a bit more to find a proper category to fit 
in all these new attack techniques, which may have multiple vectors involved.


At 13:06 15/07/2009 -0500, Matt Tesauro wrote:
>I'm going to add a third option to your list: OWASP Testing Guide v3,
>especially Chapter/Section 4:
>If your blackbox test covers the sections 4.2 to 4.11, it will be a
>thorough test:
>4.2 Information Gathering
>4.3 Configuration Management Testing
>4.4 Business Logic Testing
>4.5 Authentication Testing
>4.6 Authorization Testing
>4.7 Session Management Testing
>4.8 Data Validation Testing
>4.9 Testing for Denial of Service
>4.10 Web Services Testing
>4.11 Ajax Testing
>The other thing I like about the OWASP Testing Guide is that there are
>unique identifiers for each test, e.g. OWASP-IG-001 or OWASP-AT-002 [*].
>I use these for reporting, and much of the guide provides good
>boiler-plate for report generation.  I've used these as a standard to
>keep reporting consistent between apps and over time.
>This is no knock on the WASC TC - I've got that on the OWASP Live CD
>because it's _very_ useful. As soon as the next version is finalized, it
>will be on there too.
>-- Matt Tesauro
>OWASP Live CD Project Lead
>http://AppSecLive.org - Community and Download site
> >
> > I'm putting together a requirements list for black box web pen testing
> > and want to include a standards requirement. I've looked into the WASC
> > Threat Classification and OWASP's ASVS. The former seems to focus on
> > high level threats, while the latter on testing controls present in
> > the app. With the release of version two of the threat classification,
> > which standard is more appropriate to use for web app pen testing and
> > why?
> >
> > Thanks,
> >   Roger

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
