https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=CbarlowOWASP - User contributions [en]2026-05-19T15:15:36ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=22171Category:OWASP Application Security Assessment Standards Project2007-10-05T12:22:27Z<p>Cbarlow: /* Current Project Status: */</p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Current Project Status: ==<br />
'''OWASP Organization Backing'''<br />
<br />
* Minimal feedback - Need Leadership Backing.<br />
<br />
'''Phase I – Project Approach:'''<br />
<br />
* Minimal feedback obtained. Contributors jumped in.<br />
<br />
'''Phase II - Definitions:'''<br />
<br />
* Define Common Business Application Types – '''Need Input.'''<br />
* Define Security Assessment Types – '''Need Input.'''<br />
<br />
'''Phase III – Assessment Context:'''<br />
<br />
* Define Standard Application Assessment Process – '''Stub Started - Need Input.'''<br />
* Define Standard Assessment Scope Per Application Type – Need Stub<br />
* Define Standard Testing Boundaries For Application Assessments – Need Stub<br />
* Define Business End Preparation For Application Assessment – Need Stub<br />
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub<br />
* Establish Baseline Assessor Qualifications And Evaluation Criteria – '''Stub Started - Need Input.'''<br />
<br />
'''Phase IV – Assessment Levels:'''<br />
<br />
''[ Suggest Establishment of Definitions and Context prior to commencement ]''<br />
<br />
* Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).<br />
* Create assessment levels based on previous Phase II and III objectives. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level.<br />
* Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective.<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
Also refer to project Roadmap.<br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-appsec-standards subscription page.]<br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
* Vinay Bansal, Cisco Systems<br />
<br />
* Imre Kertesz, KoreLogic Security<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=10879Category:OWASP Application Security Assessment Standards Project2006-10-20T16:41:26Z<p>Cbarlow: </p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Current Project Status: ==<br />
<br />
'''Phase I – Project Approach:'''<br />
<br />
* Minimal feedback obtained. Contributors jumped in.<br />
<br />
'''Phase II - Definitions:'''<br />
<br />
* Define Common Business Application Types – '''Stub Started - Need Input.'''<br />
* Define Security Assessment Types – '''Stub Started - Need Input.'''<br />
<br />
'''Phase III – Assessment Context:'''<br />
<br />
* Define Standard Application Assessment Process – Need Stub<br />
* Define Standard Assessment Scope Per Application Type – Need Stub<br />
* Define Standard Testing Boundaries For Application Assessments – Need Stub<br />
* Define Business End Preparation For Application Assessment – Need Stub<br />
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub<br />
* Establish Baseline Assessor Qualifications And Evaluation Criteria – '''Stub Started - Need Input.'''<br />
<br />
'''Phase IV – Assessment Levels:'''<br />
<br />
''[ Suggest Establishment of Definitions and Context prior to commencement ]''<br />
<br />
* Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).<br />
* Create assessment levels based on previous Phase II and III objectives. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level.<br />
* Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective.<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
Also refer to project Roadmap.<br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-appsec-standards subscription page.]<br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
* Vinay Bansal, Cisco Systems<br />
<br />
* Imre Kertesz, KoreLogic Security<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=10325Definition for Security Assessment Techniques2006-10-09T19:06:45Z<p>Cbarlow: </p>
<hr />
<div>==Overview==<br />
<br />
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Techniques'''. Agreement and establishment of these definitions are foundational to establishing the '''Assessment Levels''' later within this project.<br />
<br />
==Techniques==<br />
<br />
The following assessment techniques are proposed (in assessment depth order):<br />
<br />
* Application Security Threat Assessment<br />
* Application Security Architecture Review<br />
* Automated External Application Scanning (Tool Based)<br />
* Automated Source Code Analysis (Tool-Based Static Code Analysis) <br />
* Manual Penetration Testing (Security Test Specialist)<br />
* Manual Security-Focused Code Review (Software Security Specialist)<br />
<br />
NOTE: these should probably link to full articles on each subject<br />
<br />
[Semi Agree. Detail on each technique is needed to establish definitions baseline for assessment levels component of project (the guts). OK with moving to full articles if can maintain one master article (need to build in this one) that demonstrates relationships between techniques, commonalities, and relative building of assessment depth from technique to technique]<br />
<br />
==Application Security Threat Assessment==<br />
<br />
Analyzes application architectural information to develop a threat profile for the application components. <br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
==Application Security Architecture Review==<br />
<br />
Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
==Automated External Application Scanning==<br />
<br />
Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
==Automated Source Code Analysis==<br />
<br />
Automated source code analysis involves the use of special software "tools" to conduct [http://en.wikipedia.org/wiki/Static_code_analysis Static Code Analysis] on software source code to identify potential vulnerabilities within the code. <br />
<br />
''Advantages:''<br />
* can be very effective method for identifying defects in code functionality and syntax errors<br />
* most automated source code analysis tools are highly scalable<br />
* expedites code review process (can review 400-500 LOC/hr via manual review vs. up to 10,000 LOC/hr using automated source code scanning tools)<br />
* helps teams focus their manual code review activities on flagged, high-risk areas <br />
<br />
''Disadvantages:''<br />
* most automated source code analysis tools generate false positives <br />
* some automated source code analysis tools have a significant learning curve<br />
* some coding languages (such as ASP) are not supported by the tools<br />
* results of automated scans are basically "blueprints" of source code vulnerabilities, so they must be properly protected<br />
* Most of the automated source code analysis tools available on the market today can not identify logic errors, timing errors, resource conflicts, data errors and configuration errors.<br />
<br />
Recommended use:<br />
* Automated source code analysis tools can be used to enhance and improve an organization’s overall efforts to find and eliminate security vulnerabilities within software applications. However, they should not be viewed as a "silver bullet". Manual code reviews must still be conducted to identify false positives and security-related defects that tools can not identify.<br />
<br />
<br />
==Manual Penetration Testing==<br />
<br />
Manual Penetration Testing involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
==Manual Security-Focused Code Review==<br />
<br />
Review of the software source code to identify source code-level issues, which may enable an attacker to compromise an application, system, or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Security-focused code reviews should be specifically tailored to find common vulnerabilities in applications. <br />
<br />
''Advantages:''<br />
* If integrated into the [http://en.wikipedia.org/wiki/Software_development_life_cycle Software Development Life Cycle (SDLC)], coding issues can be resolved earlier in the development process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* Enables development teams to identify and correct insecure coding techniques that could lead to security vulnerabilities or possible incidents.<br />
* Helps developers learn from each other and share knowledge on secure coding techniques, best practices and common solutions.<br />
<br />
<br />
''Disadvantages:''<br />
* can be very time consuming and costly if automated tools are not available to help augment the review process<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* Security-focused code reviews should be conducted as part of the normal SDLC. Reviews may also be needed during or after security testing, prior to implementing system upgrades, prior to making system configuration changes, when new security bulletins are released, or immediately following any reported security incidents.<br />
<br />
<br />
<br />
==References/Sources==<br />
<br />
* Testing Taxonomy & Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Metrics_Survey_Form&diff=9994Metrics Survey Form2006-09-27T16:12:04Z<p>Cbarlow: </p>
<hr />
<div>Please use attached to participate in Application Security Metrics Survey<br />
<br />
https://www.owasp.org/images/3/30/Survey_form_draft0925061.doc<br />
<br />
[[Category:OWASP Application Security Metrics Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Metrics_Survey_Form&diff=9993Metrics Survey Form2006-09-27T16:11:39Z<p>Cbarlow: </p>
<hr />
<div>Please use attached to participate in Application Security Metrics Survey<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Metrics Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Metrics_Survey_Form&diff=9992Metrics Survey Form2006-09-27T16:09:50Z<p>Cbarlow: </p>
<hr />
<div>Please use attached to participate in Application Security Metrics Survey</div>Cbarlowhttps://wiki.owasp.org/index.php?title=File:Survey_form_draft0925061.doc&diff=9991File:Survey form draft0925061.doc2006-09-27T16:06:11Z<p>Cbarlow: </p>
<hr />
<div></div>Cbarlowhttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=9681Definition for Security Assessment Techniques2006-09-14T16:37:38Z<p>Cbarlow: </p>
<hr />
<div>This project article’s focus is to define, where practical, nomenclature and definitions of the differing security assessment types. Agreement and establishment of these definitions are foundational to establishing the Assessment Levels later within this project. The following assessment types are proposed:<br />
<br />
* Application Threat Assessment<br />
* Application Architecture Review<br />
* Automated Testing (Application Scanning (Tool Based)) <br />
* Expert Testing (Hands On Based) <br />
* Application Code Review <br />
<br />
<br />
== Application Assessment Types - Defined: ==<br />
<br />
'''Application Threat Assessment''' – Analyzes application architectural information to develop a threat profile for the application components. Threat assessments:<br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats to each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from a threat assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine responses(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security resources (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
'''Application Architecture Review''' – Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus many organizations will blend this activity with Threat Assessment. The review of the application and its interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
'''Automated Testing (Application Scanning (Tool Based))''' – Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
* Testing critical applications as a prelude to expert testing or code reviews.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted (particularly by management) as being more “secure” than they actually are. <br />
<br />
<br />
'''Expert Testing (Hands On Based)''' – “Expert Testing” involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
'''Application Code Review''' – Reviews the underlying foundational level to identify coding issues, which may create/enable an attacker to compromise an applications systems and/or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Code reviews should be specifically tailored to find vulnerabilities common in applications. <br />
<br />
''Advantages:''<br />
* If integrated into application SDLC, coding issues can be resolved early in the development and functional testing process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* …<br />
<br />
''Disadvantages:''<br />
* …<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* …<br />
<br />
<br />
<br />
References/Sources:<br />
<br />
* Testing Taxonomy &�Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=9667Category:OWASP Application Security Assessment Standards Project2006-09-13T17:45:00Z<p>Cbarlow: /* Current Project Status: */</p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Current Project Status: ==<br />
<br />
'''Phase I – Project Approach:'''<br />
<br />
* Minimal feedback obtained. Contributors jumped in.<br />
<br />
'''Phase II - Definitions:'''<br />
<br />
* Define Common Business Application Types – '''Stub Started - Need Input.'''<br />
* Define Security Assessment Types – '''Stub Started - Need Input.'''<br />
<br />
'''Phase III – Assessment Context:'''<br />
<br />
* Define Standard Application Assessment Process – Need Stub<br />
* Define Standard Assessment Scope Per Application Type – Need Stub<br />
* Define Standard Testing Boundaries For Application Assessments – Need Stub<br />
* Define Business End Preparation For Application Assessment – Need Stub<br />
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub<br />
* Establish Baseline Assessor Qualifications And Evaluation Criteria – '''Stub Started - Need Input.'''<br />
<br />
'''Phase IV – Assessment Levels:'''<br />
<br />
''[ Suggest Establishment of Definitions and Context prior to commencement ]''<br />
<br />
* Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).<br />
* Create assessment levels based on previous Phase II and III objectives. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level.<br />
* Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective.<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
Also refer to project Roadmap.<br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
* Vinay Bansal, Cisco Systems<br />
<br />
* Imre Kertesz, KoreLogic Security<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Application Security Assessment Standards Project is sponsored by: [[Image:Kore_Logo.jpg]][http://www.korelogic.com]<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=9666Category:OWASP Application Security Assessment Standards Project2006-09-13T17:32:27Z<p>Cbarlow: /* Current Project Status: */</p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Current Project Status: ==<br />
<br />
'''Phase I – Project Approach:'''<br />
<br />
* Minimal feedback obtained. Contributors jumped in.<br />
<br />
'''Phase II - Definitions:'''<br />
<br />
* Define Common Business Application Types – '''Stub Started - Need Input.'''<br />
* Define Security Assessment Types – '''Stub Started - Need Input.'''<br />
<br />
'''Phase III – Assessment Context:'''<br />
<br />
* Define Standard Application Assessment Process – Need Stub<br />
* Define Standard Assessment Scope Per Application Type – Need Stub<br />
* Define Standard Testing Boundaries For Application Assessments – Need Stub<br />
* Define Business End Preparation For Application Assessment – Need Stub<br />
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub<br />
* Establish Baseline Assessor Qualifications And Evaluation Criteria – '''Stub Started - Need Input.'''<br />
<br />
Also refer to project Roadmap.<br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
* Vinay Bansal, Cisco Systems<br />
<br />
* Imre Kertesz, KoreLogic Security<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Application Security Assessment Standards Project is sponsored by: [[Image:Kore_Logo.jpg]][http://www.korelogic.com]<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Baseline_Assessor_Qual_and_Eval_Criteria&diff=9665Baseline Assessor Qual and Eval Criteria2006-09-13T17:30:54Z<p>Cbarlow: </p>
<hr />
<div>This project article’s focus is to establish common set of assessor qualifications and evaluation criteria to facilitate end service user ability to determine competence per assessment type. Agreement and establishment of these qualifications and criteria are foundational to establishing the Assessment Levels later within this project.<br />
<br />
== Baseline Assessor Qualifications for Expert Testing ==<br />
<br />
Prior to hiring a firm or before hiring internally, verify and ensure on individual basis each Assessor has the following skills:<br />
* 4+ years of technical security experience with multiple computer platforms, operating systems, software products, network protocols and system architecture. <br />
* Knowledge of security architecture methodologies, industry best practices and generally accepted information security principles. <br />
* Demonstrated ability to secure (lock-down/harden) underlying operating systems and web services such as IIS or Apache – Thus inverse ability to break into insecure systems.<br />
* Demonstrated experience in designing and integrating security services (authentication, authorization, encryption, integrity, and non-repudiation) into systems and/or applications. <br />
** Demonstrated ability to recognize MD5 from Base64 from an encrypted value visually. (Example to demonstrate depth of knowledge in encryption)<br />
* Demonstrated experience in conducting vulnerability assessments and penetration testing – Seen as foundational skills to application level testing.<br />
** Demonstrated evidence of vulnerability discoveries (new undiscovered vulnerability).<br />
** Demonstrated ability to interpret a generated report from vulnerability scanners and quickly recognize potential false positives.<br />
** Able to demonstrate any exploit used during a test if requested by a client.<br />
* Solid understanding and experience in Web application and Internet security.<br />
* Solid, in-depth understanding of all Internet and Web protocols.<br />
* Full understanding of major HTML directives and code.<br />
* Knowledge of Service Oriented Architectures (SOA) and SOAP if applicable to environment.<br />
* Demonstrated ability to reverse engineer a transactional web application.<br />
* Produces own security tools known in reputable security circles. Ability to shell code to automate custom tests.<br />
* Demonstrated use of testing methodologies defined in OWASP Testing Project – Ask for specific testing process used for three or more testing areas.<br />
* Demonstrated ability to create and follow a project specific well documented test plan.<br />
* Programming / web services development experience a benefit. However, not all programmers make good security testers (it’s a mindset thing).<br />
* Demonstrated ability to formulate written technical material in a clear and effective manner – Ask for writing sample.<br />
<br />
Assessors identify and exploit security weaknesses, evaluate counter-measures and conduct analysis to determine potential security impacts to business. More so, the assessor must demonstrate ability to take assessment data and formulate security technical solutions. <br />
<br />
The following education and/or certifications are helpful and increase the viability of the Assessor (establishes their business foundation skills thus ability to link technical results to business impact) but should not be taken as sole means for evaluating.<br />
* Undergraduate degree in Computer Science, Information Systems, Engineering, or related discipline<br />
* CISSP or CCNA or GIAC certifications <br />
<br />
<br />
'''Evaluation Criteria'''<br />
<br />
The following matrix is intended to summarize the skills required per assessment level. <br />
<br />
''…[To Be Developed After Assessment Levels Established]''<br />
<br />
<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=9664Category:OWASP Application Security Assessment Standards Project2006-09-13T17:26:03Z<p>Cbarlow: /* Project Contributers */</p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Current Project Status: ==<br />
<br />
'''Phase I – Project Approach:'''<br />
<br />
* Minimal feedback obtained. Contributors jumped in.<br />
<br />
'''Phase II - Definitions:'''<br />
<br />
* Define Common Business Application Types – Stub Started.<br />
* Define Security Assessment Types – Stub Started.<br />
<br />
'''Phase III – Assessment Context:'''<br />
<br />
* Define Standard Application Assessment Process – Need Stub<br />
* Define Standard Assessment Scope Per Application Type – Need Stub<br />
* Define Standard Testing Boundaries For Application Assessments – Need Stub<br />
* Define Business End Preparation For Application Assessment – Need Stub<br />
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub<br />
* Establish Baseline Assessor Qualifications And Evaluation Criteria – Need Stub<br />
<br />
Also refer to project Roadmap.<br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
* Vinay Bansal, Cisco Systems<br />
<br />
* Imre Kertesz, KoreLogic Security<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Application Security Assessment Standards Project is sponsored by: [[Image:Kore_Logo.jpg]][http://www.korelogic.com]<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=9663Definition for Security Assessment Techniques2006-09-13T17:24:08Z<p>Cbarlow: </p>
<hr />
<div>This project article’s focus is to define, where practical, nomenclature and definitions of the differing security assessment types. Agreement and establishment of these definitions are foundational to establishing the Assessment Levels later within this project.<br />
<br />
== Application Assessment Types - Defined: ==<br />
<br />
'''Application Threat Assessment''' – Analyzes application architectural information to develop a threat profile for the application components. Threat assessments:<br />
<br />
* Identify the nature of the threats – the likely vulnerabilities of the given application and business.<br />
<br />
* Estimate the probability that those vulnerabilities might lead to a disruption and the type of impact – both expected and worst case – that might arise.<br />
<br />
* Analyze the different consequences and their likelihood of occurrence and determine which should be dealt with and what priority should be attached to mitigate.<br />
<br />
While the threats for each asset within the Application can be individually developed and mapped, a more efficient approach is to develop a master list of threat types and identify how these can be used to launch an attack on the Application and/or its components and potentially in turn the business itself. A single threat may exploit a vulnerability to damage different types of assets. Conversely, several threat types may exploit disparate vulnerabilities in order to attack a single critical asset. Given the many-to-many relationships between threats and assets, it is best to use a simple representation of threat to asset mapping by listing threat types by each critical asset identified.<br />
<br />
A threat assessment should categorize threat types and threat agents but should focus on malicious threats and will not cover accidental and natural threats. The source of Malicious Threats (the attacker or perpetrator, in this context) can be classified as unauthorized and authorized. Threat vectors and operating environment more fully define how and why a particular “user” falls into one of these categories:<br />
<br />
Unauthorized: <br />
* An attacker who does not have credentials to legitimately access the application<br />
<br />
Authorized:<br />
* A legitimate user of the application<br />
* A malicious insider<br />
* A previously unauthorized user who has gained authorized access through compromise of a valid account or user session<br />
<br />
While the threat agents may have the similar intent, varying reasons for engaging in illegal activities motivates them. Some authorized employees may willfully commit fraud for financial gain or engage in sabotage in order to disrupt routine operations. Theft, vandalism, intentional corruptions and alteration of information are also categorized as malicious threats.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* By using results from Threat Assessment, the end-client is able to focus assessment (testing) activities based on business requirements and operational reality. <br />
* Allows vulnerabilities discovered in other assessment types to be weighted and prioritized based on threat probability vs. raw vulnerability finding.<br />
<br />
''Disadvantages:''<br />
* Cannot guarantee that all possible security threats will be uncovered. <br />
* End-client must evaluate analysis and determine action(s).<br />
* Requires existence of application architecture documentation.<br />
* Often confused with Risk Assessments, which weigh asset value, threat, and vulnerability in order to determine business risk. Threat assessments focus on identifying only the threat component (vector(s) and probability).<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., “bake in” security during application development begets higher return on investment vs. “bolting on” application security fixes post production).<br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
'''Application Architecture Review''' – Typically a table-top design level review and analysis of the application to identify critical assets, sensitive data stores and business critical interconnections. The purpose of architecture reviews is to also aid in determining potential attack vectors, which could be used in testing. Thus the reason many organizations will blend this activity with Threat Assessment. The review of the application and their interconnections should include both a network- and application-level evaluation. Evaluation should identify areas of potential and actual vulnerability from these levels. This includes areas of vulnerability in the network and application architecture, in addition to a high-level measure of risk of each of those areas.<br />
<br />
''Advantages:''<br />
* Aids in focusing testing activities and defining true targets in large scale enterprise level applications.<br />
* Provides more depth to the development rationale of various functionality in the application life cycle. <br />
* By using results from Architecture Review, the assessment (testing) team is able to follow development logic in the “how” and “why” business and security requirements were integrated into application behavior and security controls/constraints. <br />
<br />
''Disadvantages:''<br />
* Cannot guarantee identification of all possible security threats. <br />
* Because the scope of an architectural assessment is far more complex than the limited perspective of an application layer assessment, recommendations are similarly complex, sometimes involving “political” changes (i.e., security department’s level of involvement in the SDLC). <br />
* Requires on-site discussions with application principals.<br />
<br />
Recommended use:<br />
* Best as a precursor to development activities allowing best use of security dollars (i.e., incorporate security in beginning begets higher return on investment vs. fixing applications post production). <br />
* Best utilized to determine the need and extent for further assessment (testing) activities (e.g., automated testing, expert testing, code review, etc.).<br />
<br />
<br />
'''Automated Testing (Application Scanning (Tool Based))''' – Utilizing automated open source or commercial software to discover known application layer vulnerabilities.<br />
<br />
''Advantages:''<br />
* Able to quickly identify default content, misconfigurations and error conditions resulting from improper input.<br />
* Ability to be run on automated, regular basis to provide baseline and ongoing vulnerability management metrics.<br />
* Can reduce the time required to assess large applications.<br />
* Lower cost to operate/execute (excluding initial capital cost if using commercial testing software).<br />
<br />
''Disadvantages:''<br />
* Not designed to determine the extent to which the vulnerabilities can be exploited to compromise the data the application handles.<br />
* Requires appropriate skills/knowledge to use, configure, and interpret results (despite “point and click” vendor marketing claims). <br />
* Requires extensive configuration and customization to emulate a user session.<br />
* Limited ability to correlate events and correlate minor issues that may lead to larger exposure. <br />
* Inability to adapt to dynamic responses in business logic flows.<br />
* Unable to find vulnerabilities that only become apparent after performing a sequence of steps (e.g., business logic flow bypass, session state compromise, etc.).<br />
* Unable to figure out “how deep the rabbit hole goes” – No means to interpret security implications, express extent of potential compromise, or identify seriousness of business and information exposure. <br />
* Tools will often be confused by some aspect of an application's behavior, causing a particular class of test to generate a false positive. Because most tools lack intelligence and cannot adapt to such conditions, test results include a large number of identical false positives. <br />
** For valid findings, the tools will often find dozens or hundreds of nearly identical findings, each with the same root cause. <br />
* Tool based findings are only indications of problems. Manual review (by someone well versed in web application testing) is usually necessary to draw the necessary parallels between different findings, and determine which findings identify unique problems, and which represent repetition.<br />
<br />
Recommended use:<br />
* Handling routine, manually intensive steps (e.g., input validation, field “fuzzing”, etc.) in an assessment is useful, particularly in large applications. However, scanner-based results can be used as the starting point from which expert testing can take over.<br />
* Testing less critical applications (i.e., applications that do not contain/handle business sensitive data and/or are not critical to business operation) where the perceived lower risk does not warrant performing hands-on testing.<br />
<br />
If a tool is used, it is important to define the technical limitations of the tool when the findings are presented. An example of this may involve noting the potential for SQL injection attacks based upon verbose SQL error messages, but also the tool’s inability to produce the correct syntax needed to extract specific information from the vulnerable database. A failure to convey the differences between automated and expert testing increases the risk that the application assessment results will be interpreted as being more “secure” than they actually are. <br />
<br />
<br />
'''Expert Testing (Hands On Based)''' – “Expert Testing” involves application analysis performed by an experienced analyst, usually using a combination of open source automated utilities (either self created or through security community) for performing task-specific functions and hands-on analysis to attempt to further ‘hack’ the application as an attacker.<br />
<br />
''Advantages:''<br />
* Open source tools utilized by the expert tester are developed usually for specific purposes rather than wrapping multiple functionality into a GUI. Typically are one of many components in the testers toolkit.<br />
* “Expert testing” is an intuitive approach (Business logic analysis), with the ability to identify flaws in business logic that automated scanners are usually incapable of finding.<br />
* Addresses many of the disadvantages noted in Automated Testing.<br />
* Ability to correlate events and minor issues that may lead to larger exposure. This is a critical advantage of hands-on testing and simulates how a real attacker would operate. <br />
* Ability to communicate complex technical findings in a manner that all can understand. The job is not done until the assessment end-client understands the nature of the vulnerability discovered and its security implications. <br />
** The analysis phase of expert testing provides “root cause” identification and recommendations based upon the unique, developmental characteristics of an application. Results from an automated tool cannot provide customized, specific recommendations tailored for each application and the end-client’s requirements. <br />
<br />
''Disadvantages:''<br />
* Often confused with Automated Testing – Marketing of commercial tools uses terms such as “expert” and “intuitive”, normally associated with an assessment performed by an experienced analyst.<br />
* Inability of most end-client organizations to determine if tester has appropriate application security skills required. There are no community accepted credentials/certifications established for this area of security.<br />
* Cost to conduct will be higher though there is no upfront capital cost.<br />
* Without establishing clear metrics up front, ongoing testing to determine trends within business environment or iterations of application is difficult.<br />
<br />
Recommended use:<br />
* Testing critical applications (i.e., applications that do contain/handle business sensitive data and/or are critical to business operation) where the perceived higher risk does not warrant performing automated testing.<br />
* Best suited for B2B, B2C and/or any transactional based and/or multi-level access application.<br />
<br />
<br />
'''Application Code Review''' – Reviews the underlying foundational level to identify coding issues, which may create/enable an attacker to compromise an applications systems and/or business functionality. Web applications in particular are likely to have these vulnerabilities, as they are frequently developed quickly in an environment that does not allow for much security planning and testing. This should not be viewed as simply a generic software audit. Code reviews should be specifically tailored to find vulnerabilities common in applications. <br />
<br />
''Advantages:''<br />
* If integrated into application SDLC, coding issues can be resolved early in the development and functional testing process. (which is much less expensive to fix than a post-production revision of the code).<br />
* Provides the ability to identify and address serious coding issues (e.g., input validation, hard-coded credentials, debugging features, etc.) prior to production.<br />
* …<br />
<br />
''Disadvantages:''<br />
* …<br />
* If conducted solely by tools, results will be mostly static signature matching though some tools claim to walk codepath (follow nested loops and other regression through objects).<br />
* Even applications that exhibit strong and thorough software development practices (e.g., documentation, seamless modularity, string checking to prevent buffer overflows, etc.) can fall victim to attack if the underlying business logic doesn’t follow security requirements.<br />
* Requires specific programming expertise (e.g., Java, .NET, PHP, etc.) that many application testers do not have.<br />
<br />
Recommended use:<br />
* …<br />
<br />
<br />
<br />
References/Sources:<br />
<br />
* Testing Taxonomy &�Testing Tools Classification : http://www.owasp.org/index.php/Image:AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt<br />
<br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=9192Category:OWASP Application Security Assessment Standards Project2006-08-22T14:51:23Z<p>Cbarlow: /* Current Project Status: */</p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Current Project Status: ==<br />
<br />
'''Phase I – Project Approach:'''<br />
<br />
* Minimal feedback obtained. Contributors jumped in.<br />
<br />
'''Phase II - Definitions:'''<br />
<br />
* Define Common Business Application Types – Stub Started.<br />
* Define Security Assessment Types – Stub Started.<br />
<br />
'''Phase III – Assessment Context:'''<br />
<br />
* Define Standard Application Assessment Process – Need Stub<br />
* Define Standard Assessment Scope Per Application Type – Need Stub<br />
* Define Standard Testing Boundaries For Application Assessments – Need Stub<br />
* Define Business End Preparation For Application Assessment – Need Stub<br />
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub<br />
* Establish Baseline Assessor Qualifications And Evaluation Criteria – Need Stub<br />
<br />
Also refer to project Roadmap.<br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
* Vinay Bansal, Cisco Systems<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Application Security Assessment Standards Project is sponsored by: [[Image:Kore_Logo.jpg]][http://www.korelogic.com]<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=9191Definition for Security Assessment Techniques2006-08-22T14:50:51Z<p>Cbarlow: </p>
<hr />
<div>This articles focus is to define, where practical, nomenclature and definitions of the differing security assessment types.<br />
<br />
== Assessment Type Categories - Defined: ==<br />
<br />
'''Application Scanning (Tool Based)''' – (Definition)<br />
<br />
<br />
'''Hands On Based Application Testing''' – (Definition)<br />
<br />
<br />
'''Application Code Review''' – (Definition)<br />
<br />
<br />
'''?''' – (Definition)<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Definition_for_Security_Assessment_Techniques&diff=9190Definition for Security Assessment Techniques2006-08-22T14:49:28Z<p>Cbarlow: </p>
<hr />
<div>This articles focus is to define, where practical, nomenclature and definitions of the differing security assessment types.<br />
<br />
== Assessment Type Categories - Defined: ==<br />
<br />
'''Application Scanning (Tool Based)''' – <br />
<br />
'''Hands On Based Application Testing''' – <br />
<br />
'''Application Code Review''' – <br />
<br />
'''?''' – <br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]<br />
{{Template:Stub}}</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=9189Category:OWASP Application Security Assessment Standards Project2006-08-22T14:41:22Z<p>Cbarlow: </p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Current Project Status: ==<br />
<br />
'''Phase I – Project Approach:'''<br />
<br />
* Minimal feedback obtained. Contributors jumped in.<br />
<br />
'''Phase II - Definitions:'''<br />
<br />
* Define Common Business Application Types – Stub Started.<br />
* Define Security Assessment Types – Need Stub.<br />
<br />
'''Phase III – Assessment Context:'''<br />
<br />
* Define Standard Application Assessment Process – Need Stub<br />
* Define Standard Assessment Scope Per Application Type – Need Stub<br />
* Define Standard Testing Boundaries For Application Assessments – Need Stub<br />
* Define Business End Preparation For Application Assessment – Need Stub<br />
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub<br />
* Establish Baseline Assessor Qualifications And Evaluation Criteria – Need Stub<br />
<br />
Also refer to project Roadmap.<br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
* Vinay Bansal, Cisco Systems<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Application Security Assessment Standards Project is sponsored by: [[Image:Kore_Logo.jpg]][http://www.korelogic.com]<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Metrics_Project&diff=9188Category:OWASP Application Security Metrics Project2006-08-22T14:25:57Z<p>Cbarlow: </p>
<hr />
<div>== Welcome to the Application Security Metrics Security Project ==<br />
<br />
This OWASP Project will first identify and provide the OWASP community a set of application security metrics that have been found by contributors to be effective in measuring application security. This will be followed by the development of new metrics that build on the initial metrics foundation to fulfill unmet metrics requirements.<br />
The goals of this Project are to make a baseline set of application security metrics available to the OWASP community and subsequently to provide a forum for the community to contribute metrics back into the baseline. <br />
<br />
== Project Guiding Principles: ==<br />
<br />
The Application Security Metrics Security Project Project’s Guiding Principles were created in order to express the intentions of its contributors when designing application security metrics.<br />
<br />
* Effective security metrics have proven to be challenging to develop. As such, provide a means for the OWASP community to initially leverage what others have developed and find useful (i.e., provide the OWASP community useful metrics in use today).<br />
<br />
* Where practical, attempt to “standardize” nomenclature with other security metrics initiatives such as securitymetrics.org, Systems Security Engineering Capability Maturity Model (SSE-CMM), etc.<br />
<br />
* In selecting best practice metrics, make use of high-level filters. For example, use Dr. Dan Geer’s decision support mantra regarding security metrics: “How would that proposed measure advance appropriate decision making?"<br />
<br />
* Link each metric to the business driver for the metric (e.g., Metric “X” helps support regulatory compliance and risk management objectives.”<br />
<br />
Comments to the editor or endorsements are welcome.<br />
<br />
== Project Scope: ==<br />
<br />
In keeping with OWASP’s mission, this project will focus primarily on application security metrics.<br />
<br />
== Feedback and Participation: ==<br />
<br />
We hope you find the OWASP Application Security Metrics Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Application Security Metrics Project mailing list or view the archives, please visit the subscription page.<br />
<br />
== Project Contributors: ==<br />
<br />
If you contribute to this Project, please add your name here<br />
Project Lead:<br />
<br />
* Bob Austin of KoreLogic Security. He can be reached at austinb@korelogic.com. <br />
<br />
Contributors:<br />
<br />
* Cliff Barlow, KoreLogic Security<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Metrics_Project_Roadmap&diff=9187Category:OWASP Application Security Metrics Project Roadmap2006-08-22T14:23:59Z<p>Cbarlow: /* DETAILED PHASE ONE TASKS */</p>
<hr />
<div>Subject to Contributor feedback, the following Roadmap is proposed. Phase One tasks are more specifically defined. Phase Two tasks will be developed and defined over time based on Phase One experience.<br />
<br />
== Proposed Project Phases: ==<br />
<br />
'''Phase One - Collect and Provide Proven Metrics'''<br />
<br />
The objective is to provide useful current state metrics to the OWASP community in the near-term.<br />
<br />
'''Phase Two - Develop “Next Generation” metrics'''<br />
<br />
Develop new metrics using Contributor feedback on Phase One metrics and metrics that organizations have asked for but do not currently exist.<br />
<br />
== Summary of Proposed Phase One Tasks ==<br />
<br />
* Comment Period for Proposed Project Approach, Solicit Contributor Support<br />
* Develop Metric Collection Survey Instrument<br />
* Solicit Organizational Participants<br />
* Conduct Metric Collection Survey<br />
* Organize and Analyze Collected Survey Data<br />
* Prepare Draft Findings and Provide to Reviewers<br />
* Comment Period for Published Draft Findings<br />
* Publish Final Findings, Metrics and Resources<br />
* Conduct Phase One Project Post-Mortem<br />
<br />
== Detailed Phase One Tasks ==<br />
<br />
'''Task 1 – Comment Period for Proposed Project Approach'''<br />
<br />
Solicit Contributor feedback to ensure the most effective and widely supported approach. <br />
<br />
Target Time Frame: Complete by August 1st, 2006<br />
Current Status: Call for Contributors <br />
<br />
'''Task 2 – Develop Metric Collection Survey Instrument'''<br />
<br />
Develop a survey instrument that can be used by Contributors to gather metrics data in a uniform fashion. Design considerations will include “organizational” demographic data required (e.g., industry vertical), the format of the metric description, etc. Ideally, we can categorize the metric types using a standard nomenclature. The final survey instrument will be based on the 80/20 principle – developing the “perfect” instrument will excessively delay the Project. Contributor support in developing a survey form that will allow efficient data aggregation and analysis would be appreciated (or at least ideas how this could be accomplished). <br />
<br />
Target Time Frame: Complete by August 15, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: Bob Austin<br />
<br />
'''Task 3– Solicit Organizational Participants'''<br />
<br />
Contributors will be asked to approach organizations that are known to have effective metrics in use and request their (anonymous) participation in the survey. It may be wise to limit the number of organizations participating in the survey to 30 or so organizations. One incentive to participate is the sharing of current “best practice” metrics. From a confidentiality perspective, each Contributor would ensure that data provided by an organization is sanitized to ensure anonymity.<br />
<br />
Target Time Frame: Complete by August 15, 2006<br />
Current Status: Call for Volunteers<br />
<br />
'''Task 4 – Conduct Metric Collection Survey'''<br />
<br />
Using the survey instrument, collect survey data. It may be wise to conduct a “pilot” survey with 1 or 2 organizations, make fine-tuning adjustments to the survey instrument, and then complete the surveys.<br />
<br />
Target Time Frame: Complete by September 15, 2006 (this date is particularly dependent upon Contributor support)<br />
Current Status: Call for Volunteers<br />
<br />
'''Task 5 – Organize and Analyze Collected Survey Data'''<br />
<br />
This will involve merging and organizing the collected data to allow effective analysis and presentation of the data. <br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 6 – Prepare Draft Findings and Provide to Reviewers'''<br />
<br />
We envision capturing a number of key data points including a description of metrics used, consumers of the metrics, length of time used, barriers to metric collection, metrics needed, planned metrics initiatives, useful tools/resources that facilitate metrics collection/analysis, etc. We also will attempt to provide insight into management’s interest and support for the metrics program.<br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 7 – Comment Period for Published Draft Findings'''<br />
<br />
Solicit feedback from the OWASP community, address errors/ambiguity. Make edits based on feedback.<br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 8 – Publish Final Findings, Metrics, and Resources'''<br />
<br />
Self-explanatory. Ideally, present the metrics in a way that Contributors can continue to add to and comment on over time. Create a Resources Page that incorporates the resources recommended by survey participants.<br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 9 – Conduct Phase One Project Post-Mortem'''<br />
<br />
Solicit feedback and lessons learned on Phase One to improve Phase Two approach.<br />
<br />
Target Time Frame:<br />
Current Status: Call for Volunteers<br />
<br />
[[Category:OWASP Application Security Metrics Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Metrics_Project_Roadmap&diff=9186Category:OWASP Application Security Metrics Project Roadmap2006-08-22T14:23:09Z<p>Cbarlow: </p>
<hr />
<div>Subject to Contributor feedback, the following Roadmap is proposed. Phase One tasks are more specifically defined. Phase Two tasks will be developed and defined over time based on Phase One experience.<br />
<br />
== Proposed Project Phases: ==<br />
<br />
'''Phase One - Collect and Provide Proven Metrics'''<br />
<br />
The objective is to provide useful current state metrics to the OWASP community in the near-term.<br />
<br />
'''Phase Two - Develop “Next Generation” metrics'''<br />
<br />
Develop new metrics using Contributor feedback on Phase One metrics and metrics that organizations have asked for but do not currently exist.<br />
<br />
== Summary of Proposed Phase One Tasks ==<br />
<br />
* Comment Period for Proposed Project Approach, Solicit Contributor Support<br />
* Develop Metric Collection Survey Instrument<br />
* Solicit Organizational Participants<br />
* Conduct Metric Collection Survey<br />
* Organize and Analyze Collected Survey Data<br />
* Prepare Draft Findings and Provide to Reviewers<br />
* Comment Period for Published Draft Findings<br />
* Publish Final Findings, Metrics and Resources<br />
* Conduct Phase One Project Post-Mortem<br />
<br />
== DETAILED PHASE ONE TASKS ==<br />
<br />
'''Task 1 – Comment Period for Proposed Project Approach'''<br />
<br />
Solicit Contributor feedback to ensure the most effective and widely supported approach. <br />
<br />
Target Time Frame: Complete by August 1st, 2006<br />
Current Status: Call for Contributors <br />
<br />
'''Task 2 – Develop Metric Collection Survey Instrument'''<br />
<br />
Develop a survey instrument that can be used by Contributors to gather metrics data in a uniform fashion. Design considerations will include “organizational” demographic data required (e.g., industry vertical), the format of the metric description, etc. Ideally, we can categorize the metric types using a standard nomenclature. The final survey instrument will be based on the 80/20 principle – developing the “perfect” instrument will excessively delay the Project. Contributor support in developing a survey form that will allow efficient data aggregation and analysis would be appreciated (or at least ideas how this could be accomplished). <br />
<br />
Target Time Frame: Complete by August 15, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: Bob Austin<br />
<br />
'''Task 3– Solicit Organizational Participants'''<br />
<br />
Contributors will be asked to approach organizations that are known to have effective metrics in use and request their (anonymous) participation in the survey. It may be wise to limit the number of organizations participating in the survey to 30 or so organizations. One incentive to participate is the sharing of current “best practice” metrics. From a confidentiality perspective, each Contributor would ensure that data provided by an organization is sanitized to ensure anonymity.<br />
<br />
Target Time Frame: Complete by August 15, 2006<br />
Current Status: Call for Volunteers<br />
<br />
'''Task 4 – Conduct Metric Collection Survey'''<br />
<br />
Using the survey instrument, collect survey data. It may be wise to conduct a “pilot” survey with 1 or 2 organizations, make fine-tuning adjustments to the survey instrument, and then complete the surveys.<br />
<br />
Target Time Frame: Complete by September 15, 2006 (this date is particularly dependent upon Contributor support)<br />
Current Status: Call for Volunteers<br />
<br />
'''Task 5 – Organize and Analyze Collected Survey Data'''<br />
<br />
This will involve merging and organizing the collected data to allow effective analysis and presentation of the data. <br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 6 – Prepare Draft Findings and Provide to Reviewers'''<br />
<br />
We envision capturing a number of key data points including a description of metrics used, consumers of the metrics, length of time used, barriers to metric collection, metrics needed, planned metrics initiatives, useful tools/resources that facilitate metrics collection/analysis, etc. We also will attempt to provide insight into management’s interest and support for the metrics program.<br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 7 – Comment Period for Published Draft Findings'''<br />
<br />
Solicit feedback from the OWASP community, address errors/ambiguity. Make edits based on feedback.<br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 8 – Publish Final Findings, Metrics, and Resources'''<br />
<br />
Self-explanatory. Ideally, present the metrics in a way that Contributors can continue to add to and comment on over time. Create a Resources Page that incorporates the resources recommended by survey participants.<br />
<br />
Target Time Frame: <br />
Current Status: Call for Volunteers<br />
<br />
'''Task 9 – Conduct Phase One Project Post-Mortem'''<br />
<br />
Solicit feedback and lessons learned on Phase One to improve Phase Two approach.<br />
<br />
Target Time Frame:<br />
Current Status: Call for Volunteers<br />
<br />
[[Category:OWASP Application Security Metrics Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=9185Category:OWASP Project2006-08-22T13:53:01Z<p>Cbarlow: /* Project descriptions */</p>
<hr />
<div>An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.<br />
<br />
==Proposing a new project==<br />
<br />
To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"<br />
<br />
==Project descriptions==<br />
<br />
* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Project]] - investigating the security of AJAX enabled applications<br />
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment<br />
* [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]] - identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security <br />
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics<br />
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite<br />
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security<br />
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code<br />
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security<br />
* [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]] - a comprehensive and integrated guide to the fundamental building blocks of application security<br />
* [[:Category:OWASP Legal Project|OWASP Legal Project]] - a project focused on contracting for secure software<br />
* [[:Category:OWASP Logging Project|OWASP Logging Project]] - a project to define best practices for logging and log management<br />
* [[:Category:OWASP Metrics Project|OWASP Metrics Project]] - a project to define workable application security metrics<br />
* [[:Category:OWASP .NET Project|OWASP .NET Project]] - a project focused on helping .NET developers build secure applications<br />
* [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]] - a project focused on combining automated capabilities with complete manual testing to get the best results<br />
* [[:Category:OWASP PHP Project|OWASP PHP Project]] - a project focused on helping PHP developers build secure applications<br />
* [[:Category:OWASP Java Project|OWASP Java Project]] - a project focused on helping Java and J2EE developers build secure applications<br />
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk<br />
* [[:Category:OWASP Testing Project|OWASP Testing Project]] - a project focused on application security testing procedures and checklists<br />
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities<br />
* [[:Category:OWASP Validation Project|OWASP Validation Project]] - a project that provides guidance and tools related to validation. <br />
* [[:Category:OWASP WASS Project|OWASP WASS Project]] - a standards project to develop more concrete criteria for secure applications<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security<br />
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services<br />
<br />
<br />
[[OWASP Project Mailing Lists]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Metrics_Project&diff=9184Category:OWASP Application Security Metrics Project2006-08-22T13:48:03Z<p>Cbarlow: </p>
<hr />
<div>== Welcome to the Application Security Metrics Security Project ==<br />
<br />
This OWASP Project will first identify and provide the OWASP community a set of application security metrics that have been found by contributors to be effective in measuring application security. This will be followed by the development of new metrics that build on the initial metrics foundation to fulfill unmet metrics requirements.<br />
The goals of this Project are to make a baseline set of application security metrics available to the OWASP community and subsequently to provide a forum for the community to contribute metrics back into the baseline. <br />
<br />
== Project Guiding Principles: ==<br />
<br />
The Application Security Metrics Security Project Project’s Guiding Principles were created in order to express the intentions of its contributors when designing application security metrics.<br />
<br />
* Effective security metrics have proven to be challenging to develop. As such, provide a means for the OWASP community to initially leverage what others have developed and find useful (i.e., provide the OWASP community useful metrics in use today).<br />
<br />
* Where practical, attempt to “standardize” nomenclature with other security metrics initiatives such as securitymetrics.org, Systems Security Engineering Capability Maturity Model (SSE-CMM), etc.<br />
<br />
* In selecting best practice metrics, make use of high-level filters. For example, use Dr. Dan Geer’s decision support mantra regarding security metrics: “How would that proposed measure advance appropriate decision making?"<br />
<br />
* Link each metric to the business driver for the metric (e.g., Metric “X” helps support regulatory compliance and risk management objectives.”<br />
<br />
Comments to the editor or endorsements are welcome.<br />
<br />
== Project Scope: ==<br />
<br />
In keeping with OWASP’s mission, this project will focus primarily on application security metrics.<br />
<br />
== Feedback and Participation: ==<br />
<br />
We hope you find the OWASP Application Security Metrics Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Application Security Metrics Project mailing list or view the archives, please visit the subscription page.<br />
<br />
== Project Contributors: ==<br />
<br />
If you contribute to this Project, please add your name here<br />
Project Lead:<br />
<br />
* Bob Austin of KoreLogic Security. He can be reached at austinb@korelogic.com. <br />
<br />
Contributors:<br />
<br />
* Cliff Barlow, KoreLogic Security</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Metrics_Project&diff=9182Category:OWASP Application Security Metrics Project2006-08-22T13:41:21Z<p>Cbarlow: </p>
<hr />
<div>OWASP Application Security Metrics Project</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=7966Category:OWASP Application Security Assessment Standards Project2006-07-24T16:41:52Z<p>Cbarlow: </p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Application Security Assessment Standards Project is sponsored by: [[Image:Kore_Logo.jpg]][http://www.korelogic.com]<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=File:Kore_Logo.jpg&diff=7958File:Kore Logo.jpg2006-07-24T16:36:32Z<p>Cbarlow: </p>
<hr />
<div></div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=7955Category:OWASP Application Security Assessment Standards Project2006-07-24T16:33:56Z<p>Cbarlow: </p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Application Security Assessment Standards Project is sponsored by: KoreLogic, Inc. [http://www.korelogic.com]<br />
<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Project&diff=7952Category:OWASP Project2006-07-24T16:26:36Z<p>Cbarlow: /* Project descriptions */</p>
<hr />
<div>An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.<br />
<br />
==Proposing a new project==<br />
<br />
To propose a new project, please send an email to owasp@owasp.org. Each project should have a roadmap page that details the current set of tasks and rough schedule. The page should be named "OWASP XXX Project Roadmap"<br />
<br />
==Project descriptions==<br />
<br />
* [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Project]] - investigating the security of AJAX enabled applications<br />
* [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]] - establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment<br />
* [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]] - an FAQ covering many application security topics<br />
* [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]] - a JavaScript based web application security testing suite<br />
* [[:Category:OWASP CLASP Project|OWASP CLASP Project]] - a project focused on defining process elements that reinforce application security<br />
* [[:Category:OWASP Code Review Project|OWASP Code Review Project]] - a new project to capture best practices for reviewing code<br />
* [[:Category:OWASP Guide Project|OWASP Guide Project]] - a massive document covering all aspects of web application and web service security<br />
* [[:Category:OWASP Legal Project|OWASP Legal Project]] - a project focused on contracting for secure software<br />
* [[:Category:OWASP Logging Project|OWASP Logging Project]] - a project to define best practices for logging and log management<br />
* [[:Category:OWASP Metrics Project|OWASP Metrics Project]] - a project to define workable application security metrics<br />
* [[:Category:OWASP .NET Project|OWASP .NET Project]] - a project focused on helping .NET developers build secure applications<br />
* [[:Category:OWASP PHP Project|OWASP PHP Project]] - a project focused on helping PHP developers build secure applications<br />
* [[:Category:OWASP Java Project|OWASP Java Project]] - a project focused on helping Java and J2EE developers build secure applications<br />
* [[:Category:OWASP Risk Management Project|OWASP Risk Management Project]] - a new project focused on processes for managing application security risk<br />
* [[:Category:OWASP Testing Project|OWASP Testing Project]] - a project focused on application security testing procedures and checklists<br />
* [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] - an awareness document that describes the top ten web application security vulnerabilities<br />
* [[:Category:OWASP Validation Project|OWASP Validation Project]] - a project that provides guidance and tools related to validation. <br />
* [[:Category:OWASP WASS Project|OWASP WASS Project]] - a standards project to develop more concrete criteria for secure applications<br />
* [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]] - an online training environment for hands-on learning about application security<br />
* [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]] - a tool for performing all types of security testing on web applications and web services<br />
<br />
<br />
[[OWASP Project Mailing Lists]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=7919Category:OWASP Application Security Assessment Standards Project2006-07-24T10:58:03Z<p>Cbarlow: </p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
* Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
* Define standard application assessment process in SWIM flow chart. <br />
<br />
* Define standard assessment scope per application type. <br />
<br />
* Define standard testing boundaries for application assessments. <br />
<br />
* Define what is needed on business end to prepare for application assessment. <br />
<br />
* Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
* Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
* Establish a common set of application assessment levels:<br />
<br />
** Define degree of assessment depth per level<br />
** Define testing components required per level<br />
** Establish level of tool usage/type vs. hands on assessment per level<br />
** Establish linkages between level results and security metrics derived<br />
** Establish linkages between levels and Security Maturity Models <br />
<br />
* Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
* Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
* Bob Austin, KoreLogic Security<br />
<br />
* Jeff Williams, Aspect Security<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=7918Category:OWASP Application Security Assessment Standards Project2006-07-24T10:41:22Z<p>Cbarlow: </p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
- Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
- Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
- Define standard application assessment process in SWIM flow chart. <br />
<br />
- Define standard assessment scope per application type. <br />
<br />
- Define standard testing boundaries for application assessments. <br />
<br />
- Define what is needed on business end to prepare for application assessment. <br />
<br />
- Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
- Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
- Establish a common set of application assessment levels:<br />
<br />
- Define degree of assessment depth per level<br />
- Define testing components required per level<br />
- Establish level of tool usage/type vs. hands on assessment per level<br />
- Establish linkages between level results and security metrics derived<br />
- Establish linkages between levels and Security Maturity Models <br />
<br />
- Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
- Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributers ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
<br />
- Bob Austin, KoreLogic Security<br />
<br />
- Jeff Williams, Aspect Security<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Assessment_Standards_Project&diff=7917Category:OWASP Application Security Assessment Standards Project2006-07-24T10:28:14Z<p>Cbarlow: Initial population</p>
<hr />
<div>Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.<br />
<br />
== Objective ==<br />
<br />
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:<br />
<br />
- Where practical, attempt to “standardize” nomenclature and definitions for common business application types. <br />
<br />
- Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types. <br />
<br />
- Define standard application assessment process in SWIM flow chart. <br />
<br />
- Define standard assessment scope per application type. <br />
<br />
- Define standard testing boundaries for application assessments. <br />
<br />
- Define what is needed on business end to prepare for application assessment. <br />
<br />
- Establish where in SDLC should assessment steps be defined/conducted. <br />
<br />
- Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria. <br />
<br />
- Establish a common set of application assessment levels:<br />
<br />
- Define degree of assessment depth per level<br />
- Define testing components required per level<br />
- Establish level of tool usage/type vs. hands on assessment per level<br />
- Establish linkages between level results and security metrics derived<br />
- Establish linkages between levels and Security Maturity Models <br />
<br />
- Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
<br />
- Document integration/linkages to other OWASP projects.<br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Feedback and Participation ==<br />
<br />
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. <br />
<br />
== Project Contributer ==<br />
<br />
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at cbarlow@korelogic.com. <br />
<br />
Key contributors:<br />
- Bob Austin, KoreLogic Security<br />
- Jeff Williams, Aspect Security<br />
<br />
[[Category:OWASP Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=OWASP_Application_Security_Assessment_Standards_Project_Roadmap&diff=7916OWASP Application Security Assessment Standards Project Roadmap2006-07-24T10:20:04Z<p>Cbarlow: </p>
<hr />
<div>The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. <br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Overall Roadmap Phases ==<br />
<br />
'''Phase I – Project Approach''': Comment Period for Proposed Project Approach, Solicit Contributor Support<br />
<br />
'''Phase II – Application Assessment Definitions:''' Establish core assessment definitions to ensure common base terminology.<br />
<br />
'''Phase III – Assessment Context:''' Establish standard assessment context, selection, qualification and process frameworks.<br />
<br />
'''Phase IV – Assessment Levels:''' Establish a common set of application assessment levels to be used as business guidance to ensure conducting appropriate level based on business-application-security requirements.<br />
<br />
'''Phase V – OWASP Integration:''' Document integration components and linkages with existing and underway OWASP projects.<br />
<br />
== Per Phase Project Objectives ==<br />
<br />
'''Phase I – Project Approach and Objectives'''<br />
Project Objective: Solicit Contributor feedback to ensure the most effective and widely supported approach.<br />
Target Time Frame: August, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase II – Application Assessment Definitions'''<br />
Project Objective: Establish common business application and security assessment type’s definitions. <br />
Target Time Frame: September, 2006<br />
Current Status: Call for Volunteers <br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase III – Assessment Context'''<br />
Project Objective: Define standard application assessment process in SWIM flow chart.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase III – Assessment Context'''<br />
Project Objective: Define standard assessment scope of work per application type. Includes standard testing boundaries and requirements/needs placed upon end user requesting assessment.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase III – Assessment Context'''<br />
Project Objective: Plot where within standard System Development Lifecycle (SDLC) application security assessment steps should be defined and conducted.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase III – Assessment Context'''<br />
Project Objective: Establish common set of assessor qualifications and evaluation criteria to facilitate end service user ability to determine competence per assessment type.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).<br />
Target Time Frame: December, 2006<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Create assessment levels based on previous Phase III objective. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level.<br />
Target Time Frame: March, 2007<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective.<br />
Target Time Frame: May, 2007<br />
Current Status: In hold based on outcome of Phase I and II.<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
Target Time Frame: May, 2007<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers:<br />
<br />
'''Phase V – OWASP Integration:'''<br />
Project Objective: Document integration components and linkages with existing and underway OWASP projects.<br />
Target Time Frame: July, 2007<br />
Current Status: In hold based on outcome of Phases I through III.<br />
Contributors: <br />
Reviewers: <br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=OWASP_Application_Security_Assessment_Standards_Project_Roadmap&diff=7915OWASP Application Security Assessment Standards Project Roadmap2006-07-24T10:11:08Z<p>Cbarlow: /* Per Phase Project Objectives */</p>
<hr />
<div>The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. <br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Overall Roadmap Phases ==<br />
<br />
'''Phase I – Project Approach''': Comment Period for Proposed Project Approach, Solicit Contributor Support<br />
'''<br />
Phase II – Application Assessment Definitions:''' Establish core assessment definitions to ensure common base terminology.<br />
'''<br />
Phase III – Assessment Context:''' Establish standard assessment context, selection, qualification and process frameworks.<br />
'''<br />
Phase IV – Assessment Levels:''' Establish a common set of application assessment levels to be used as business guidance to ensure conducting appropriate level based on business-application-security requirements.<br />
<br />
'''Phase V – OWASP Integration:''' Document integration components and linkages with existing and underway OWASP projects.<br />
<br />
<br />
== Per Phase Project Objectives ==<br />
'''<br />
Phase I – Project Approach and Objectives'''<br />
Project Objective: Solicit Contributor feedback to ensure the most effective and widely supported approach.<br />
Target Time Frame: August, 2006<br />
Current Status: Call for Volunteers <br />
Contributors: <br />
Reviewers:<br />
<br />
<br />
'''Phase II – Application Assessment Definitions'''<br />
Project Objective: Establish common business application and security assessment type’s definitions.<br />
Target Time Frame: September, 2006<br />
Current Status: Call for Volunteers <br />
Contributors: <br />
Reviewers: <br />
<br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Define standard application assessment process in SWIM flow chart.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
<br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Define standard assessment scope of work per application type. Includes standard testing boundaries and requirements/needs placed upon end user requesting assessment.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
<br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Plot where within standard System Development Lifecycle (SDLC) application security assessment steps should be defined and conducted.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
<br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Establish common set of assessor qualifications and evaluation criteria to facilitate end service user ability to determine competence per assessment type.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).<br />
Target Time Frame: December, 2006<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers: <br />
<br />
'''<br />
Phase IV – Assessment Levels'''<br />
Project Objective: Create assessment levels based on previous Phase III objective. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level.<br />
Target Time Frame: March, 2007<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers: <br />
<br />
'''<br />
Phase IV – Assessment Levels'''<br />
Project Objective: Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective.<br />
Target Time Frame: May, 2007<br />
Current Status: In hold based on outcome of Phase I and II.<br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
Target Time Frame: May, 2007<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase V – OWASP Integration: ''' <br />
Project Objective: Document integration components and linkages with existing and underway OWASP projects.<br />
Target Time Frame: July, 2007<br />
Current Status: In hold based on outcome of Phases I through III.<br />
Contributors: <br />
Reviewers: <br />
<br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]</div>Cbarlowhttps://wiki.owasp.org/index.php?title=OWASP_Application_Security_Assessment_Standards_Project_Roadmap&diff=7914OWASP Application Security Assessment Standards Project Roadmap2006-07-24T10:09:44Z<p>Cbarlow: Initial population of project roadmap</p>
<hr />
<div>The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. <br />
<br />
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. <br />
<br />
== Overall Roadmap Phases ==<br />
<br />
'''Phase I – Project Approach''': Comment Period for Proposed Project Approach, Solicit Contributor Support<br />
'''<br />
Phase II – Application Assessment Definitions:''' Establish core assessment definitions to ensure common base terminology.<br />
'''<br />
Phase III – Assessment Context:''' Establish standard assessment context, selection, qualification and process frameworks.<br />
'''<br />
Phase IV – Assessment Levels:''' Establish a common set of application assessment levels to be used as business guidance to ensure conducting appropriate level based on business-application-security requirements.<br />
<br />
'''Phase V – OWASP Integration:''' Document integration components and linkages with existing and underway OWASP projects.<br />
<br />
<br />
== Per Phase Project Objectives ==<br />
'''<br />
Phase I – Project Approach and Objectives'''<br />
Project Objective: Solicit Contributor feedback to ensure the most effective and widely supported approach.<br />
Target Time Frame: August, 2006<br />
Current Status: Call for Volunteers <br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase II – Application Assessment Definitions'''<br />
Project Objective: Establish common business application and security assessment type’s definitions.<br />
Target Time Frame: September, 2006<br />
Current Status: Call for Volunteers <br />
Contributors: <br />
Reviewers: <br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Define standard application assessment process in SWIM flow chart.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Define standard assessment scope of work per application type. Includes standard testing boundaries and requirements/needs placed upon end user requesting assessment.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Plot where within standard System Development Lifecycle (SDLC) application security assessment steps should be defined and conducted.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
'''<br />
Phase III – Assessment Context'''<br />
Project Objective: Establish common set of assessor qualifications and evaluation criteria to facilitate end service user ability to determine competence per assessment type.<br />
Target Time Frame: October, 2006<br />
Current Status: Call for Volunteers<br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).<br />
Target Time Frame: December, 2006<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers: <br />
'''<br />
Phase IV – Assessment Levels'''<br />
Project Objective: Create assessment levels based on previous Phase III objective. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level.<br />
Target Time Frame: March, 2007<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers: <br />
'''<br />
Phase IV – Assessment Levels'''<br />
Project Objective: Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective.<br />
Target Time Frame: May, 2007<br />
Current Status: In hold based on outcome of Phase I and II.<br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase IV – Assessment Levels'''<br />
Project Objective: Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.<br />
Target Time Frame: May, 2007<br />
Current Status: In hold based on outcome of Phase I and II. Calling for future volunteers.<br />
Contributors: <br />
Reviewers: <br />
<br />
'''Phase V – OWASP Integration: ''' <br />
Project Objective: Document integration components and linkages with existing and underway OWASP projects.<br />
Target Time Frame: July, 2007<br />
Current Status: In hold based on outcome of Phases I through III.<br />
Contributors: <br />
Reviewers: <br />
<br />
[[Category:OWASP Application Security Assessment Standards Project]]</div>Cbarlow