Comments (18)

victoriadrake commented on July 17, 2024

Hi @gitcnd! I think this issue could make a useful addition to the Introduction section (2.x). Are you still interested in covering it?

If so, might we start with a point-form list of the advice you'd like to cover? That way we can give some feedback with minimal time investment to start.

from wstg.

kingthorin commented on July 17, 2024

While I don't disagree that human factors need accounting for I'm not sure this is specifically applicable to the Testing Guide project.

gitcnd commented on July 17, 2024

This is a simple "duty of care" issue. The fines for getting this stuff wrong in the EU are now crippling, it's only going to take one lawsuit where the victim comes looking for the cause when you're going to realize it was prudent to warn those victims in advance about what your guide leaves out.

Think about it this way: you're in an accident, and the life-support system keeping you alive was "signed off" for production after being tested with your guide. Do you want the compliance people to have tested all the known security oversights, or just the ones in your guide? If it's all, then your guide needs to tell them that it is not all.

kingthorin commented on July 17, 2024

I'm sure it'll be suitably prefaced.

It's a guide not a standard. Plus the day after it's published there'll be some new attack and hence test type that it fails to cover.

ThunderSon commented on July 17, 2024

@kingthorin I believe this can be added as part of what to look for. Like if it doesn't contain this, it can rank a low somewhere if the task is pretty heavy? Such as a transaction, or something similar. What do you think?

ThunderSon commented on July 17, 2024

@kingthorin I am actually reconsidering this. First and foremost, I believe this issue needs rewording. Can you maybe help me do that? And are you 💯 with this issue? Would you like that we discuss it and see how it can be done to improve the guide, or just remove it?

gitcnd commented on July 17, 2024

I'm happy to help with this. I wrote the pen-testing Guide for the Australian Trusted Digital Identity Framework, so much of the work needed is already done. I'm pretty busy though - can someone give me a heads-up on how and where this preface should go, and what I need to do to submit something for consideration?

gitcnd commented on July 17, 2024

Hi Victoria - sure; I will take a stab at some points. Can we also reword some things? e.g.: "This framework helps organizations test their web applications in order to build reliable and secure software." which is misleading. WE know that the sentence means "HELPS", but the consumers of this guide are not going to interpret that sentence that way - they're going to read "do this and you are secure"; and they're not going to understand that they've not yet considered more than half the problem.

gitcnd commented on July 17, 2024

Here is an antique version from 13+ years ago:-

https://wiki.owasp.org/index.php?title=Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data&action=edit

(use the "Edit" link to view that - something turned my text into HTML without fixing the line endings)

I'll do a newer one with updates and fixed formatting that stays on topic for you as well.

kingthorin commented on July 17, 2024

@gitcnd any news/progress?

gitcnd commented on July 17, 2024

It's actually a lot more work than I realized, plus I'm somewhat disillusioned because I've done similar things in the past and ended up having it all discarded by folk who over-zealously enforce scope-demarcation. My philosophy is "fix the problem", but 99% of the security world worships a different theme: "keep the scope so narrow that all holes are someone else's problem". (or, tin-foil-hat-on, they're enforcing a hidden nation-state agenda or protecting a commercial product that's insecure or making money from services based on the insecurity - you never can tell what the real reason is behind obvious security-reducing decisions these days).

p.s. What's the answer to my question - is re-wording stuff that misleads the layperson on the agenda or not?

kingthorin commented on July 17, 2024

Okay the core team can tackle it. There is a scope and it is a guide not a standard. Yes things can be re-worded. But, I don’t want you to end up feeling you’ve wasted time or effort.

Thanks for your ideas and references so far!

ThunderSon commented on July 17, 2024

Just to add a bit on the above.
@gitcnd If someone up the line dismissed your thoughts and ideas, it doesn't mean they're correct 😄 We don't enjoy throwing this to someone else's plate. Not the direction that AppSec is taking.

Would you prefer working this with us? We can share ideas and thoughts between here and Slack, and then agree on what could be done and what could be accepted, without making it weigh down on you. We wouldn't want that to happen to any contributor!

github-actions commented on July 17, 2024

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions commented on July 17, 2024

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.