Comments (18)
Hi @gitcnd! I think this issue could make a useful addition to the Introduction section (2.x). Are you still interested in covering it?
If so, might we start with a point-form list of the advice you'd like to cover? That way we can give some feedback with minimal time investment to start.
from wstg.
While I don't disagree that human factors need accounting for I'm not sure this is specifically applicable to the Testing Guide project.
This is a simple "duty of care" issue. The fines for getting this stuff wrong in the EU are now crippling, it's only going to take one lawsuit where the victim comes looking for the cause when you're going to realize it was prudent to warn those victims in advance about what your guide leaves out.
Think about it this way: you're in an accident, and the life-support system keeping you alive was "signed off" for production after being tested with your guide. Do you want the compliance people to have tested all the known security oversights, or just the ones in your guide? If it's all, then your guide needs to tell them that it is not all.
I'm sure it'll be suitably prefaced.
It's a guide not a standard. Plus the day after it's published there'll be some new attack and hence test type that it fails to cover.
@kingthorin I believe this can be added as part of what to look for. Like if it doesn't contain this, it can rank a low somewhere if the task is pretty heavy? Such as a transaction, or something similar. What do you think?
@kingthorin I am actually reconsidering this. First and foremost, I believe this issue needs rewording. Can you maybe help me do that? And are you 💯 with this issue? Would you like us to discuss it and see how it can be done to improve the guide, or just remove it?
I'm happy to help with this. I wrote the pen-testing Guide for the Australian Trusted Digital Identity Framework, so much of the work needed is already done. I'm pretty busy though - can someone give me a heads-up on how and where this preface should go, and what I need to do to submit something for consideration?
Hi Victoria - sure; I will take a stab at some points. Can we also reword some things? e.g.: "This framework helps organizations test their web applications in order to build reliable and secure software." which is misleading. WE know that the sentence means "HELPS", but the consumers of this guide are not going to interpret that sentence that way - they're going to read "do this and you are secure"; and they're not going to understand that they've not yet considered more than half the problem.
Here is an antique version from 13+ years ago:
(use the "Edit" link to view that - something turned my text into HTML without fixing the line endings)
I'll do a newer one with updates and fixed formatting that stays on topic for you as well.
@gitcnd any news/progress?
@gitcnd any news/progress?
It's actually a lot more work than I realized, plus I'm somewhat disillusioned because I've done similar things in the past and ended up having it all discarded by folk who over-zealously enforce scope demarcation. My philosophy is "fix the problem", but 99% of the security world worships a different theme: "keep the scope so narrow that all holes are someone else's problem". (Or, tin-foil hat on, they're enforcing a hidden nation-state agenda, or protecting a commercial product that's insecure, or making money from services based on the insecurity; you never can tell what the real reason is behind obvious security-reducing decisions these days.)
p.s. What's the answer to my question - is re-wording stuff that misleads the layperson on the agenda or not?
Okay, the core team can tackle it. There is a scope, and it is a guide, not a standard. Yes, things can be re-worded. But I don't want you to end up feeling you've wasted time or effort.
Thanks for your ideas and references so far!
Just to add a bit on the above.
@gitcnd If someone up the line dismissed your thoughts and ideas, it doesn't mean they're correct. We don't enjoy throwing this onto someone else's plate. That's not the direction that AppSec is taking.
Would you prefer working on this with us? We can share ideas and thoughts between here and Slack, and then agree on what could be done and what could be accepted, without making it weigh down on you. We wouldn't want that to happen to any contributor!
Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.
Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.
Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.
Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.