A checklist tells you to "test for SQL injection." Threat modeling in v5 asks "Where would an attacker pivot from a cloud metadata API to your internal database?"
You don’t need to throw away everything. Here’s a practical path:
But here’s the reality:
v5 covers what attackers actually target today.
| | v4 (2008) | v5 (2019) |
| --- | --- | --- |
| Organization | 12 chapters | 11 chapters |
| Testing methodologies | Limited coverage | Comprehensive coverage of risk-based testing and threat modeling |
| Vulnerability categories | Limited coverage | New categories, such as "Injection" and "Broken Authentication" |
| Testing techniques | Basic techniques | Advanced techniques, including examples and case studies |
| API security coverage | Limited coverage | Expanded coverage |