Add an abbreviated Top-10 focused guide

[J3rry367]

As a consultant, I run into a lot of smaller groups who aren't looking to pay for the number of hours it takes to work through the full ASVS. This is especially the case when the client has multiple web apps they need to have reviewed, we end up having to submit bids for abbreviated reviews where we focus solely on the Top-10.

It would be great if there was a quick and dirty testing guide that could be offered as a bare minimum assessment or even as a way to show that they really should have a full review performed.

I'd looked into the cheetsheet series, but the Top-10 cheetsheet has been recommended for deletion. While I understand the thinking behind the Top-10 being primarily for education purposes rather than a testing guide, in my experience there's a definite need for something like this.

We created a quick work program based off of the 2017 Top-10 that I'd love some feedback on and/or could be used as a jumping-off point for this.
OWASP-TOP10.xlsx

[kingthorin]

I think we could provide a mapping of the Testing Guide to the Top 10.

However, doing an assessment based solely on Top 10 items still leaves a huge amount of attack surface or abuse cases (some of which may be more important over the top 10's 2 or 3 year lifespan, or due to new research). We can probably add some commentary to that effect in the intro sections....

[victoriadrake]

@J3rry367 How do you see this integrating into the WSTG? It's not focused on specific tests, so if it's a guide, what is the criteria for having followed it?

[ThunderSon]

@victoriadrake I don't think it's creating new test cases. It's creating a sheet that covers the Top 10.
It's a simple list of simply the top 10 vulnerabilities, which we can create from the map we have between issues and test cases.

[J3rry367]

@victoriadrake yeah, the lack of specific tests is exactly what I'm running into. Like @ThunderSon said I don't think anything new needs to be added, rather something like "here's the top 10(ish) vulnerabilities to check for based on what is currently prevalent" or even "at the bare minimum all apps should have these controls." I guess, basically, I'm thinking something similar to how the MSTG has three levels of testing, a baseline which all apps need, then level 2, and reverse engineering for more sensitive apps. We work with sensitive apps, generally, and don't recommend the baseline, but if someone really needed something relatively quick and cheap we have that to offer.

[kingthorin]

"at the bare minimum all apps should have these controls."

Is addressed by the Proactive Controls project: https://owasp.org/www-project-proactive-controls/ (See 'Quick Access' in the right nav sidebar)

[victoriadrake]

I could see this becoming a broad overview section, maybe as part of the proposed (#254) Introduction_to_Web_Testing section grouping. @J3rry367 are you willing to point-form a sort of Top 10 overview article so we can better envision it?

[J3rry367]

Thanks @kingthorin I didn't know that existed I will definitely check that out.
Sure, @victoriadrake I can take a stab at it based on what I've been seeing requested.

[github-actions]

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[github-actions]

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[github-actions]

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[github-actions]

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

[rahuldotbiz]

can I work on this?