The global security community has completed an 18-month effort to produce a guide it is hoped will boost the standard of web application testing and address new and dangerous technologies.
Version 4 of the Open Web App Security Project's (OWASP's) Testing Guide [pdf] was produced by more than 60 security bods from around the world with a core lead team of four .
Co-leader and OWASP Canberra head Andrew Muller (@Andrew__Muller) said he and other OWASP members had pushed for the creation of an updated guide after a four-year gap since version three to address the threats of emerging technology.
"We want to apply a level of rigor to security testing of web applications," Muller said.
"The guide is an education piece so people who are new to the arena can review all aspects of testing while more experienced people could see it as a checklist to apply against their own testing."
The 220-page security opus is a companion to the Developers' and Code Review guides also released by the security crusader collective. Punters can use a numbering system to test the security controls listed in the Developers guide.
The guide introduces identity management testing, cryptography, client side testing and error handling and was designed so readers can develop their own application-specific test methods.
Muller pointed to the new guide example of testing HTML5 WebSockets which allowed the client and server to communicate asynchronously. "It's a concerning technology, a potentially dangerous technology, because you can shuffle anything down through WebSockets," he said.
The guide will be translated into different languages in line with its ambition to set a global standard for web app testing. ®