A quick one sentence primer: the OWASP Testing Guide enables a business to test the security strengths and weaknesses of its web applications.
I used v3 for several years and there is a new version out that I have yet to review. However, OWASP enabled me to find literally thousands of vulnerabilities (mostly manual) in scores of businesses. The incredible folks at aspectsecurity.com were among the founders of OWASP and did an incredible job crafting the “Bible” of security precautions, coding standards and testing methods.
Here is a quick review of the version that I have been using…
The OWASP Testing Guide is top shelf. I have used this guide as a framework for penetration testing at scores of businesses over the last 7 years. Not only does the OWASP guide tell you where to look for vulnerabilities it goes to great lengths to explain what each vulnerability is. It is high level yet technical and clearly written.
It gives you a sense of severity and priority when it comes to the plethora of security issues plaguing our web applications. For example, distinguishing between simple SQL Injection and enhanced access and traversal through networked computers using SQL injection. Shell access using injection methods. And even more granular… XSS reflective vs. stored.
Because of this the guide is practical, not sending the follower down rabbit holes but correctly detailing the things that are the most important to web application security and server configuration. Like anything, you’ll want to customize this framework to work best for your specific business.
The OWASP Testing Guide will give you a measurable head-start on any form of testing process, audit program or quality assurance initiative that you need to undertake.
More on OWASP, penetration testing/pen testing, social engineering and SQA at http://www.jockpereira.com.