What is OWASP Web Security Testing Guide? — For Pentesters, Ethical Hackers, Security Researchers

Updated: Jul 5

The Web Security Testing Guide in short WSTG is an open-source project by OWASP Foundation that produces cybersecurity testing resources for web application developers, security professionals, or penetration testers.

WSTG is a comprehensive guide to testing the security of web applications and web services. It provides a framework of best practices used by penetration testers and organizations across the globe.

The OWASP Testing Project

The motive of this project is to help tech guys or other people to understand how, and W4 (what, why, when, where) of testing the web applications, and services.

The Testing Guide describes the general testing framework and techniques required to implement the framework in practice, and it can be used by Tech Guys as a template to build their testing programs or to qualify other people's processes.

Following some challenges from initial, it was challenging to develop the content that allowed people to apply the concepts described in the guide, as well as enabling them to work in their environment and culture. Changing the focus of web application testing from penetration testing to testing integrated into the Software Development Life Cycle (SDLC) was also a challenge.

However, Many are very satisfied with the results of this project. Industry Experts and Security Professionals, some of whom are responsible for software, or application security at some of the largest organizations across the globe, are validating this testing framework.

This framework helps many individuals or organizations to test their web applications, and services to build reliable, and secure software, or application.

Measuring Security: Economics of Insecure Software

OWASP has given a quote from "Controlling Software Projects: Management, Measurement, and Estimates" by Tom DeMarco

You can't control what you can't measure

Security testing is no different, Unfortunately, measuring it (Security) is a difficult process.

One of the aspects that should be highlighted is that security measurements are about the specific technical issues, and how these issues affect the economics of software. The Tech Guys or people will at least understand the basic security issues, or they may have a deeper understanding of the vulnerabilities. Unfortunately, few can translate that technical knowledge into monetary terms (in terms of economics, and finance) and quantify the potential cost of vulnerabilities to the application owner's business. Until this happens, the Chief Information Officers (CIOs) will not be able to develop an accurate return on security investment, and afterward, assign appropriate budgets for software security.

While estimating the cost of insecure software may look terrible, there has been a significant amount of work in this direction.

In 2018, the Consortium for IT Software Quality summarized:

…the cost of poor quality software in the US in 2018 is approximately $2.84 trillion…

This framework encourages Tech Guys to measure security throughout the entire development process. They can relate the cost of insecure software to the impact it has on the business, and afterward, develop appropriate business processes, and assign resources to manage the risk. It should be remembered that measuring and testing web applications is even more critical than for other software since web applications and services are exposed to millions of users through the Internet.

What is Testing?

The Oxford Dictionary of English defines "test" as:

a procedure intended to establish the quality, performance, or reliability of something, especially before it is taken into widespread use.

Many things need to be tested during the development life cycle of a web application. For this project, testing is a process of comparing the state of a system or application against a set of criteria

In the security industry, people frequently test against a set of mental criteria that are neither well defined nor complete.

As a result of this, OWASP says that many outsiders regard security testing as a black art. The aim of this project or document is to change that perception and to make it easier for people without in-depth security knowledge to make a difference in testing.

Why Perform Testing?

This project or document is well designed to help individuals or organizations understand what comprises a testing program and to help them identify the steps that need to be undertaken to build and operate a modern web application testing program.

The guide gives a broad scope view of the elements required to make a comprehensive web application security program. This guide can be used as a reference and as a methodology to help determine the gap between existing practices and industry best practices. This guide allows individuals or organizations to compare themselves against industry peers, understand the magnitude of resources required to test and maintain software or prepare for an audit.

When to Test?

OWASP says most people today don't test software until it has already been created and is in the deployment phase of its life cycle, meaning the code has been completed and instantiated into a working web application and service. Generally, This is a very ineffective and cost-prohibitive practice.

One of the best methods to prevent security bugs from appearing in production applications is to improve the Software Development Life Cycle (SDLC) by including security in each of its phases. The SDLC is a structure imposed on the development of software artifacts. If an individual or organization is not currently using SDLC in their environment, it is time to pick one!

The following figure shows a generic SDLC model as well as the estimated/increasing cost of fixing security bugs in such a model

The organizations should inspect their overall SDLC model to ensure that security is an integral part of the development process. SDLCs should include security tests to ensure security is sufficiently covered and controls are effective throughout the development process.

What to Test?

It can be helpful to think of software development as a combination of people, processes, and technology. If these are the factors that "create" software, then it is logical that these are the factors that must be tested. OWASP says that today most people generally test the technology or the software itself.

An effective testing program should have components that test the following:

  • People - to ensure that there is sufficient education and awareness;

  • Process - to ensure that there are sufficient policies and standards and that people know how to follow these policies;

  • Technology - to ensure that the process has been effective in its implementation.

Unless an entire approach is adopted, testing the technical implementation of an application will not uncover management or operation vulnerabilities that could be present.

By testing the people, policies, and processes, an organization can catch issues that would after presenting themselves as defects in the technology, thus eliminating bugs early and identifying the root causes of defects. Likewise, testing only some of the technical issues that can be present in a system will result in an incomplete and inaccurate security posture assessment.

OWASP says, Denis Verdon, Head of Information Security at Fidelity National Financial, presented an excellent analogy for this misconception at the OWASP AppSec 2004 Conference in New York:

If cars were built like applications ... safety tests would assume frontal impact only. Cars would not be roll tested for stability in emergency maneuvers, brake effectiveness, side impact, and resistance to theft.


GitHub Repository

Related Posts

See All

Testing Techniques Explained It is a high-level overview of various testing techniques that can be employed when building a testing program. Manual Inspections and Reviews Overview Manual inspections

In India, you must visit the National Cybercrime Reporting Portal (https://cybercrime.gov.in) of the Ministry of Home Affairs for reporting all types of cybercrime. This portal is an initiative of the


Thanks for submitting!