Advocates with the web application security consortium OWASP published the latest iteration of its Testing Guide this week.
The guide, celebrating its 10th anniversary this year, is an informational manual designed to teach developers how to build and maintain secure applications in the face of ongoing threats.
Started in 2001 and later organized as a not-for-profit charitable foundation, OWASP, the Open Web Application Security Project, released its first Testing Guide in 2004. The fourth version (v4) of the guide (.PDF) builds on the previous version, published in 2008, in three ways.
For v4 the group integrated the Testing Guide with its Developers Guide and Code Review Guide, increased the number of test cases it includes and, perhaps most importantly, challenged its users to share their findings with other security testers in order to bolster the wiki version of the Testing Guide.
The massive 222-page report digs into the basics (What is testing? Why perform testing? When to test?) but also gets into the particulars of building testing into a software development life cycle (SDLC) and identifying and mitigating vulnerabilities.
The report encourages pen testers to develop metrics, use threat modeling to evaluate potential threats and to understand the scope of security as a whole.
One thing that had not yet taken shape when v3 was published in 2008 was HTTP Strict Transport Security (HSTS), which was only standardized later (RFC 6797, 2012). Version 4 of the guide now explains how testers can check for the presence of the HSTS header, a response header with which a web site instructs browsers to reach it only over HTTPS for the period given by its max-age directive, so that later plain-HTTP requests are upgraded before they leave the browser.
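The check the guide describes is small enough to show end to end. The following is an added example written for this article, not code from the OWASP Testing Guide: it parses a Strict-Transport-Security header value the way a browser does (RFC 6797 syntax) and reports the findings a tester would record. The sample responses are constructed, not captured from any real site, and the one-year minimum for max-age is an assumption of this example; the guide itself only asks whether the header is present.

```python
"""Evaluate the HSTS header in a captured HTTPS response.

Added example for this article; not part of the OWASP Testing Guide.
The responses below are constructed test data, not captures from a real site.
"""
import re

# Assumption of this example: a production site should commit to at least a year.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.

    Follows RFC 6797: directives are ';'-separated, names are case-insensitive,
    max-age may be a quoted string, unknown directives are ignored, and a header
    that repeats a directive is invalid (browsers then ignore it entirely).
    """
    result = {"max_age": None, "include_subdomains": False,
              "preload": False, "valid": True}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            result["valid"] = False
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(headers, scheme="https"):
    """Return a list of findings for one response (headers: dict name -> value).

    Browsers only honour HSTS received over HTTPS, so a plain-HTTP response is
    flagged regardless of its headers. Header names are matched case-insensitively.
    """
    findings = []
    if scheme != "https":
        findings.append("HSTS is ignored over plain HTTP; test the HTTPS response")
        return findings
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("Strict-Transport-Security header missing")
        return findings
    parsed = parse_hsts(value)
    if not parsed["valid"]:
        findings.append("duplicate directive; browsers ignore the whole header")
        return findings
    if parsed["max_age"] is None:
        findings.append("max-age missing or invalid; browsers ignore the header")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 clears HSTS state instead of enforcing it")
    elif parsed["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max_age']} is below {MIN_MAX_AGE} seconds")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains absent; subdomains stay reachable over HTTP")
    return findings


# Constructed sample responses (not real captures).
GOOD_RESPONSE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK_RESPONSE = {"strict-transport-security": "max-age=300"}
MISSING_RESPONSE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, resp in [("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE),
                        ("missing", MISSING_RESPONSE)]:
        print(label, check_hsts(resp) or ["OK"])
```

A tester would run `check_hsts` over the headers of the site's HTTPS landing page and of a few redirect targets, since a header set on one host but not on its subdomains is a common gap that the includeSubDomains finding catches.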
The paper goes on to give developers a handful of other tips and techniques with regards to testing authentication, browser weaknesses and privilege escalation, among many other topics.
As Eoin Keary, a Global Board Member at OWASP, points out in the guide’s foreword, creating an instructional manual of this magnitude is a “huge undertaking.”
In Version 4’s case, it took 18 months and relied on input from 60 of the group’s 40,000+ members according to the report’s frontispiece.
While Keary concedes at one point that there’s “not nearly enough application security experts in the world to make any significant dent in the overall problem,” OWASP still believes that, for the greater good, the guide must make it into the hands of developers and software testers.
“This guide is a great testament to the passion and energy our members and project volunteers have for this subject,” Keary says. “It shall certainly help change the world a line of code at a time.”
As usual, since the guide is available under a free and open license, OWASP is encouraging developers to share and remix it freely.