The OWASP Testing Guide 4.0

OWASP has recently published the 'OWASP Testing Guide 4.0'.

The OWASP Testing Guide version 4 improves on version 3 in three ways:

  1. This version of the Testing Guide integrates with the two other flagship OWASP documentation products: the Developers Guide and the Code Review Guide. To achieve this, we aligned the testing categories and test numbering with those in the other OWASP products. The aim of the Testing and Code Review Guides is to evaluate the security controls described by the Developers Guide.
  2. All chapters have been improved and the test cases expanded to 87 (64 test cases in v3), including the introduction of four new chapters and controls:
  • Identity Management Testing
  • Error Handling
  • Cryptography
  • Client Side Testing
  3. This version of the Testing Guide encourages the community not to simply accept the test cases outlined in this guide. We encourage security testers to integrate with other software testers and devise test cases specific to the target application. As we find test cases that have wider applicability, we encourage the security testing community to share them and contribute them to the Testing Guide. This will continue to build the application security body of knowledge and allow the development of the Testing Guide to be an iterative rather than monolithic process.

Why OWASP?

Creating a guide like this is a huge undertaking, requiring the expertise of hundreds of people around the world. There are many different ways to test for security flaws, and this guide captures the consensus of the leading experts on how to perform this testing quickly, accurately, and efficiently. OWASP gives like-minded security folks the ability to work together and form a leading-practice approach to a security problem.

OWASP 4.0 Testing Guide Contents:

  1. Frontispiece
  2. Introduction
  3. The OWASP Testing Framework
  4. Web Application Security Testing
  5. Reporting

You may read the full table of contents on the official OWASP website.