This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Testing Guide Table of Contents"

From OWASP
Jump to: navigation, search
(Changed V2 to V3, Redirect to v3)
 
(25 intermediate revisions by 8 users not shown)
Line 1: Line 1:
==[[Testing Guide Frontispiece|Frontispiece]]==
+
#REDIRECT [[OWASP_Testing_Guide_v3_Table_of_Contents]]
#Copyright and License
 
#Endorsements
 
#Trademarks
 
  
==[[Testing Guide Introduction|Introduction]]==
+
Note: This page is not in use any more since it contained the 1st version of the OWASP Testing guide
#Performing An Application Security Review
 
#Principles of Testing
 
#Testing Techniques Explained
 
  
==[[Methodologies Used]]==
+
PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V3:
#Secure application design
+
http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents
#Code Review (See the code review project)
 
#*Overview
 
#*Advantages and Disadvantages
 
#Penetration Testing
 
#*Overview
 
#*Advantages and Disadvantages
 
#The Need for a Balanced Approach
 
#A Note about Web Application Scanners
 
#A Note about Static Source Code Review Tools
 
 
 
==[[Finding Specific Issues In a Non-Technical Manner]]==
 
#Threat Modeling Introduction
 
#Design Reviews
 
#Threat Modeling the Application
 
#Policy Reviews
 
#Requirements Analysis
 
#Developer Interviews and Interaction
 
 
 
==Finding Specific Vulnerabilities Using Source Code Review==
 
 
 
''For code review please see the [[:Category:OWASP_Code_Review_Project|OWASP Code Review Project]]
 
 
 
==[[Manual testing techniques]]==
 
#[[Business logic testing]] - <TBD>
 
#[[Authentication Testing Guide|Authentication]]
 
#[[How to perform cookie manipulation test|Cookie manipulation]]
 
#[[How to test for weak session tokens|Weak session tokens]]
 
#[[How to perform session riding test|Session riding test]]
 
#[[Testing for Cross site scripting vulnerabilities]]
 
#[[Testing for vulnerable remember password implementation]]
 
#[[Weak Password Self-Reset Testing]]
 
#[[Testing for default or guessable user accounts and empty passwords]]
 
#[[Testing for application layer Denial of Service (DoS) attacks]]
 
#*[[DoS Testing: Locking Customer Accounts]]
 
#*[[DoS Testing: Buffer Overflows]]
 
#*[[DoS Testing: User Specified Object Allocation]]
 
#*[[DoS Testing: User Input as a Loop Counter]]
 
#*[[DoS Testing: Writing User Provided Data to Disk]]
 
#*[[DoS Testing: Failure to Release Resources]]
 
#*[[DoS Testing: Storing too Much Data in Session]]
 
#[[Testing for buffer overflow]]
 
#*[[Testing for heap overflow vulnerability]]
 
#*[[Testing for stack overflow vulnerability]]
 
#*[[Testing for format string vulnerability]]
 
#[[Testing for test and debug files]]
 
#[[Testing file extensions handling]]
 
#[[Testing for Old, backup and unreferenced files]]
 
#[[Testing defense from Automatic Attacks]]
 
#[[Testing configuration Management Infrastructure]]
 
#[[Sensitive data in URL’s]]
 
#[[SSL / TLS cipher specifications and requirements for site]]
 
#[[Web Services Security Testing]]
 
#[[References]]
 
#[[Testing Tools|Tools]]
 
 
 
==[[The OWASP Testing Framework]]==
 
#Overview
 
#Phase 1 — Before Development Begins
 
#*Phase 1A: Policies and Standards Review
 
#*Phase 1B: Develop Measurement and Metrics Criteria (Ensure Traceability)
 
#Phase 2: During Definition and Design
 
#*Phase 2A: Security Requirements Review
 
#*Phase 2B: Design an Architecture Review
 
#*Phase 2C: Create and Review UML Models
 
#*Phase 2D: Create and Review Threat Models
 
#Phase 3: During Development
 
#*Phase 3A: Code Walkthroughs
 
#*Phase 3B: Code Reviews
 
#Phase 4: During Deployment
 
#*Phase 4A: Application Penetration Testing
 
#*Phase 4B: Configuration Management Testing
 
#Phase 5: Maintenance and Operations
 
#*Phase 5A: Conduct Operational Management Reviews
 
#*Phase 5B: Conduct Periodic Health Checks
 
#*Phase 5C: Ensure Change Verification
 
#A Typical SDLC Testing Workflow
 
#* Figure 3: Typical SDLC Testing Workflow.
 
 
 
==[[Appendix A: Testing Tools]]==
 
#Source Code Analyzers
 
#Open Source / Freeware
 
#*Commercial
 
#Black Box Scanners
 
#*Open Source
 
#*Commercial
 
#Other Tools
 
#*Runtime Analysis
 
#*Binary Analysis
 
#*Requirements Management
 
 
 
==[[Appendix B: Suggested Reading]]==
 
#Whitepapers
 
#Books
 
#Articles
 
#Useful Websites
 
#OWASP — http://www.owasp.org
 
 
 
==[[Figures]]==
 
#Figure 1: Proportion of Test Effort in SDLC.
 
#Figure 2: Proportion of Test Effort According to Test Technique.
 
#Figure 3: Typical SDLC Testing Workflow.
 
 
 
[[Category:OWASP Testing Project]]
 
[[Category:Test]]
 

Latest revision as of 23:27, 17 September 2013

Note: This page is not in use any more since it contained the 1st version of the OWASP Testing guide

PLEASE, REFER TO THIS URL FOR THE TESTING GUIDE V3: http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents