Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP Application Security Verification Standard

Published byRoeland Bos Modified over 5 years ago

Similar presentations

Presentation on theme: "OWASP Application Security Verification Standard"— Presentation transcript:

1 OWASP Application Security Verification Standard
– Web Application Edition Mike Boberski (Booz Allen Hamilton) Jeff Williams (Aspect Security) Dave Wichers (Aspect Security) 12/08

2 Agenda The OWASP Foundation About ASVS Project Status
Technical Details Getting Started Where to Go from Here Questions The OWASP Foundation

3 Consumers have no way to tell the difference between:
The Challenges… There is a huge range in the coverage and level of rigor available in the application security verification market! Consumers have no way to tell the difference between: Someone running a grep tool, and Someone doing painstaking code review and manual testing!

4 The Philosophy of ASVS Any standard that provides a basis for the verification of web applications should be application-independent. Any standard should be life-cycle model independent. Any standard should define requirements that can be applied across applications without special interpretation.

5 The Design of ASVS The standard should define levels of application security verification. The difference in coverage and level of rigor between levels should be relatively linear. The standard should define functional verification requirements that take a white-list (i.e. positive) approach.

6 What questions does ASVS answer?
How do I know how much trust can be placed in a web application? How do I know what features to build into security controls used by a web application? How do I acquire a web application that is verified to have a certain range in coverage and level of rigor?

7 Agenda The OWASP Foundation About ASVS Project Status
Technical Details Getting Started Where to Go from Here Questions The OWASP Foundation

8 What is the status of the ASVS as an OWASP standard?
The Web Application Edition of ASVS is the first OWASP standard. Its current official release version is Beta. A Web Service Edition of ASVS is under development and not yet available for release. Future Editions of ASVS are planned both for: Additional languages (it is currently available in English) and for Future technologies (perhaps for example, a Cloud Computing Edition)

9 Project Plan and Status
12/8/ OWASP ASVS Final assistance required! Please join the mailing list for more information and assignments. 12/5/ OWASP ASVS exits the Summer of Code 2008! The Beta draft of the Web Application Edition is released! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors. 10/3/ OWASP ASVS Alpha draft is released! Mike Boberski is the primary author. 4/16/ OWASP ASVS Summer of Code 2008 proposal submitted by Mike Boberski wins!

10 Agenda The OWASP Foundation About ASVS Project Status
Technical Details Getting Started Where to Go from Here Questions The OWASP Foundation

11 An Overview of ASVS “Verification Levels” section “Detailed Verification Requirements” section “Verification Reporting Requirements” section

12 Details: What are ASVS verification levels?

13 Earning a level…

14 Level 1 – Automated Verification
Level Definitions Level 1 – Automated Verification Level 1A – Dynamic Scan (Partial Automated Verification) Level 1B – Source Code Scan (Partial Automated Verification) Level 2 – Manual Verification Level 2A – Penetration Test (Partial Manual Verification) Level 2B – Code Review (Partial Manual Verification) Level 3 – Design Verification Level 4 – Internal Verification

15 Level 1 in more detail Automated verification of a web application treated as groups of components within single monolithic entity.

16 Application Security Verification Techniques
Find Vulnerabilities Using the Running Application Find Vulnerabilities Using the Source Code Manual Application Penetration Testing Manual Security Code Review Automated Application Vulnerability Scanning Automated Static Code Analysis

17 Tools – At Best 45% MITRE found that all application security tool vendors’ claims put together cover only 45% of the known vulnerability types (695) They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)

18 Level 2 in more detail Manual verification of a web application organized into a high-level architecture.

19 Manual Penetration Test Level 2B Manual Code Review
Level 2 Options Level 2A Manual Penetration Test Level 2B Manual Code Review Need BOTH to achieve a full level 2 But requirements can be filled by either

20 Level 3 in more detail Design verification of a web application organized into a high-level architecture.

21 Level 4 in more detail Internal verification of a web application by searching for malicious code (not malware) and examining how security controls work.

22 What are ASVS verification requirements?
Security architecture verification requirements Security control verification requirements Security architecture information puts verification results into context and helps testers and reviewers to determine if the verification was accurate and complete

23 A positive approach Negative Positive
The tester shall search for XSS holes Positive Verify that the application performs input validation and output encoding on all user input

24 Requirement Summary Security Area Level 1A 1B 2A 2B Level 3 Level 4
V1 – Security Architecture Verification Requirements 1 2 4 5 V2 – Authentication Verification Requirements 3 9 13 14 V3 – Session Management Verification Requirements 6 7 8 V4 – Access Control Verification Requirements 12 15 V5 – Input Validation Verification Requirements V6 – Output Encoding/Escaping Verification Requirements 10 V7 – Cryptography Verification Requirements V8 – Error Handling and Logging Verification Requirements V9 – Data Protection Verification Requirements V10 – Communication Security Verification Requirements V11 – HTTP Security Verification Requirements V12 – Security Configuration Verification Requirements V13 – Malicious Code Search Verification Requirements V14 – Internal Security Verification Requirements Totals 22 51 83 96 112

25 What are ASVS reporting requirements?
R1 – Report Introduction R2 – Application/Service Description R3 – Application/Service Security Architecture R4 – Verification Results Is the report sufficiently detailed to make verification repeatable? Does the report have sufficient types of information to allow a reviewer to determine if the verification was accurate and complete?

26 Agenda The OWASP Foundation About ASVS Project Status
Technical Details Getting Started Where to Go from Here Questions The OWASP Foundation

27 How do I get started using ASVS?
Buyer and seller: agree how technical security requirements will be verified by specifying a level from 1 to 4, Perform an initial review of the application to be verified, Minimum: Perform an ASVS Level 1 security architecture review! Develop a verification plan and a project schedule,

28 How do I get started using ASVS? (continued)
Perform a verification according to ASVS level requirements, Present findings, develop a remediation strategy, and develop a strategy to add verifications into the SDLC, and Re-verify after fixes are made (repeat as necessary).

29 Agenda The OWASP Foundation About ASVS Project Status
Technical Details Getting Started Where to Go from Here Questions The OWASP Foundation

30 Where can I find help getting started using ASVS?
You can find information to help you get started using ASVS in two locations: Inside ASVS, section “Some Guidance on the Verification Process” in ASVS On the ASVS Project Page there are articles at the bottom of the page:

31 Where can I get a copy of ASVS, and talk to people using ASVS?
You can download a copy from the ASVS Project page: You can send comments and suggestions for improvement using the project mailing list: See “Mailing List/Subscribe” link on project web page.

32 Agenda The OWASP Foundation About ASVS Project Status
Technical Details Getting Started Where to Go from Here Questions The OWASP Foundation

33 Questions? ?

Download ppt "OWASP Application Security Verification Standard"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
OWASP Application Security Verification Standard 2009

OWASP Application Security Verification Standard 2009
Ossi Taipale, Lappeenranta University of Technology

Ossi Taipale, Lappeenranta University of Technology
Software Quality Assurance Plan

Software Quality Assurance Plan
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
#PhUSE Standard Scripts Project 2 2014 - Proposal for Qualification of Standard Scripts.

#PhUSE Standard Scripts Project Proposal for Qualification of Standard Scripts.
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation
© 2012 IBM Corporation Rational Insight | Back to Basis Series Chao Zhang 06-07-2012 Unit Testing.

© 2012 IBM Corporation Rational Insight | Back to Basis Series Chao Zhang Unit Testing.
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Testing Basics of Testing Presented by: Vijay.C.G – Glister Tech.

Testing Basics of Testing Presented by: Vijay.C.G – Glister Tech.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
CMPS 211 JavaScript Topic 1 JavaScript Syntax. 2Outline Goals and Objectives Goals and Objectives Chapter Headlines Chapter Headlines Introduction Introduction.

CMPS 211 JavaScript Topic 1 JavaScript Syntax. 2Outline Goals and Objectives Goals and Objectives Chapter Headlines Chapter Headlines Introduction Introduction.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google