Roadmap of content / Table of content

[lwierzbicki]

I found only available Table of Content here. However it is a bit outdated. Additionally it provides map only to headings level 3. I think it would be good to have a table of content which covers to headings level 6 (this provides some overview of what we have and where it is). It would also help to discover inconsistency between used headings.

And here is the issue: Reference section in some chapters is heading level 3 and in some other is heading level 4. As heading level 4 is in: grep -rnw ./ -e "#### References" ./Document/0x04g-Testing-Cryptography.md:172:#### References ./Document/0x06g-Testing-Network-Communication.md:301:#### References ./Document/0x05g-Testing-Network-Communication.md:649:#### References ./Templates/testcase.md:18:#### References

If we want to adjust this, you could assign me to this case. If we want to do something with Table of Content, please share previous script which was used to generate it and I can work on it.

[sushi2k]

Thanks for pointing it out. To be honest I think we can just remove this document. I do not know where the script is that was used to generate this also.

In editors like Visual Studio Code you can get a quite good overview of the headings of one markdown file by using the markdown extension.

@commjoen @cpholguera Ok if we remove this file, or was there any purpose for it?

[cpholguera]

I'm ok with it, if we can remove. Maybe Jeroen knows if we need if for something else?

[commjoen]

it is a file you can generate via the tools int he tools section. i think we need to get rid of all generated files and just help people to get the generated files themselves.

[lwierzbicki]

1st case is a file, I agree with guide to help people generate files themselves 2n case is clear and consistent structure across chapters (as example of inconsistency Reference heading was mentioned)

[cpholguera]

I agree on the 2nd point that we should fix that inconsistency. Would you like to help us out with that @lwierzbicki ?

[lwierzbicki]

Yes, of course. I think if we have a template, it would be great and save some time in the future (like a blueprint when you build a house).

[lwierzbicki]

Initial concept looks like this:

• level 1 heading - everything which starts 0x0[number]
• level 2 heading - everything which starts 0x0[number][a-z] - example platform overview, and "Testing "[iterate through MASVS domains - without architecture?]
• level 3 heading - overview of a chapter, "Testing for "[iterate through MSTG-ID related to that chapter], references - that can be transform to the statement: initial knowledge (overview), how to do a test(testing), where to learn more (referneces)
• level 4 heading - specific topic under level 3 heading (specific use case which is under level 3, like part of overview or specific case during testing for)
• level 5 heading - specific topic under level 4 heading
• level 6 heading - specific topic under level 5 heading

[lwierzbicki]

Additionally, I would split that into two tasks:

1. Blueprint/template of MSTG structure
2. Removal of Generated directory and describing tools for users that they can generate files themselves (I think sample Table of Content is generated by this script: https://github.com/OWASP/owasp-mstg/blob/master/Tools/generate_toc.rb, some intro is also here https://github.com/OWASP/owasp-mstg/blob/master/Tools/README.md ;) )

[cpholguera]

Thanks @lwierzbicki , we'll have a closer look at that ;)

[cpholguera]

I think we should definitely sync this to the topics of

• having a clear intro to each test case, that can be parsed for e.g. SKF
• having the same structure "overview/static/dynamic" everywhere
• in static analysis having a part for when you have the code and one for when you don't. We just have a few sections doing that. I think in 0x06h.

@sushi2k @lwierzbicki what do you think? We can discuss on our next meeting Sven.

[lwierzbicki]

I agree. Advantages which I see:

• content is organized to deliver precise information how to perform the test
• guide is organized, you can easily find desired topic
• we can plan updates and organize work for future releases
• all of this would lead to more modular document (which can be easily refactored like a code ;) )

[cpholguera]

@TheDauntless @sushi2k we were mentioning this today in our meeting

[lwierzbicki]

@cpholguera could you share the output? Would be good to incorporate it in future commits/PR.

[cpholguera]

Hi @lwierzbicki, we agreed on the comment above: https://github.com/OWASP/owasp-mstg/issues/1631#issuecomment-584516532

We take this now as the new approach of the MSTG. It will require a lot of restructuring and removing of information, making everything more concise, relying on external sources, focusing on "what the tester has to verify" instead of telling "what the developer should do". We will collect all the points and raise a proper issue/announcement for this so everyone is aware ;)

[cpholguera]

Addressed in the latest automated release.