

OWASP Testing Guide 2014 - SanderMak
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

======
tptacek
If you're starting from zero, OWASP isn't a useless resource. If you're not
going to look anywhere else for guidance, definitely read their stuff.

Having said that, OWASP's guidance is extremely... uneven. It's also
consultant-focused; you can see that from the weight given to the early
"fingerprint and profile the application"-type guidance, which matters a lot
when you're a consultant coming in cold to an application you've never seen
before, but is not a particularly good use of resources for an in-house
devops/security team.

Disregard anything OWASP has to say about cryptography or password storage.

OWASP tends to have pretty reasonable coverage of "the big three" web flaws
--- XSS, CSRF, and SQLI.

If you're a professional, my recommendation is to buy Dafydd Stuttard's book,
and Michal Zalewski's "The Tangled Web".

~~~
ZoFreX
I have to agree. A lot of the more detailed advice is muddled, misleading or
even wrong. Very little discussion and collaboration seems to be happening on
the wiki - just people editing in what they think is right.

Are there any freely available resources online that cover best practices?
Even StackOverflow is a quagmire when it comes to security concerns.

Edit: Or even not freely available. But preferably free :P

------
david_shaw
For those of you that aren't familiar, OWASP (the Open Web Application
Security Project) is a great resource for security neophytes. When my team is
on application security engagements, we'll frequently introduce our clients to
the OWASP cheat sheets for various different areas.

For developers, it can be a great resource -- although I'm not sure how much
stock I'd put into this "testing guide."

Where OWASP really shines seems to be coverage (both detection and prevention)
of the most common web application flaws. Given that their claim-to-fame is
the "top ten" web application threats, this makes sense. Here's an example of
what I'm talking about: [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(...](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\(CSRF\)_Prevention_Cheat_Sheet)

For people who are unfamiliar with different classes of web app
vulnerabilities -- especially if they are developing an application themselves
-- this can be an excellent resource.

------
coldcode
Is there something similar for native client applications?

~~~
wglb
Check out
[http://www.wiley.com/WileyCDA/WileyTitle/productCd-111820412...](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
and
[http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864...](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)

The latter seems to be of very good quality.

