Since 2001 the Open Web Application Security Project foundation has been leading a free, non-profit project aimed at promoting security of software in general and web applications in particular, running various projects and initiatives for this purpose. Under a Creative Commons licence, it produces and distributes at no charge high-quality material produced by dozens of professionals working in software development and security. Among this material there are guides, educational items, auditing tools, and so forth. Of the publications most valued in relation to the security audit sector, the guides published by the OWASP foundation have become a benchmark in the field of security of development and assessment of applications. In 2008 Version 3 of this guide was published, its translation into Spanish in 2009 having been produced with the active participation of INCIBE.
OWASP Testing Guide, Version 4.
Six years later, Version 4 of the OWASP Testing Guide has now been published, already being seen as an indispensable item, not only for professionals working in software development and testing, but also for those specializing in information security. These latter will find the publication to be an essential compendium for the security of web applications. Specifically, for developers it constitutes an ideal complement to other guides also published by the OWASP foundation: the Developer and Code Review guides.
The guide presents a method which goes in an organized and systematic way through all the possible areas that might be attack vectors for a web application. Thus, by following a well-organized checklist of tests, it is possible to carry out an efficient audit of the security of a web development.
Relative to Version 3, there has been revision and extension of all the topics raised. Furthermore, four new areas for checking have been added:
• Identity Management
• Error Handling
• Client Side Testing
Lifecycle and Test Framework
The guide likewise indicates how to organize an audit by stages in accordance with the state of progress of development of the application. In this way, activities are carried out over the whole of its lifecycle: those to be undertaken before development, those in the definition and design phase, during development, in roll-out, and finally in maintenance and support.
- Phases in Developing an Application -
With this organizational pattern, a framework of tests is proposed to identify and detail control points upon which the corresponding tests will be applied.
- Security Tests in the Development Cycle for an Application -
Control Points and Security Tests
The method proposes two phases of security testing. One is a passive phase, in which the operation of the application is observed and all its possible functionalities are brought into play. The aim of this phase is to understand the logic of operation and identify possible vectors for attacks, vulnerabilities, or both. There follows a second phase in which the tests proposed are executed actively according to the vectors identified in the former phase.
The tests are grouped into 11 categories, totalling 91 control points:
1. Information Gathering
2. Configuration and Deployment Management Testing
3. Identity Management Testing
4. Authentication Testing
5. Authorization Testing
6. Session Management Testing
7. Input Validation Testing
8. Error Handling
10. Business Logic Testing
11. Client Side Testing
The walk through these control points describes, in detail and with examples, the tests to be performed so as to detect possible vulnerabilities or weaknesses in each category. Topics of importance, such as SQL injection, information leaks, methods for authentication, weak encryption, incorrect parameter validation and many other are described in detail, providing auditors a clear view of the problem of security and countermeasures to be adopted.
A detailed list of the control points may be consulted on OWASP's wiki: Testing Checklist
Furthermore, the guide also includes a section directed towards the production of an audit report. This section proposes a model report structured as three main sections:
· An executive report, assessing in a clear and simple way the results obtained in the auditor, without going into technical details, and aimed at giving a high-level overview of the impact of what was found.
· A testing report, describing the technical details of the actions, scope and limitations in each test performed.
· A findings report, presenting the results from each test together with the countermeasures recommended to remedy the problems found correctly.
Finally, the guide ends with a very full appendix, which offers a multitude of references, tools and "cheat-sheets" with the commands, tricks and instructions of greatest use for testing.
Without any doubt, the OWASP guide is a document of great technical value that should be taken fully into account when evaluating the security of a web application.