OWASP Continuous Penetration Testing Framework

The landscape of web application security is ever changing and evolving. Web application penetration testing is not what it was five or ten years ago, let alone earlier. Organisations and developers have adopted agile practices and methodologies, focusing on small, incremental changes to the codebase following methodologies such as Scrum. In practice this means the InfoSec and AppSec communities need to adapt their practices and methodologies so that penetration testing and assessment keep pace with, and give well-suited coverage of, web applications that change continuously.

The Continuous Penetration Testing Framework project intends to be a standardisation of Continuous Penetration Testing across the AppSec community. It will describe all the relevant:

  • Methodologies
  • Tools
  • Functions and
  • Guidelines

while ensuring it follows the highest industry standards and best practices.

This project will stimulate research around the future of AppSec and penetration testing, with a focus on the continuous aspect, following Agile development principles and the DevSecOps principle of shifting security left. It goes hand in hand with OWASP’s objectives of educating security professionals in effective application security practices and promoting secure coding principles in the development community.

It aims to act as an open and central point of knowledge transfer and exchange of opinions.


Roadmap

Short Term

  • Create the project space
  • Start gathering resources (reviews, research, important diagrams etc.)
  • Add proposed material

Mid Term

  • Outreach within OWASP community and the general infosec community
  • Take part in local chapter meetings
  • Engage on the OWASP mailing list
  • Prepare presentations for OWASP events
  • Networking
  • Create a study group to review the material and resources, and to add to them
  • Start producing a draft version of the specification

Long Term

  • Continue refining the specification
  • Present it at OWASP conferences to reach more people