OWASP Summit Outcome

OWASP Testing Guide v5 Track at the OWASP SUMMIT 2017
-----------------------------------------------------

14-15th June, 2017

TASKS DONE:
---------------------
- Brainstorming regarding the new activities to perform to improve the guide
- Alignment with OWASP guides: Development Guide, Code Review Guide, ASVS, Top10, Testing Checklist, ZAP, Vulnerability list
- Discussion on tools
- Add the list of new tests to the v5

OUTCOME
-----------------
NEW TESTS TO WRITE:
- Server-Side Request Forgery (SSRF)
- Server-side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Self Based DOM XSS
- Authorization bypass horizontal 
- Authorization bypass vertical
- Server-Side Template Injection (SSTI) 
- Host Header Attack
- SPARQL Injection
- Testing for Deserialization of untrusted data
- API Abuse
- Testing Content Security Policy V2 (CSP)?
- Testing for SSO?

REVIEW:
- Client Side Testing
- ORM Injection 
- Authorization Testing
- Information and Config management testing
- Authentication Testing: add oauth testing
- Reporting: adding how to create security testing case for devs
- https://www.owasp.org/index.php/Test_Local_Storage_(OTG-CLIENT-012) add Client Side SQLi

Two questions for OWASP:
------------------------------------
- TOOLS discussion: in the old version of Testing Guide we cited open source and commercial ones for each type of test to perform that could help during the analysis. Would you like to cite both?

- CWE: many companies are using this standard, but at the moment not all the Testing Guide tests are mapped to a specified CWE. Is it possible to set up a working team with CWE in order to update it with all the tests we describe in the Testing Guide?