OWASP Testing Guide v3 Table of Contents

26th April 2008 This is the draft of table of content of the New Testing Guide. You can download the stable version or read it on line here

Also see http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Startup.

The new OWASP testing Guidev3: This analyze the OWASP Testing Guide v2 checklist and a plan for create the new v3.

1) security requirements tests derivazione functional and non functional test requirements and test cases through use e misuse cases. 2) security tests integrated in developers and testers workflows: 2.a Developers security tests; Unit Tests, component levels tests 2.b Functional testers security tests: integrated system tests, tests in UAT and production environment 3) Security test data analysis and reporting: root cause identification and business/role case test data reporting


 * 1) Methodical Testing (new category) <-- (Mat) needs explanation
 * 2) Authorization testing missing. (new category)
 * 3) Information gathering is not a vulnerability
 * 4) Business logic testing
 * 5) Infrastructural test  (new category) *this has to only concentrate on 80 and 443 and other web related testing
 * 6) Web Services section needs improvement
 * 7) AJAX Testing section needs improvement
 * 8) Testing Methodology section updates (requirements, plans, levels and environments)
 * 9) New category: Client side Testing
 * 10) New category: Thick Client Testing
 * 11) New category: Flash/Silverlight Applications
 * 12) New category: Assessing Financial Applications
 * 13) New category: Fuzzing (we have the vectors, but this should explain the whole concept)

Proposed new categories for the OTG v3:
 * OTG Form Templates
 * OTG Request for Quote (RFQ) (new)
 * OTG 3rd Party Assessment Authorization Form (new)
 * OTG Sample Report (new)
 * Passive Mode
 * Information Gathering
 * Business logic testing
 * Web Application Penetration Testing
 * Infrastructural testing
 * Authentication Testing
 * Authorization Testing (new)
 * Session Management Testing
 * Data Validation Testing
 * Denial of Service Testing
 * Web Services Testing
 * Client-Side Testing
 * AJAX Testing
 * Flash Testing (new)
 * RIA stuff (new)