Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Slides:



Advertisements
Similar presentations
Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Advertisements

What is Test Director? Test Director is a test management tool
OWASP Application Security Verification Standard 2009
OWASP Secure Coding Practices Quick Reference Guide
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Software Quality Assurance Plan
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
Mercury Quality Center Formerly Test Director. Topics Covered Testdirector Introduction Understanding the Testdirector Interface. Understanding Requirement.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Introduction to Web Development. Web Basics The Web consists of computers on the Internet connected to each other in a specific way Used in all levels.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
© Blackboard, Inc. All rights reserved. Back to the Feature: An Agile, User-centric Software Development Lifecycle Cindy Barry Senior Product Manager Martha.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Software Development Configuration management. \ 2 Software Configuration  Items that comprise all information produced as part of the software development.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Page 1 © 2001, Epicentric - All Rights Reserved Epicentric Modular Web Services Alan Kropp Web Services Architect WSRP Technical Committee – March 18,
Systems Analysis and Design in a Changing World, Fourth Edition
Copyright © - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
© 2002 IBM Corporation Confidential | Date | Other Information, if necessary June, 2011 Made available under the Eclipse Public License v Mobile.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Adagio4 Web Content Management Mailing. Create a "GROUP" containing receivers' s. You may create different groups according to the language, target.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The CLS IS Unit Presents Creating Schedules What are schedules in Entourage? By using Entourage to set up schedules, you can easily automate certain.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Getting Started with OWASP The Top 10, ASVS, and the Guides Dave Wichers COO, Aspect Security OWASP Board Member OWASP Top 10 and ASVS Projects Lead.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP ASVS Levels1234 Tools Manual Test and Review Manual Design Review At higher levels in ASVS,the use of tools is encouraged. But to be effective,the.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 © 2004 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Technical Support Seminar Using the Cisco Technical Support Website.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 11: Software Configuration Management
^ About the.
Introduction to Software Testing
OWASP Application Security Verification Standard 2009
Tour of OWASP’s projects
Chapter 11: Software Configuration Management
OWASP Application Security Verification Standard
Improving Your Testing
ESAPI Design Patterns November 2009 Mike Boberski Booz Allen Hamilton
OWASP Application Security Verification Standard
OWASP Application Security Verification Standard
Presentation transcript:

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP OWASP Application Security Verification Standard Mike Boberski (Booz Allen Hamilton) Jeff Williams (Aspect Security) Dave Wichers (Aspect Security) 12/08 – Web Application Edition

OWASP 2 The Challenges…  There is a huge range in coverage and rigor available in the application security verification market!  Consumers have no way to tell the difference between:  Someone running a grep tool, and  Someone doing painstaking code review and manual testing! There are differences in coverage and rigor between types of tools, between tools and manual techniques, and between types of manual techniques!

OWASP 3 The Philosophy of ASVS  Any standard that provides a basis for the verification of web applications should be application-independent.  Any standard should be life-cycle model independent.  Any standard should define requirements that can be applied across applications without special interpretation. Any such standard also needs to be commercially- workable and can’t be overly burdensome!

OWASP 4 The Design of ASVS  The standard should define levels of application security verification.  The difference in coverage and level of rigor between levels should be relatively linear.  The standard should define functional verification requirements that take a white-list (i.e. positive) approach. The standard should also be tool and technique procedure independent!

OWASP 5 What questions does ASVS answer?  How much trust can be placed in a web application?  What features should be built into security controls?  How do I acquire a web application that is verified to have a certain range in coverage and level of rigor? ASVS can answer these questions for applications ranging from minimum risk applications, to critical infrastructure applications.

OWASP 6 Where can I get a copy of ASVS, and talk to people using ASVS?  You can download a copy from the ASVS Project page:   You can send comments and suggestions for improvement using the project mailing list:  See “Mailing List/Subscribe” link on project web page.  Tell us how your organization is using the OWASP ASVS. Include your name, organization's name, and brief description of how you are using the ASVS Tip: Subscribe to the OWASP ASVS mailing list!

OWASP 7 What is the status of the ASVS as an OWASP standard?  Web Application Edition of ASVS  It is the first OWASP standard.  Its current official release version is Beta.  Web Service Edition of ASVS  It is under development and not yet available for release.  Future Editions of ASVS  Additional languages, additional technologies (perhaps Cloud computing for example)

OWASP 8 An Overview of ASVS  “Verification Levels” section  “Verification Requirements” section  “Verification Reporting Requirements” section

OWASP 9 What are ASVS verification levels?

OWASP 10 Level Definitions  Level 1 – Automated Verification  Level 1A – Dynamic Scan (Partial Automated Verification)  Level 1B – Source Code Scan (Partial Automated Verification)  Level 2 – Manual Verification  Level 2A – Penetration Test (Partial Manual Verification)  Level 2B – Code Review (Partial Manual Verification)  Level 3 – Design Verification  Level 4 – Internal Verification

OWASP 11 How do I get started using ASVS?  Buyer and seller: agree how technical security requirements will be verified by specifying a level from 1 to 4,  Perform an initial review of the application to be verified,  Minimum: Perform an ASVS Level 1 security architecture review!  Develop a verification plan and a project schedule, Using ASVS requires planning and in that respect is just like any other testing exercise!

OWASP 12 How do I get started using ASVS? (continued)  Perform a verification according to ASVS level requirements,  Present findings, develop a remediation strategy, and develop a strategy to add verifications into the SDLC, and  Re-verify after fixes are made (repeat as necessary). Tip: don’t scare people when you present your findings! Be specific. Propose a specific fix or a workaround, if able.

OWASP 13 Questions?