https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=DanielcuthbertOWASP - User contributions [en]2026-05-18T00:39:29ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=238462Category:OWASP Application Security Verification Standard Project2018-03-09T19:34:53Z<p>Danielcuthbert: added spreadsheet</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
== OWASP ASVS 3.1 (early access) ==<br />
<br />
* [[ASVS V1 Architecture]]<br />
* [[ASVS V2 Authentication]]<br />
* [[ASVS V3 Session Management]]<br />
* [[ASVS V4 Access Control]]<br />
* [[ASVS V5 Input validation and output encoding]]<br />
* [[ASVS V7 Cryptography]]<br />
* [[ASVS V8 Error Handling]]<br />
* [[ASVS V9 Data Protection]]<br />
* [[ASVS V10 Communications]]<br />
* [[ASVS V13 Malicious Code]]<br />
* [[ASVS V15 Business Logic Flaws]]<br />
* [[ASVS V16 Files and Resources]]<br />
* [[ASVS V17 Mobile]]<br />
* [[ASVS V18 API]]<br />
* [[ASVS V19 Configuration]]<br />
* [[ASVS V20 Internet of Things]]<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br/><br />
Jim Manico [mailto:jim.manico@owasp.org@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2016)]<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2013)] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0.1 in English.<br/><br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== News and Events ==<br />
<br />
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen<br />
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!<br />
* [9 Oct 2015] Version 3.0 released<br />
* [20 May 2015] "First Cut" Version 3.0 released<br />
* [11 Aug 2014] Version 2.0 released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0.1 '''<br />
<br />
== ASVS 3.0.1 in English ==<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Spanish==<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Polish==<br />
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]<br />
<br />
== ASVS 3.0.1 in Persian==<br />
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 3.0'''<br />
<br />
== ASVS 3.0 in English ==<br />
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]<br />
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet - 39 kB]]<br />
<br />
== Older versions ==<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])<br />
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])<br />
<br />
'''Application Security Verification Standard 1.0 - 2009'''<br />
<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
Translators<br />
*Abbas Javan Jafari (Persian)<br />
*Sajjad Pourali (Persian)<br />
<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
If you can help with translations, please download the latest draft here:<br />
<br />
https://github.com/OWASP/ASVS<br />
<br />
If there are any incomprehensible English idiom or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. <br />
<br />
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. <br />
<br />
https://crowdin.com/project/owasp-asvs/<br />
<br />
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 3.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=238461Category:OWASP Application Security Verification Standard Project2018-03-09T19:32:24Z<p>Danielcuthbert: added spreadsheet</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
== OWASP ASVS 3.1 (early access) ==<br />
<br />
* [[ASVS V1 Architecture]]<br />
* [[ASVS V2 Authentication]]<br />
* [[ASVS V3 Session Management]]<br />
* [[ASVS V4 Access Control]]<br />
* [[ASVS V5 Input validation and output encoding]]<br />
* [[ASVS V7 Cryptography]]<br />
* [[ASVS V8 Error Handling]]<br />
* [[ASVS V9 Data Protection]]<br />
* [[ASVS V10 Communications]]<br />
* [[ASVS V13 Malicious Code]]<br />
* [[ASVS V15 Business Logic Flaws]]<br />
* [[ASVS V16 Files and Resources]]<br />
* [[ASVS V17 Mobile]]<br />
* [[ASVS V18 API]]<br />
* [[ASVS V19 Configuration]]<br />
* [[ASVS V20 Internet of Things]]<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br/><br />
Jim Manico [mailto:jim.manico@owasp.org@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2016)]<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2013)] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0.1 in English.<br/><br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== News and Events ==<br />
<br />
* [9 March 2018] [http://OWASP%20Application%20Security%20Verification%20Standard%203.1%20Spreadsheet https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877] created by August Detlefsen<br />
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!<br />
* [9 Oct 2015] Version 3.0 released<br />
* [20 May 2015] "First Cut" Version 3.0 released<br />
* [11 Aug 2014] Version 2.0 released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0.1 '''<br />
<br />
== ASVS 3.0.1 in English ==<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Spanish==<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Polish==<br />
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]<br />
<br />
== ASVS 3.0.1 in Persian==<br />
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 3.0'''<br />
<br />
== ASVS 3.0 in English ==<br />
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]<br />
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet - 39 kB]]<br />
<br />
== Older versions ==<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])<br />
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])<br />
<br />
'''Application Security Verification Standard 1.0 - 2009'''<br />
<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
Translators<br />
*Abbas Javan Jafari (Persian)<br />
*Sajjad Pourali (Persian)<br />
<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
If you can help with translations, please download the latest draft here:<br />
<br />
https://github.com/OWASP/ASVS<br />
<br />
If there are any incomprehensible English idiom or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. <br />
<br />
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. <br />
<br />
https://crowdin.com/project/owasp-asvs/<br />
<br />
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 3.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201935Category:OWASP Application Security Verification Standard Project2015-10-09T21:08:07Z<p>Danielcuthbert: /* Version 3 (2015) = */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0 in English.<br/><br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201934Category:OWASP Application Security Verification Standard Project2015-10-09T21:06:51Z<p>Danielcuthbert: /* Volunteers */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0 in English.<br/><br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201933Category:OWASP Application Security Verification Standard Project2015-10-09T21:01:11Z<p>Danielcuthbert: /* Quick Download */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0 in English.<br/><br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201932Category:OWASP Application Security Verification Standard Project2015-10-09T21:00:51Z<p>Danielcuthbert: /* Quick Download */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]) ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201931Category:OWASP Application Security Verification Standard Project2015-10-09T21:00:20Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf] ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201929Category:OWASP Application Security Verification Standard Project2015-10-09T20:59:32Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf] ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf]<br />
* ASVS 2.0 in English ([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.6 MB]])<br />
Translation attempts wanted and appreciated. <br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201928Category:OWASP Application Security Verification Standard Project2015-10-09T20:58:41Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf] ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf]<br />
Translation attempts wanted and appreciated. <br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201926Category:OWASP Application Security Verification Standard Project2015-10-09T20:58:05Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf] ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf]<br />
Translation attempts wanted and appreciated. <br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Contributed'''<br />
* Simple English Excel Reporting ([[Media:Asvs_v2_items.xlsx|download Excel - 50KB]])<br />
* Simple French Excel Reporting ([[Media:Asvs_v2_items_fr.xlsx|download Excel - 35KB]])<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201925Category:OWASP Application Security Verification Standard Project2015-10-09T20:57:47Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf] ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf]<br />
Translation attempts wanted and appreciated. <br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Contributed'''<br />
* Simple English Excel Reporting ([[Media:Asvs_v2_items.xlsx|download Excel - 50KB]])<br />
* Simple French Excel Reporting ([[Media:Asvs_v2_items_fr.xlsx|download Excel - 35KB]])<br />
<br />
[[File:Application_Security_Verification_Standard_.png]]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201924Category:OWASP Application Security Verification Standard Project2015-10-09T20:54:34Z<p>Danielcuthbert: /* News and Events */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf] ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 (draft - close to release candidate)'''<br />
<br />
This version is currently draft, but is getting ever closer to the final version. The final version will be released at AppSec USA 2015. See you there!<br />
<br />
* ASVS 3.0 in English <br />
** GitHub Repo - [https://github.com/OWASP/ASVS/issues if you find any issues, please log a new ticket]<br />
** Google Docs - [https://docs.google.com/document/d/1dUtjOASFAWoPBEKfXd5YHF_OE-k-DsctUiq0Qcz_oZw/edit?usp=sharing master document] <br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Contributed'''<br />
* Simple English Excel Reporting ([[Media:Asvs_v2_items.xlsx|download Excel - 50KB]])<br />
* Simple French Excel Reporting ([[Media:Asvs_v2_items_fr.xlsx|download Excel - 35KB]])<br />
<br />
[[File:Application_Security_Verification_Standard_.png]]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201923Category:OWASP Application Security Verification Standard Project2015-10-09T20:53:54Z<p>Danielcuthbert: /* Quick Download */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/6/67/OWASPApplicationSecurityVerificationStandard3.0.pdf] ASVS 3.0 in English.<br/><br />
<br />
== News and Events ==<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 (draft - close to release candidate)'''<br />
<br />
This version is currently draft, but is getting ever closer to the final version. The final version will be released at AppSec USA 2015. See you there!<br />
<br />
* ASVS 3.0 in English <br />
** GitHub Repo - [https://github.com/OWASP/ASVS/issues if you find any issues, please log a new ticket]<br />
** Google Docs - [https://docs.google.com/document/d/1dUtjOASFAWoPBEKfXd5YHF_OE-k-DsctUiq0Qcz_oZw/edit?usp=sharing master document] <br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Contributed'''<br />
* Simple English Excel Reporting ([[Media:Asvs_v2_items.xlsx|download Excel - 50KB]])<br />
* Simple French Excel Reporting ([[Media:Asvs_v2_items_fr.xlsx|download Excel - 35KB]])<br />
<br />
[[File:Application_Security_Verification_Standard_.png]]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:OWASPApplicationSecurityVerificationStandard3.0.pdf&diff=201922File:OWASPApplicationSecurityVerificationStandard3.0.pdf2015-10-09T20:53:11Z<p>Danielcuthbert: </p>
<hr />
<div></div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=194461Category:OWASP Application Security Verification Standard Project2015-05-05T13:43:19Z<p>Danielcuthbert: /* Project Leaders */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf Download] the standard in English.<br />
<br />
== News and Events ==<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Contributed'''<br />
* Simple English Excel Reporting ([[Media:Asvs_v2_items.xlsx|download Excel - 50KB]])<br />
* Simple French Excel Reporting ([[Media:Asvs_v2_items_fr.xlsx|download Excel - 35KB]])<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=181234Category:OWASP Application Security Verification Standard Project2014-08-27T09:30:52Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf Download] the standard in English.<br />
<br />
== News and Events ==<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf download PDF - 1.6 MB])<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/a/a9/OWASP_ASVS_Version_2.docx download Word - 1.0MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_Version_2.docx&diff=181233File:OWASP ASVS Version 2.docx2014-08-27T09:29:52Z<p>Danielcuthbert: Danielcuthbert uploaded a new version of &quot;File:OWASP ASVS Version 2.docx&quot;</p>
<hr />
<div></div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_Version_2.pdf&diff=181232File:OWASP ASVS Version 2.pdf2014-08-27T09:29:15Z<p>Danielcuthbert: Danielcuthbert uploaded a new version of &quot;File:OWASP ASVS Version 2.pdf&quot;</p>
<hr />
<div>The OWASP Application Security Verification Standard version two</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180953Category:OWASP Application Security Verification Standard Project2014-08-22T07:31:02Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf Download] the standard in English.<br />
<br />
== News and Events ==<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf download PDF - 1.5 MB])<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/a/a9/OWASP_ASVS_Version_2.docx download Word - 1.5MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180952Category:OWASP Application Security Verification Standard Project2014-08-22T07:30:45Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
[https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf Download] the standard in English.<br />
<br />
== News and Events ==<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf download PDF - 1.5 MB])<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/a/a9/OWASP_ASVS_Version_2.docx download dock - 1.5MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_Version_2.docx&diff=180951File:OWASP ASVS Version 2.docx2014-08-22T07:29:43Z<p>Danielcuthbert: </p>
<hr />
<div></div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180398Category:OWASP Application Security Verification Standard Project2014-08-11T12:54:59Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Downloads ==<br />
<br />
{{#switchtablink:Downloads|Download}} the standard in multiple languages and formats, briefings and training information.<br />
<br />
== News and Events ==<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
[[Image:Asvs-step1.jpg]]'''1. About ASVS''' <br />
<br />
We are currently producing a series of guides/videos that will explain more about the ASVS and how you can use it, but for now, please have a look at:<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'''2. Get ASVS''' <br />
<br />
'''Application Security Verification Standard 2.0'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf download PDF - 1.5 MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Application Security Verification Standard 1.0 (final)'''<br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS''' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_Version_2.pdf&diff=180396File:OWASP ASVS Version 2.pdf2014-08-11T10:36:02Z<p>Danielcuthbert: Danielcuthbert uploaded a new version of &quot;File:OWASP ASVS Version 2.pdf&quot;</p>
<hr />
<div>The OWASP Application Security Verification Standard version two</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180395Category:OWASP Application Security Verification Standard Project2014-08-11T09:02:59Z<p>Danielcuthbert: /* News and Events */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Downloads ==<br />
<br />
{{#switchtablink:Downloads|Download}} the standard in multiple languages and formats, briefings and training information.<br />
<br />
== News and Events ==<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
[[Image:Asvs-step1.jpg]]'''1. About ASVS''' <br />
<br />
*Video presentation in English [http://www.youtube.com/watch?v=1DBW1RbQnY4 (YouTube)] <br />
*Project presentation in English ([http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt PowerPoint]) <br />
*Project presentation in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-presentation-fr.ppt PowerPoint]) <br />
*Project presentation in French (Microsoft TechDays) ([http://www.microsoft.com/france/vision/mstechdays10/Webcast.aspx?EID=413f809d-abbc-467d-a930-5e2d7da27fef Webcast])<br />
*Data sheet in English ([http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc Word]) <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'''2. Get ASVS''' <br />
<br />
'''Application Security Verification Standard 2.0'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf download PDF - 1.5 MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Application Security Verification Standard 1.0 (final)'''<br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS''' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180394Category:OWASP Application Security Verification Standard Project2014-08-11T09:02:17Z<p>Danielcuthbert: /* Version 2013 */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Downloads ==<br />
<br />
{{#switchtablink:Downloads|Download}} the standard in multiple languages and formats, briefings and training information.<br />
<br />
== News and Events ==<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
[[Image:Asvs-step1.jpg]]'''1. About ASVS''' <br />
<br />
*Video presentation in English [http://www.youtube.com/watch?v=1DBW1RbQnY4 (YouTube)] <br />
*Project presentation in English ([http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt PowerPoint]) <br />
*Project presentation in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-presentation-fr.ppt PowerPoint]) <br />
*Project presentation in French (Microsoft TechDays) ([http://www.microsoft.com/france/vision/mstechdays10/Webcast.aspx?EID=413f809d-abbc-467d-a930-5e2d7da27fef Webcast])<br />
*Data sheet in English ([http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc Word]) <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'''2. Get ASVS''' <br />
<br />
'''Application Security Verification Standard 2.0'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf download PDF - 1.5 MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Application Security Verification Standard 1.0 (final)'''<br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS''' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180393Category:OWASP Application Security Verification Standard Project2014-08-11T09:01:23Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Downloads ==<br />
<br />
{{#switchtablink:Downloads|Download}} the standard in multiple languages and formats, briefings and training information.<br />
<br />
== News and Events ==<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
[[Image:Asvs-step1.jpg]]'''1. About ASVS''' <br />
<br />
*Video presentation in English [http://www.youtube.com/watch?v=1DBW1RbQnY4 (YouTube)] <br />
*Project presentation in English ([http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt PowerPoint]) <br />
*Project presentation in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-presentation-fr.ppt PowerPoint]) <br />
*Project presentation in French (Microsoft TechDays) ([http://www.microsoft.com/france/vision/mstechdays10/Webcast.aspx?EID=413f809d-abbc-467d-a930-5e2d7da27fef Webcast])<br />
*Data sheet in English ([http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc Word]) <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'''2. Get ASVS''' <br />
<br />
'''Application Security Verification Standard 2.0'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf download PDF - 1.5 MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Application Security Verification Standard 1.0 (final)'''<br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS''' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2013 ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180392Category:OWASP Application Security Verification Standard Project2014-08-11T09:00:53Z<p>Danielcuthbert: /* Downloads */</p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Downloads ==<br />
<br />
{{#switchtablink:Downloads|Download}} the standard in multiple languages and formats, briefings and training information.<br />
<br />
== News and Events ==<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
[[Image:Asvs-step1.jpg]]'''1. About ASVS''' <br />
<br />
*Video presentation in English [http://www.youtube.com/watch?v=1DBW1RbQnY4 (YouTube)] <br />
*Project presentation in English ([http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt PowerPoint]) <br />
*Project presentation in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-presentation-fr.ppt PowerPoint]) <br />
*Project presentation in French (Microsoft TechDays) ([http://www.microsoft.com/france/vision/mstechdays10/Webcast.aspx?EID=413f809d-abbc-467d-a930-5e2d7da27fef Webcast])<br />
*Data sheet in English ([http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc Word]) <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'''2. Get ASVS''' <br />
<br />
'''Application Security Verification Standard 2.0'''<br />
<br />
* ASVS 2.0 in English ([https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf/download PDF - 1.5 MB])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Application Security Verification Standard 1.0 (final)'''<br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS''' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2013 ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_Version_2.pdf&diff=180391File:OWASP ASVS Version 2.pdf2014-08-11T08:57:03Z<p>Danielcuthbert: The OWASP Application Security Verification Standard version two</p>
<hr />
<div>The OWASP Application Security Verification Standard version two</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=180136Category:OWASP Application Security Verification Standard Project2014-08-06T13:33:08Z<p>Danielcuthbert: </p>
<hr />
<div>= Home =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|2400x160px|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
Sahba Kazerooni<br/><br />
Daniel Cuthbert<br />
<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
== Ohloh ==<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Downloads ==<br />
<br />
{{#switchtablink:Downloads|Download}} the standard in multiple languages and formats, briefings and training information.<br />
<br />
== News and Events ==<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
[[Image:Asvs-step1.jpg]]'''1. About ASVS''' <br />
<br />
*Video presentation in English [http://www.youtube.com/watch?v=1DBW1RbQnY4 (YouTube)] <br />
*Project presentation in English ([http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt PowerPoint]) <br />
*Project presentation in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-presentation-fr.ppt PowerPoint]) <br />
*Project presentation in French (Microsoft TechDays) ([http://www.microsoft.com/france/vision/mstechdays10/Webcast.aspx?EID=413f809d-abbc-467d-a930-5e2d7da27fef Webcast])<br />
*Data sheet in English ([http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc Word]) <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'''2. Get ASVS''' <br />
<br />
'''Application Security Verification Standard 2.0 (beta)'''<br />
<br />
* ASVS 2.0 beta in English ([http://sourceforge.net/projects/owasp/files/ASVS/OWASP%20ASVS%202013%20Beta_v1.0.docx/download Word - 510 KB]) ([http://sourceforge.net/projects/owasp/files/ASVS/OWASP%20ASVS%202013%20Beta%20_v1.0.pdf/download PDF - 1.2 MB])<br />
<br />
We are looking for translators for the final push. If you can help us, please contact the project mail list!<br />
<br />
'''Application Security Verification Standard 1.0 (final)'''<br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS''' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 2013 ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=User:DCuthbert&diff=105631User:DCuthbert2011-02-23T13:28:48Z<p>Danielcuthbert: </p>
<hr />
<div>Daniel Cuthbert has been involved with OWASP since 2002 and joined Mark Curphey in creating the OWASP Testing Guide. He is currently the Assessment Manager for SensePost in South Africa. Danie's experience ranges from application security assessments, threat modeling and security training. He is familiar with the Software Development Life Cycle (SDLC) and has trained developers in understanding where threats are introduced into the life cycle and how they can prevent common attacks from taking place. <br />
<br />
He holds two Masters degrees, one in Information Security from the University of Westminster, and is a published Documentary Photographer.<br />
<br />
[mailto:daniel.cuthbert(at)owasp.org Email address].</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=User:DCuthbert&diff=105250User:DCuthbert2011-02-16T14:55:33Z<p>Danielcuthbert: Created page with "Daniel Cuthbert has been involved with OWASP since the start and was responsible for the OWASP Testing Guide. He is currently the Assessment Manager for SensePost in South Africa..."</p>
<hr />
<div>Daniel Cuthbert has been involved with OWASP since the start and was responsible for the OWASP Testing Guide. He is currently the Assessment Manager for SensePost in South Africa and is responsible for penetration testing, code reviews and general security consulting. <br />
<br />
He is familiar with the SDLC approach and has trained extensively in subjects ranging from security assessments to secure development guidelines and approaches. <br />
<br />
He holds two Masters degrees and a fascination for shoes. <br />
<br />
[mailto:daniel.cuthbert(at)owasp.org Email address].</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Summit_2011/Open_letter_to_WebAppSec_Tool_and_Services_vendors:_Release_your_schemas_and_allow_automation&diff=103234Summit 2011/Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation2011-02-03T11:16:29Z<p>Danielcuthbert: /* Signed by */</p>
<hr />
<div><BR>__TOC__<BR><br />
'''IMPORTANT DISCLAIMER: THIS LETTER IS NOT AN OFFICIAL OWASP POSITION. THE OWNERSHIP OF ITS REQUEST BELONGS TO THE NAMES UNDER THE 'SIGNED BY' SECTION'''<br />
<br/><br/><br />
{{:Summit_2011/Open_letter_to_WebAppSec_Tool_and_Services_vendors:_Release_your_schemas_and_allow_automation/Letter_Content}}<br />
<br/><br/><br />
==Signed by==<br />
* Dinis Cruz - Application Security Consultant - Independent<br />
* Sebastien Deleersnyder - Managing Technical Consultant - SAIT Zenitel<br />
* Jim Manico - CEO - Infrared Security<br />
* Alexander Meisel - CTO - art of defence<br />
* Sven Vetsch - Senior Security Tester - Dreamlab Technologies<br />
* Daniel Cuthbert - Assessment Manager - SensePost<br />
<br />
Please use the format: {Name - Role - Company}<br />
<br />
==Vendors that commit to deliver the requested materials==<br />
* art of defence</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session024&diff=96551Summit 2011 Working Sessions/Session0242010-12-15T08:30:55Z<p>Danielcuthbert: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions tab</noinclude><br />
|-<br />
| summit_session_name = Computer Crime Laws<br />
| summit_session_url = http://www.owasp.org/index.php/Working_Sessions_Computer_Crime_Laws<br />
|-<br />
| summit_session_objective_name1= *Understand the current laws/frameworks in place in relation to computer crime and prevention<br><br />
| summit_session_objective_name2 = *Discuss ways these laws are currently failing consumers in protecting assets<br><br />
| summit_session_objective_name3 = *Discuss possible amendments to the laws/frameworks to better protect the public<br><br />
| summit_session_objective_name4 = <br />
| summit_session_objective_name5 = <br />
|-<br />
|summit_session_deliverable_name1 = <br />
|summit_session_deliverable_url_1 = <br />
|summit_session_deliverable_name2 = <br />
|summit_session_deliverable_url_2 = <br />
|summit_session_deliverable_name3 = <br />
|summit_session_deliverable_url_3 = <br />
|summit_session_deliverable_name4 = <br />
|summit_session_deliverable_url_4 = <br />
|summit_session_deliverable_name5 = <br />
|summit_session_deliverable_url_5 = <br />
|-<br />
| summit_session_leader_name1 = Daniel Cuthbert<br />
| summit_session_leader_email1 = Daniel.Cuthbert@owasp.org<br />
| summit_session_leader_wiki_username1 = <br />
| summit_session_leader_name2 = <br />
| summit_session_leader_email2 = <br />
| summit_session_leader_wiki_username2 =<br />
| summit_session_leader_name3 = <br />
| summit_session_leader_email3 = <br />
| summit_session_leader_wiki_username3 =<br />
|-<br />
| summit_session_attendee_name1 = <br />
| summit_session_attendee_email1 = <br />
| summit_session_attendee_wiki_username1 = <br />
| summit_session_attendee_name2 = <br />
| summit_session_attendee_email2 = <br />
| summit_session_attendee_wiki_username2 = <br />
| summit_session_attendee_name3 = <br />
| summit_session_attendee_email3 = <br />
| summit_session_attendee_wiki_username3 = <br />
| summit_session_attendee_name4 = <br />
| summit_session_attendee_email4 = <br />
| summit_session_attendee_wiki_username4 = <br />
| summit_session_attendee_name5 = <br />
| summit_session_attendee_email5 = <br />
| summit_session_attendee_wiki_username5 = <br />
| summit_session_attendee_name6 = <br />
| summit_session_attendee_email6 = <br />
| summit_session_attendee_wiki_username6 = <br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_wiki_username7 = <br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_wiki_username8 = <br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_wiki_username9 = <br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_wiki_username10 = <br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_wiki_username11 = <br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_wiki_username12 = <br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_wiki_username13 = <br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_wiki_username14 = <br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_wiki_username15 = <br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_wiki_username16 = <br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_wiki_username17= <br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_wiki_username18 = <br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_wiki_username19 = <br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_wiki_username20 = <br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session024<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session024<br />
}}</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session024&diff=96549Summit 2011 Working Sessions/Session0242010-12-15T08:29:01Z<p>Danielcuthbert: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions tab</noinclude><br />
|-<br />
| summit_session_name = Computer Crime Laws<br />
| summit_session_url = http://www.owasp.org/index.php/Working_Sessions_Computer_Crime_Laws<br />
|-<br />
| summit_session_objective_name1= Understand the current laws/frameworks in place in relation to computer crime and prevention<br />
| summit_session_objective_name2 = Discuss ways these laws are currently failing consumers in protecting assets<br />
| summit_session_objective_name3 = Discuss possible amendments to the laws/frameworks to better protect the public<br />
| summit_session_objective_name4 = <br />
| summit_session_objective_name5 = <br />
|-<br />
|summit_session_deliverable_name1 = <br />
|summit_session_deliverable_url_1 = <br />
|summit_session_deliverable_name2 = <br />
|summit_session_deliverable_url_2 = <br />
|summit_session_deliverable_name3 = <br />
|summit_session_deliverable_url_3 = <br />
|summit_session_deliverable_name4 = <br />
|summit_session_deliverable_url_4 = <br />
|summit_session_deliverable_name5 = <br />
|summit_session_deliverable_url_5 = <br />
|-<br />
| summit_session_leader_name1 = Daniel Cuthbert<br />
| summit_session_leader_email1 = Daniel.Cuthbert@owasp.org<br />
| summit_session_leader_wiki_username1 = <br />
| summit_session_leader_name2 = <br />
| summit_session_leader_email2 = <br />
| summit_session_leader_wiki_username2 =<br />
| summit_session_leader_name3 = <br />
| summit_session_leader_email3 = <br />
| summit_session_leader_wiki_username3 =<br />
|-<br />
| summit_session_attendee_name1 = <br />
| summit_session_attendee_email1 = <br />
| summit_session_attendee_wiki_username1 = <br />
| summit_session_attendee_name2 = <br />
| summit_session_attendee_email2 = <br />
| summit_session_attendee_wiki_username2 = <br />
| summit_session_attendee_name3 = <br />
| summit_session_attendee_email3 = <br />
| summit_session_attendee_wiki_username3 = <br />
| summit_session_attendee_name4 = <br />
| summit_session_attendee_email4 = <br />
| summit_session_attendee_wiki_username4 = <br />
| summit_session_attendee_name5 = <br />
| summit_session_attendee_email5 = <br />
| summit_session_attendee_wiki_username5 = <br />
| summit_session_attendee_name6 = <br />
| summit_session_attendee_email6 = <br />
| summit_session_attendee_wiki_username6 = <br />
| summit_session_attendee_name7 = <br />
| summit_session_attendee_email7 = <br />
| summit_session_attendee_wiki_username7 = <br />
| summit_session_attendee_name8 = <br />
| summit_session_attendee_email8 = <br />
| summit_session_attendee_wiki_username8 = <br />
| summit_session_attendee_name9 = <br />
| summit_session_attendee_email9 = <br />
| summit_session_attendee_wiki_username9 = <br />
| summit_session_attendee_name10 = <br />
| summit_session_attendee_email10 = <br />
| summit_session_attendee_wiki_username10 = <br />
| summit_session_attendee_name11 = <br />
| summit_session_attendee_email11 = <br />
| summit_session_attendee_wiki_username11 = <br />
| summit_session_attendee_name12 = <br />
| summit_session_attendee_email12 = <br />
| summit_session_attendee_wiki_username12 = <br />
| summit_session_attendee_name13 = <br />
| summit_session_attendee_email13 = <br />
| summit_session_attendee_wiki_username13 = <br />
| summit_session_attendee_name14 = <br />
| summit_session_attendee_email14 = <br />
| summit_session_attendee_wiki_username14 = <br />
| summit_session_attendee_name15 = <br />
| summit_session_attendee_email15 = <br />
| summit_session_attendee_wiki_username15 = <br />
| summit_session_attendee_name16 = <br />
| summit_session_attendee_email16 = <br />
| summit_session_attendee_wiki_username16 = <br />
| summit_session_attendee_name17 = <br />
| summit_session_attendee_email17 = <br />
| summit_session_attendee_wiki_username17= <br />
| summit_session_attendee_name18 = <br />
| summit_session_attendee_email18 = <br />
| summit_session_attendee_wiki_username18 = <br />
| summit_session_attendee_name19 = <br />
| summit_session_attendee_email19 = <br />
| summit_session_attendee_wiki_username19 = <br />
| summit_session_attendee_name20 = <br />
| summit_session_attendee_email20 = <br />
| summit_session_attendee_wiki_username20 = <br />
|-<br />
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session024<br />
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session024<br />
}}</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Summit_2011_Attendee/Attendee075&diff=96290Summit 2011 Attendee/Attendee0752010-12-14T13:58:39Z<p>Danielcuthbert: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP 2011 Global Summit Attendee Tab</noinclude><br />
|-<br />
| summit_attendee_name1 = Daniel Cuthbert<br />
| summit_attendee_email1 = Daniel.Cuthbert@owasp.org<br />
| summit_attendee_wiki_username1 = Danielcuthbert<br />
|-<br />
| summit_attendee_company = OWASP<br />
|-<br />
| summit_attendee_current_owasp_involvement_name1 = OWASP Testing Guide <br />
| summit_attendee_current_owasp_involvement_url_1 = <br />
| summit_attendee_current_owasp_involvement_name2 = OWASP Common Vulnerability List<br />
| summit_attendee_current_owasp_involvement_url_2 = <br />
| summit_attendee_current_owasp_involvement_name3 = <br />
| summit_attendee_current_owasp_involvement_url_3 = <br />
| summit_attendee_current_owasp_involvement_name4 = <br />
| summit_attendee_current_owasp_involvement_url_4 = <br />
| summit_attendee_current_owasp_involvement_name5 = <br />
| summit_attendee_current_owasp_involvement_url_5 = <br />
|-<br />
| summit_attendee_reason_for_summit_participation_name1 = Computer Crime Laws: Current shortcomings and how to make them more effective at combating crime.<br />
| summit_attendee_reason_for_summit_participation_url_1 = <br />
| notes_reason_for_participating_issues_to_be_discussed_1 = <br />
| summit_attendee_reason_for_summit_participation_name2 = <br />
| summit_attendee_reason_for_summit_participation_url_2 = <br />
| notes_reason_for_participating_issues_to_be_discussed_2 = <br />
| summit_attendee_reason_for_summit_participation_name3 = <br />
| summit_attendee_reason_for_summit_participation_url_3 = <br />
| notes_reason_for_participating_issues_to_be_discussed_3 = <br />
| summit_attendee_reason_for_summit_participation_name4 = <br />
| summit_attendee_reason_for_summit_participation_url_4 = <br />
| notes_reason_for_participating_issues_to_be_discussed_4 = <br />
| summit_attendee_reason_for_summit_participation_name5 = <br />
| summit_attendee_reason_for_summit_participation_url_5 = <br />
| notes_reason_for_participating_issues_to_be_discussed_5 = <br />
|-<br />
| summit_attendee_owasp_sponsor = <br />
|-<br />
| summit_attendee_summit_time_paid_by_name1 =<br />
| summit_attendee_summit_time_paid_by_url_1 =<br />
| summit_attendee_summit_time_paid_by_name2 =<br />
| summit_attendee_summit_time_paid_by_url_2 =<br />
|-<br />
| summit_attendee_summit_expenses_paid_by_name1 = <br />
| summit_attendee_summit_expenses_paid_by_url_1 = <br />
| summit_attendee_summit_expenses_paid_by_name2 = <br />
| summit_attendee_summit_expenses_paid_by_url_2 = <br />
|-<br />
| reason_for_sponsorship = OWASP History Leaders<br />
|-<br />
| status = Confirmed, seeking funds<br />
|-<br />
| letter sent to sponsor = <br />
|-<br />
| notes for Kate =<br />
|-<br />
| attendee_name_mask = <!--Please replace DO NOT EDIT this string --> Attendee075<br />
| attendee_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Attendee/Attendee075 <br />
}}</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=Summit_2011_Attendee/Attendee075&diff=96289Summit 2011 Attendee/Attendee0752010-12-14T13:55:38Z<p>Danielcuthbert: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP 2011 Global Summit Attendee Tab</noinclude><br />
|-<br />
| summit_attendee_name1 = Daniel Cuthbert<br />
| summit_attendee_email1 = Daniel.Cuthbert@owasp.org<br />
| summit_attendee_wiki_username1 = Danielcuthbert<br />
|-<br />
| summit_attendee_company = OWASP<br />
|-<br />
| summit_attendee_current_owasp_involvement_name1 = OWASP Testing Guide <br />
| summit_attendee_current_owasp_involvement_url_1 = <br />
| summit_attendee_current_owasp_involvement_name2 = OWASP Common Vulnerability List<br />
| summit_attendee_current_owasp_involvement_url_2 = <br />
| summit_attendee_current_owasp_involvement_name3 = <br />
| summit_attendee_current_owasp_involvement_url_3 = <br />
| summit_attendee_current_owasp_involvement_name4 = <br />
| summit_attendee_current_owasp_involvement_url_4 = <br />
| summit_attendee_current_owasp_involvement_name5 = <br />
| summit_attendee_current_owasp_involvement_url_5 = <br />
|-<br />
| summit_attendee_reason_for_summit_participation_name1 = Computer Crime Laws: What's wrong and how they could be made better.<br />
| summit_attendee_reason_for_summit_participation_url_1 = <br />
| notes_reason_for_participating_issues_to_be_discussed_1 = <br />
| summit_attendee_reason_for_summit_participation_name2 = <br />
| summit_attendee_reason_for_summit_participation_url_2 = <br />
| notes_reason_for_participating_issues_to_be_discussed_2 = <br />
| summit_attendee_reason_for_summit_participation_name3 = <br />
| summit_attendee_reason_for_summit_participation_url_3 = <br />
| notes_reason_for_participating_issues_to_be_discussed_3 = <br />
| summit_attendee_reason_for_summit_participation_name4 = <br />
| summit_attendee_reason_for_summit_participation_url_4 = <br />
| notes_reason_for_participating_issues_to_be_discussed_4 = <br />
| summit_attendee_reason_for_summit_participation_name5 = <br />
| summit_attendee_reason_for_summit_participation_url_5 = <br />
| notes_reason_for_participating_issues_to_be_discussed_5 = <br />
|-<br />
| summit_attendee_owasp_sponsor = <br />
|-<br />
| summit_attendee_summit_time_paid_by_name1 =<br />
| summit_attendee_summit_time_paid_by_url_1 =<br />
| summit_attendee_summit_time_paid_by_name2 =<br />
| summit_attendee_summit_time_paid_by_url_2 =<br />
|-<br />
| summit_attendee_summit_expenses_paid_by_name1 = <br />
| summit_attendee_summit_expenses_paid_by_url_1 = <br />
| summit_attendee_summit_expenses_paid_by_name2 = <br />
| summit_attendee_summit_expenses_paid_by_url_2 = <br />
|-<br />
| reason_for_sponsorship = <br />
|-<br />
| status = <br />
|-<br />
| letter sent to sponsor = <br />
|-<br />
| notes for Kate =<br />
|-<br />
| attendee_name_mask = <!--Please replace DO NOT EDIT this string --> Attendee075<br />
| attendee_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Attendee/Attendee075 <br />
}}</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_Request_for_Proposals/New_Project_Leader/ASVS/Application_3&diff=87306OWASP Request for Proposals/New Project Leader/ASVS/Application 32010-08-04T10:06:44Z<p>Danielcuthbert: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>New Project Leader Applicants</noinclude><br />
<br />
| Applicant_Name = Daniel Cuthbert <!--Please replace 'Applicant 3' by your name (REQUIRED field)--><br />
| Applicant_Email = daniel.cuthbert@owasp.org<!--Please replace all this text by your email address (REQUIRED field)--><br />
| Applicant_Wiki_Username = danielcuthbert<!--Please replace this text by your wiki username (REQUIRED field)--><br />
| Curriculum_Vitae_url = http://uk.linkedin.com/pub/daniel-cuthbert/18/622/b44<!--Please replace all this text by your CV's web link (REQUIRED field)--><br />
<br />
| Proposed_Roadmap_url = <!--Please replace all this text by your Roadmap's web link (OPTIONAL field - choose between this field and the following one)--><br />
<br />
| Proposed_Roadmap_Text =<br />
As one of the founding authors of the OWASP Testing Guide, I see the potential and need for a mature and industry accepted ASVS Project. ASVS has the potential to become an industry standard reference, to get there I think it needs: marketing, public acceptance by industry heavyweights and strict quality control of the current content. My aim as leader would be to drive the marketing campaign and discuss with as many big industry players about the benefits of adopting ASVS. <br />
<!--Please replace all this text with a Roadmap (OPTIONAL field - choose between this field and the previous one)--><br />
<br />
<!--##### Please replace/edit these variables ##### --> <br />
| Applicant_name_mask = Application_3 <br />
| Applicant_home_page = :OWASP_Request_for_Proposals/New_Project_Leader/ASVS/Application_3 <br />
| Applications_home_page = Seeking_New_Project_Leader_For/ASVS<br />
}}</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_Request_for_Proposals/New_Project_Leader/ASVS/Application_3&diff=87283OWASP Request for Proposals/New Project Leader/ASVS/Application 32010-08-03T10:54:51Z<p>Danielcuthbert: </p>
<hr />
<div>{{Template:<includeonly>{{{1}}}</includeonly><noinclude>New Project Leader Applicants</noinclude><br />
<br />
| Applicant_Name = Daniel Cuthbert <!--Please replace 'Applicant 3' by your name (REQUIRED field)--><br />
| Applicant_Email = daniel.cuthbert@owasp.org<!--Please replace all this text by your email address (REQUIRED field)--><br />
| Applicant_Wiki_Username = danielcuthbert<!--Please replace this text by your wiki username (REQUIRED field)--><br />
| Curriculum_Vitae_url = http://uk.linkedin.com/pub/daniel-cuthbert/18/622/b44<!--Please replace all this text by your CV's web link (REQUIRED field)--><br />
<br />
| Proposed_Roadmap_url = <!--Please replace all this text by your Roadmap's web link (OPTIONAL field - choose between this field and the following one)--><br />
<br />
| Proposed_Roadmap_Text = <!--Please replace all this text with a Roadmap (OPTIONAL field - choose between this field and the previous one)--><br />
<br />
<!--##### Please replace/edit these variables ##### --> <br />
| Applicant_name_mask = Application_3 <br />
| Applicant_home_page = :OWASP_Request_for_Proposals/New_Project_Leader/ASVS/Application_3 <br />
| Applications_home_page = Seeking_New_Project_Leader_For/ASVS<br />
}}</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_for_Charities&diff=76561OWASP for Charities2010-01-20T16:50:41Z<p>Danielcuthbert: </p>
<hr />
<div>'''OWASP for Charities'''<br />
<br />
OWASP was founded, and is supported as a non-profit organization, by a group of dedicated volunteers who believe that all applications should be secure and trusted. As our organization matures we have taken those beliefs broader, and have started setting up ways for our members to donate to the global community. <br />
<br />
Among these initiatives are:<br />
<br />
*OWASP has an active Kiva lending team who have donated $9,125.00 to date. http://www.kiva.org/community/viewTeam?team_id=522<br />
*OWASP in response to the need in Haiti has set up a secure and trusted way for those within the OWASP community to donate funds to help the people of Haiti. This allows our OWASP community to help another with a single global voice. 100% of the collected donations will be transferred directly to victims for disaster relief such as food and medical requirements. Please visit www.owasp.org and click the link for G33k-4-HAITI. <br />
<br />
As the world becomes more dependent on technology and particularly web applications, there are many who need protection who simply have no options to protect themselves. These include small companies, individuals, charities, and NGO's. The aim of OWASP for charities is to place skilled IT volunteers where their expertise and experience can be put to good use helping those helping others. <br />
<br />
<br />
<br />
'''What OWASP for Charities requires:'''<br />
<br />
*Volunteers in the IT community willing to give up an hour or more of their time helping Aid organisations/NGO's and other smaller companies and charities, tackle their technology issues. This could be anything from the hardening of web servers and donation pages to ensuring the servers themselves can withstand the loads often seen during times of crisis. <br />
*Volunteers able to help charities on the ground with basic IT problem solving and development. <br />
*Suggestions of charities/organisations in need. <br />
<br />
<br />
<br />
'''If you are able to volunteer:'''<br />
*Send me an email outlining your expertise and how you can help. In addition, tell me where you are located<br />
<br />
<br />
'''If you are a charity or organisation in need:'''<br />
*Let us know how you need help and what can be done. We have a wide reach of IT professionals all over the globe who are in a position to help with most IT related problems. <br />
<br />
<br />
What makes OWASP different to others offering the same service?. We are a global organisation, with a ever-widening reach globally. With over 10 000 active members worldwide, it is possible to help in areas that others might not be able to. To that end, we all share the same end goal of helping where possible and as much as we can. Johnny's Hackers for Charity [http://www.hackersforcharity.org] project has done some amazing work in East Africa and one we fully support. <br />
<br />
We hope you will support OWASPs efforts to make a difference in any of the above ways. We are also open to suggestions in regards to where you feel the OWASP Community can be of service.<br />
<br />
I can be reached via email at daniel.cuthbert@owasp.org</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_for_Charities&diff=76560OWASP for Charities2010-01-20T16:31:38Z<p>Danielcuthbert: </p>
<hr />
<div>'''OWASP for Charities'''<br />
<br />
OWASP was founded, and is supported as a non-profit organization, by a group of dedicated volunteers who believe that all applications should be secure and trusted. As our organization matures we have taken those beliefs broader, and have started setting up ways for our members to donate to the global community. <br />
<br />
Among these initiatives are:<br />
<br />
*OWASP has an active Kiva lending team who have donated $9,125.00 to date. http://www.kiva.org/community/viewTeam?team_id=522<br />
*OWASP in response to the need in Haiti has set up a secure and trusted way for those within the OWASP community to donate funds to help the people of Haiti. This allows our OWASP community to help another with a single global voice. 100% of the collected donations will be transferred directly to victims for disaster relief such as food and medical requirements. Please visit www.owasp.org and click the link for G33k-4-HAITI. <br />
<br />
As the world becomes more dependent on technology and particularly web applications, there are many who need protection who simply have no options to protect themselves. These include small companies, individuals, charities, and NGO's. The aim of OWASP for charities is to place skilled IT volunteers where their expertise and experience can be put to good use helping those helping others. <br />
<br />
<br />
<br />
'''What OWASP for Charities requires:'''<br />
<br />
*Volunteers in the IT community willing to give up an hour or more of their time helping Aid organisations/NGO's and other smaller companies and charities, tackle their technology issues. This could be anything from the hardening of web servers and donation pages to ensuring the servers themselves can withstand the loads often seen during times of crisis. <br />
*Volunteers able to help charities on the ground with basic IT problem solving and development. <br />
*Suggestions of charities/organisations in need. <br />
<br />
<br />
<br />
'''If you are able to volunteer:'''<br />
*Send me an email outlining your expertise and how you can help. In addition, tell me where you are located<br />
<br />
<br />
'''If you are a charity or organisation in need:'''<br />
*Let us know how you need help and what can be done. We have a wide reach of IT professionals all over the globe who are in a position to help with most IT related problems. <br />
<br />
<br />
<br />
We hope you will support OWASPs efforts to make a difference in any of the above ways. We are also open to suggestions in regards to where you feel the OWASP Community can be of service.<br />
<br />
I can be reached via email at daniel.cuthbert@owasp.org</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_for_Charities&diff=76557OWASP for Charities2010-01-20T15:02:34Z<p>Danielcuthbert: </p>
<hr />
<div>'''OWASP for Charities'''<br />
<br />
OWASP was founded, and is supported as a non-profit organization, by a group of dedicated volunteers who believe that all applications should be secure and trusted. As our organization matures we have taken those beliefs broader, and have started setting up ways for our members to donate to the global community. <br />
<br />
Among these initiatives are:<br />
<br />
*OWASP has an active Kiva lending team who have donated $9,125.00 to date. http://www.kiva.org/community/viewTeam?team_id=522<br />
*OWASP in response to the need in Haiti has set up a secure and trusted way for those within the OWASP community to donate funds to help the people of Haiti. This allows our OWASP community to help another with a single global voice. 100% of the collected donations will be transferred directly to victims for disaster relief such as food and medical requirements. Please visit www.owasp.org and click the link for G33k-4-HAITI. <br />
<br />
As the world becomes more dependent on technology and particularly web applications, there are many who need protection who simply have no options to protect themselves. These include small companies, individuals, charities, and NGO's. The aim of OWASP for charities is to place skilled IT volunteers where their expertise and experience can be put to good use helping those helping others. <br />
<br />
<br />
<br />
'''What OWASP for Charities requires:'''<br />
<br />
*Volunteers in the IT community willing to give up and hour or more of their time helping Aid organisations/NGO's and other smaller companies and charities, tackle their technology issues. This could be anything from the hardening of web servers and donation pages to ensuring the servers themselves can withstand the loads often seen during times of crisis. <br />
*Volunteers able to help charities on the ground with basic IT problem solving and development. <br />
*Suggestions of charities/organisations in need. <br />
<br />
<br />
<br />
'''If you are able to volunteer:'''<br />
*Send me an email outlining your expertise and how you can help. In addition, tell me where you are located<br />
<br />
<br />
We hope you will support OWASPs efforts to make a difference in any of the above ways. We are also open to suggestions in regards to where you feel the OWASP Community can be of service.<br />
<br />
I can be reached via email at daniel.cuthbert@owasp.org</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_for_Charities&diff=76555OWASP for Charities2010-01-20T15:00:04Z<p>Danielcuthbert: </p>
<hr />
<div>'''OWASP for Charities'''<br />
<br />
OWASP was founded, and is supported as a non-profit organization, by a group of dedicated volunteers who believe that all applications should be secure and trusted. As our organization matures we have taken those beliefs broader, and have started setting up ways for our members to donate to the global community. <br />
<br />
Among these initiatives are:<br />
<br />
*OWASP has an active Kiva lending team who have donated $9,125.00 to date. http://www.kiva.org/community/viewTeam?team_id=522<br />
*OWASP in response to the need in Haiti has set up a secure and trusted way for those within the OWASP community to donate funds to help the people of Haiti. This allows our OWASP community to help another with a single global voice. 100% of the collected donations will be transferred directly to victims for disaster relief such as food and medical requirements. Please visit www.owasp.org and click the link for G33k-4-HAITI. <br />
<br />
As the world becomes more dependent on technology and particularly web applications, there are many who need protection who simply have no options to protect themselves. These include small companies, individuals, charities, and NGO's. The aim of OWASP for charities is to place skilled IT volunteers where their expertise and experience can be put to good use helping those helping others. <br />
<br />
<br />
<br />
'''What OWASP for Charities requires:'''<br />
<br />
*Volunteers in the IT community willing to give up and hour or more of their time helping Aid organisations/NGO's and other smaller companies and charities, tackle their technology issues. This could be anything from hardening web servers and donation pages to ensuring the servers themselves can withstand the loads often seen during times of crisis. <br />
*Volunteers able to help charities on the ground with basic IT problem solving and development. <br />
*Suggestions of charities/organisations in need. <br />
<br />
<br />
<br />
'''If you are able to volunteer:'''<br />
*Send me an email outlining your expertise and how you can help. In addition, tell me where you are located<br />
<br />
<br />
We hope you will support OWASPs efforts to make a difference in any of the above ways. We are also open to suggestions in regards to where you feel the OWASP Community can be of service.<br />
<br />
I can be reached via email at daniel.cuthbert@owasp.org</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_for_Charities&diff=76554OWASP for Charities2010-01-20T14:47:55Z<p>Danielcuthbert: Created page with ''''OWASP for Charities''' OWASP was founded, and is supported as a non-profit organization, by a group of dedicated volunteers who believe that all applications should be secure…'</p>
<hr />
<div>'''OWASP for Charities'''<br />
<br />
OWASP was founded, and is supported as a non-profit organization, by a group of dedicated volunteers who believe that all applications should be secure and trusted. As our organization matures we have taken those beliefs broader, and have started setting up ways for our members to donate to the global community. <br />
<br />
Among these initiatives are:<br />
<br />
*OWASP has an active Kiva lending team who have donated $9,125.00 to date. http://www.kiva.org/community/viewTeam?team_id=522<br />
*OWASP in response to the need in Haiti has set up a secure and trusted way for those within the OWASP community to donate funds to help the people of Haiti. This allows our OWASP community to help another with a single global voice. 100% of the collected donations will be transferred directly to victims for disaster relief such as food and medical requirements. Please visit www.owasp.org and click the link for G33k-4-HAITI. <br />
<br />
As the world becomes more dependent on technology and particularly web applications, there are many who need protection who simply have no options to protect themselves. These include small companies, individuals, charities, and NGO's. The aim of OWASP for charities is to place skilled IT volunteers where their expertise and experience can be put to good use helping those helping others. <br />
<br />
<br />
'''What OWASP for Charities requires:'''<br />
<br />
*Volunteers in the IT community willing to give up and hour or more of their time helping Aid organisations/NGO's and other smaller companies and charities, tackle their technology issues. This could be anything from hardening web servers and donation pages to ensuring the servers themselves can withstand the loads often seen during times of crisis. <br />
*Volunteers able to help charities on the ground with basic IT problem solving and development. <br />
*Suggestions of charities/organisations in need. <br />
<br />
<br />
We hope you will support OWASPs efforts to make a difference in any of the above ways. We are also open to suggestions in regards to where you feel the OWASP Community can be of service.<br />
<br />
I can be reached via email at daniel.cuthbert@owasp.org</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference&diff=30330OWASP NYC AppSec 2008 Conference2008-06-04T05:44:30Z<p>Danielcuthbert: /* OWASP NYC AppSec 2008 Conference Schedule – Sept 24th - Sept 25th */</p>
<hr />
<div>= OWASP NYC AppSec 2008 - September 22th-25th 2008 =<br />
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}<br />
In association with: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net ISACA], [http://www.issa.org ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at <b>[http://www.pace.edu/page.cfm?doc_id=16157 Pace University]</b>, located in downtown New York City at <b>One Pace Plaza New York, NY 10038.</b> Event Fees: $300 for 2 days of seminars, $675 for 1-day training classes and $1,350 for 2-day courses. [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif] - do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]<br />
<hr><br />
<center>[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Diamond Sponsor] - [http://www.imperva.com https://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg]<br><br />
<br>[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Platinum Sponsor] - [http://www.cenzic.com/ https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif] - [https://www.owasp.org/images/6/60/NY_Sponsorship.pdf https://www.owasp.org/images/f/f8/Sponsorsm.gif] </center><br><br />
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Gold & Silver Sponsors] -<br />
[http://www.proactiverisk.com https://www.owasp.org/images/9/97/Proactiverisk_logo.jpg] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.accessitgroup.com https://www.owasp.org/images/6/6d/Accessit.JPG] - [http://www.ouncelabs.com https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg] - [http://www.isc2.org http://www.owasp.org/images/4/45/Isc2logo.gif] - [https://www.owasp.org/images/6/60/NY_Sponsorship.pdf https://www.owasp.org/images/f/f8/Sponsorsm.gif]<br />
<br><br />
<center>[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities] -- [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center> <br />
<hr><br />
<br />
== OWASP NYC AppSec 2008 Conference Schedule – Sept 24th - Sept 25th ==<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: <br />
| style="width:30%; background:#BCA57A" | Track 2: <br />
| style="width:30%; background:#7B8ABD" | Track 3: <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:00-09:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Registration Opens and Tech Expo'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:15-10:15 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Introduction, OWASP Version 3.0 where we are.. where we are going <br />
''OWASP Foundation Board Jeff Williams, Tom Brennan, Dinis Cruz, Sebastien Deleersnyder & Dave Wichers''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:30 || style="width:30%; background:#BC857A" align="left" | Logic Attacks and Inefficiencies of Robotic Detection<br />
''Robert "RSnake" Hansen CEO [http://www.sectheory.com SecTheory]''<br />
| style="width:30%; background:#BCA57A" align="left" | Offensive Assessing Financial Apps<br />
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert Daniel Cuthbert]''<br />
| style="width:30%; background:#7B8ABD" align="left" | Web Intrusion Detection with ModSecurity <br />
''Ivan Ristic''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:30%; background:#BC857A" align="left" | Reverse Engineering .NET<br />
''Adam Boulton''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz] 0.1 - 1.1: [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Building a Java Fuzzer for the Web]<br />
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou] - Senior Director - [http://www.ouncelabs.com Ounce Labs] ''<br />
| style="width:30%; background:#7B8ABD" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LIVE CD] <br />
''Joshua Perrymon - CEO [http://www.packetfocus.com Packetfocus]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:30-13:30 || style="width:30%; background:#BC857A" align="left" | [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]<br />
''Gunter Ollmann, Director Security Strategy, [http://www.iss.net IBM Internet Security Systems]''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP CLASP<br />
''Pravir Chandra''<br />
| style="width:30%; background:#7B8ABD" align="left" | Shootout at the Blackbox Corral <br />
''Dinis Cruz & Larry Suto''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:30-14:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Collective Intelligence - Jennifer Bayuk-CISO Bear Stearns, Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik Royal Bank of Scotland & Philip Venables CIRO, Goldman, Sachs<br />
Moderator: Mahi Dontamsetti<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:30-15:30 || style="width:30%; background:#BC857A" align="left" | [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho w3af, a framework to own the web] - <br />
[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho ''Andres Riancho''], [http://www.cybsec.com/ Cybsec]<br />
<br />
| style="width:30%; background:#BCA57A" align="left" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What's_hot_for_2008 | Trends in Web Hacking: What's hot in 2008<br/>Analysis of the Web Hacking Incidents Database (WHID)]]<br />
''[http://blog.shezaf.com Ofer Shezaf], Breach''<br />
| style="width:30%; background:#7B8ABD" align="left" | Security in Agile Development<br />
''Dave Wichers, COO [http://www.aspectsecurity.com Aspect Security]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:30-16:30 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/ESAPI OWASP Enterprise Security API (ESAPI) Project]<br />
''Jeff Williams, CEO [http://www.aspectsecurity.com Aspect Security]''<br />
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms<br />
''Arshan Dabirsiaghi, Director of Research [http://www.aspectsecurity.com Aspect Security]''<br />
| style="width:30%; background:#7B8ABD" align="left" | "Threading the Needle:<br />
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks."<br />
''Arian Evans, Director of Operations [http://www.whitehatsec.com WhiteHat Security]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || style="width:30%; background:#BC857A" align="left" | Shhhh Don’t Tell Anybody<br />
''Petko D. Petkov, a.k.a. pdp''<br />
| style="width:30%; background:#BCA57A" align="left" | Secure PHP<br />
''Hans Zaunere, CEO [http://www.nyphp.com NYCPHP]''<br />
| style="width:30%; background:#7B8ABD" align="left" | Payment Card Data Security and the new Enterprise Java<br />
''Dr. B. V. Kumar & Mr. Abhay ''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-18:30 || style="width:30%; background:#BC857A" align="left" | Notes Security<br />
''Jian Hui Wang''<br />
| style="width:30%; background:#BCA57A" align="left" | Mastering PCI Section 6.6<br />
''Taylor McKinley and Jacob West''<br />
| style="width:30%; background:#7B8ABD" align="left" | AppSec Techniques<br />
''JD Glaser, CEO [http://www.ntobjectives.com/company/management.php NTO Objectives]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Web Application Capture the Flag - [http://isis.poly.edu/projects Polytechnic University] & OWASP Chapter Leader Meeting - '''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 20:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | ''' Speaker/Attendee Reception'''<br />
|-<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 8:00-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Breakfast @ Tech-Expo <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 0900-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | [http://www.aeispeakers.com/speakerbio.php?SpeakerID=1192 Prof. Howard A. Schmidt, CISSP, CISM (Hon.)] |<br />
Current (ISC)² Security Strategist and Former White House Cyber Security Advisor <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-11:00 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling<br />
''John Steven''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://reversebenchmarking.com Open Reverse Benchmarking Project]<br />
''Marce Luck & Tom Stracener''<br />
| style="width:30%; background:#7B8ABD" align="left" | Building Usable Security<br />
''Zed Abbadi''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:00-12:00 || style="width:30%; background:#BC857A" align="left" | Offshoring Application Development? Security is Still Your Problem<br />
''Rohyt Belani''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP Orizon Project<br />
''Paolo Perego''<br />
| style="width:30%; background:#7B8ABD" align="left" | NIST SAMATE Static Analysis Tool Exposition (SATE)<br />
''Vadim Okun''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || style="width:30%; background:#BC857A" align="left" | The Art and Nature of Web Application Security<br />
''Mano Paul CEO [http://www.expresscertifications.com Express Certifications]''<br />
| style="width:30%; background:#BCA57A" align="left" | Software Liability<br />
''Jack Danahy''<br />
| style="width:30%; background:#7B8ABD" align="left" | Cross-Site Scripting Filter Evasion<br />
''Alexios Fakos''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-14:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Projects "Dinis Cruz & OWASP Project Leaders"<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:00-15:00 || style="width:30%; background:#BC857A" align="left" | Projects with OWASP<br />
''Steve Malson''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP Pantera Advances<br />
''Simon Roses Femerling''<br />
| style="width:30%; background:#7B8ABD" align="left" | Software-as-a-Service (SaaS)<br />
''James Landis''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-16:00 || style="width:30%; background:#BC857A" align="left" | "Out of Band" Injection<br />
''Vijay Akasapu & Marshall Heilman''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth<br />
''Christian Heinrich''<br />
| style="width:30%; background:#7B8ABD" align="left" | Caution, Java ahead<br />
''Jeremiah Grossman CTO [http://www.whitehatsec.com WhiteHat Security]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:00-17:00 || style="width:30%; background:#BC857A" align="left" | [[Input validation: the Good, the Bad and the Ugly]]<br />
''[[Johan Peeters]]''<br />
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)<br />
''Ayal Yogev & Yuval Baror''<br />
| style="width:30%; background:#7B8ABD" align="left" | Learning the .Net Debugging API<br />
''Kevin Spett''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || style="width:30%; background:#BC857A" align="left" | Secure System Development Life Cycle (SSDLC) Methodology for SOA<br />
''Ken Huang''<br />
| style="width:30%; background:#BCA57A" align="left" | Web Security Education using Open Source Tools<br />
''Prof. Li-Chiou Chen & Chienitng Lin''<br />
| style="width:30%; background:#7B8ABD" align="left" | Friend or Foe: Penetration Testing VS Source Code Analysis<br />
''Tom Ryan''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Closing Remarks / CTF Awards / Raffles'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 21:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Farewell dinner.. Go secure the world'''<br />
|}<br />
<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
== Technology Pavilion - September 24th and 25th ==<br />
<br />
Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th there will be 2 full days of exhibits by service providers and manufacturers from around the world.<br />
<br />
<hr><br />
<br />
== [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Jason Rouse, Sr. Consultant, [http://www.cigital.com/training/series https://www.owasp.org/images/b/be/Cigital_OWASP.GIF]''' <br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:<br />
# Java EE security overview,<br />
# All coding examples and recommendations are specifically focused on Java and Java servers, and<br />
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.<br />
<br />
[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]<br />
'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675<br />
|-<br />
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T6. Application Security Forensics - 1-Day - Sep 23rd - $675<br />
|-<br />
| style="background:#F2F2F2" | Web application forensics and incident response, requires a solid understanding of web application, security issues – this 1 day class will provide you with a crashcourse on chain of custody and issues related to dealing with a breach<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T7. Encryption Programming Using SKSML - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.<br />
<br />
This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Arshad Noor, CTO, StrongAuth Inc.''' [http://www.strongauth.com https://www.owasp.org/images/8/86/StrongAuth.jpg]<br />
|}<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
<h2> HOTELS / TRAVEL </h2><br />
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotel's in the area of the event]<br />
<br />
New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html<br />
<br />
New York City Subway & walking directions: http://www.hopstop.com/?city=newyork<br />
<br />
New York Sights & Sounds - SightsSounds<br />
<br />
New York City Travel Guide - http://www.nytoday.com/<br />
<br />
New York City Attractions - http://www.nycvisit.com<br />
<br />
New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/<br />
<br />
New York City local news: http://www.ny1news.com<br />
<br />
<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.<br />
<br />
<b>[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]</b></div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference&diff=29963OWASP NYC AppSec 2008 Conference2008-05-29T05:02:39Z<p>Danielcuthbert: /* OWASP NYC AppSec 2008 Conference Schedule – Sept 24th - Sept 25th */</p>
<hr />
<div><center>[[Image:NYC08_468x60_72_newdates.gif]]</center><br />
<br />
= OWASP NYC AppSec 2008 - September 22th-25th 2008 =<br />
Last Update: {{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}<br />
In association with: [http://www.webappsec.org WASC], [http://www.nym-infragard.us NYM InfraGard], [http://aitglobal.com AITGlobal], [http://nyphp.org/index.php NYC PHP], [http://www.nycbug.org NYCBUG], [http://www.isacany.net ISACA], [http://www.issa.org ISSA] and [http://www.pace.edu Pace University] you're invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at <b>[http://www.pace.edu/page.cfm?doc_id=16157 Pace University]</b>, located in downtown New York City at <b>One Pace Plaza New York, NY 10038.</b> Event Fees: $350 for 2 days of seminars, $675 for 1-day training classes and $1,350 for 2-day courses. [http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif] - do you want to preview the event space [http://www.flickr.com/photos/21550725@N04/sets/72157604662279903/detail Click Here]<br />
<hr><br />
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Diamond Sponsor] - [http://www.imperva.com https://www.owasp.org/images/d/de/Imperva_2color_RGB.jpg]<br><br />
<br><br />
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Platinum Sponsor] - [http://www.cenzic.com/ https://www.owasp.org/images/b/bf/CenzicLogo_RGB.gif]<br><br />
<br><br />
[https://www.owasp.org/images/6/60/NY_Sponsorship.pdf Gold & Silver Sponsors] -[http://www.accessitgroup.com/products/inspectit.php https://www.owasp.org/images/6/6d/Accessit.JPG] - [http://www.fortify.com https://www.owasp.org/images/a/ac/Fortify.jpg] - [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif] - [http://www.cigital.com/ https://www.owasp.org/images/b/be/Cigital_OWASP.GIF] - [http://www.ouncelabs.com/ https://www.owasp.org/images/6/6e/OunceLabs_logo.jpg]<br />
[http://www.proactiverisk.com https://www.owasp.org/images/9/97/Proactiverisk_logo.jpg]<br />
<br />
<br><br />
<center>[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities] -- [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-PRESS Press Registration] -- [http://www.owasp.org/index.php/Member_Offers Other OWASP Member Offers] </center> <br />
<hr><br />
<br />
== OWASP NYC AppSec 2008 Conference Schedule – Sept 24th - Sept 25th ==<br />
{| style="width:80%" border="0" align="center"<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 1 – Sept 24th, 2008<br />
|-<br />
| style="width:10%; background:#7B8ABD" | || style="width:30%; background:#BC857A" | Track 1: <br />
| style="width:30%; background:#BCA57A" | Track 2: <br />
| style="width:30%; background:#7B8ABD" | Track 3: <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 08:00-09:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Registration Opens and Tech Expo'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 09:15-10:15 || colspan="3" style="width:80%; background:#F2F2F2" align="center" | Introduction, OWASP Version 3.0 where we are.. where we are going <br />
''OWASP Foundation Board Jeff Williams, Tom Brennan, Dinis Cruz, Sebastien Deleersnyder & Dave Wichers''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:30-11:30 || style="width:30%; background:#BC857A" align="left" | Logic Attacks and Inefficiencies of Robotic Detection<br />
''Robert "RSnake" Hansen CEO [http://www.sectheory.com SecTheory]''<br />
| style="width:30%; background:#BCA57A" align="left" | Offensive Assessing Financial Apps<br />
''Daniel Cuthbert''<br />
| style="width:30%; background:#7B8ABD" align="left" | Web Intrusion Detection with ModSecurity <br />
''Ivan Ristic''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:30-12:30 || style="width:30%; background:#BC857A" align="left" | Reverse Engineering .NET<br />
''Adam Boulton''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz] 0.1 - 1.1: [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Building a Java Fuzzer for the Web]<br />
''[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Yiannis_Pavlosoglou Yiannis Pavlosoglou] - Senior Director - [http://www.ouncelabs.com Ounce Labs] ''<br />
| style="width:30%; background:#7B8ABD" align="left" | [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LIVE CD] <br />
''Joshua Perrymon - CEO [http://www.packetfocus.com Packetfocus]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:30-13:30 || style="width:30%; background:#BC857A" align="left" | [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-GunterOllmann Multidisciplinary Bank Attacks]<br />
''Gunter Ollmann, Director Security Strategy, [http://www.iss.net IBM Internet Security Systems]''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP CLASP<br />
''Pravir Chandra''<br />
| style="width:30%; background:#7B8ABD" align="left" | Shootout at the Blackbox Corral <br />
''Dinis Cruz & Larry Suto''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:30-14:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Collective Intelligence - Jennifer Bayuk-CISO Bear Stearns, Mark Clancy EVP CitiGroup, Jim Routh CISO DTCC, Sunil Seshadri CISO NYSE-Euronet, Warren Axelrod SVP Bank of America, Joe Bernik Royal Bank of Scotland & Philip Venables CIRO, Goldman, Sachs<br />
Moderator: Mahi Dontamsetti<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:30-15:30 || style="width:30%; background:#BC857A" align="left" | [https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho w3af, a framework to own the web] - <br />
[https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference-SPEAKER-Andres_Riancho ''Andres Riancho''], [http://www.cybsec.com/ Cybsec]<br />
<br />
| style="width:30%; background:#BCA57A" align="left" | [[AppSecEU08_Trends_in_Web_Hacking_Incidents:_What's_hot_for_2008 | Trends in Web Hacking: What's hot in 2008<br/>Analysis of the Web Hacking Incidents Database (WHID)]]<br />
''[http://blog.shezaf.com Ofer Shezaf], Breach''<br />
| style="width:30%; background:#7B8ABD" align="left" | Security in Agile Development<br />
''Dave Wichers, COO [http://www.aspectsecurity.com Aspect Security]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:30-16:30 || style="width:30%; background:#BC857A" align="left" | [http://www.owasp.org/index.php/ESAPI OWASP Enterprise Security API (ESAPI) Project]<br />
''Jeff Williams, CEO [http://www.aspectsecurity.com Aspect Security]''<br />
| style="width:30%; background:#BCA57A" align="left" | Next Generation Cross Site Scripting Worms<br />
''Arshan Dabirsiaghi, Director of Research [http://www.aspectsecurity.com Aspect Security]''<br />
| style="width:30%; background:#7B8ABD" align="left" | "Threading the Needle:<br />
Bypassing web application/service security controls using Encoding, Transcoding, Filter Evasion, and other Canonicalization Attacks."<br />
''Arian Evans, Director of Operations [http://www.whitehatsec.com WhiteHat Security]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:30-17:30 || style="width:30%; background:#BC857A" align="left" | Shhhh Don’t Tell Anybody<br />
''Petko D. Petkov, a.k.a. pdp''<br />
| style="width:30%; background:#BCA57A" align="left" | Secure PHP<br />
''Hans Zaunere, CEO [http://www.nyphp.com NYCPHP]''<br />
| style="width:30%; background:#7B8ABD" align="left" | Payment Card Data Security and the new Enterprise Java<br />
''Dr. B. V. Kumar & Mr. Abhay ''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:30-18:30 || style="width:30%; background:#BC857A" align="left" | Notes Security<br />
''Jian Hui Wang''<br />
| style="width:30%; background:#BCA57A" align="left" | Mastering PCI Section 6.6<br />
''Taylor McKinley and Jacob West''<br />
| style="width:30%; background:#7B8ABD" align="left" | AppSec Techniques<br />
''JD Glaser, CEO [http://www.ntobjectives.com/company/management.php NTO Objectives]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Web Application Capture the Flag - [http://isis.poly.edu/projects Polytechnic University]'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 20:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | ''' Speaker/Attendee Reception'''<br />
|-<br />
! colspan="4" align="center" style="background:#4058A0; color:white" | Day 2 – Sept 25th, 2008<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 8:00-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | Breakfast @ Tech-Expo <br />
|-<br />
| style="width:10%; background:#7B8ABD" | 0900-10:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''"We have all the tools, policies, frameworks, documents, community support available what works... what does not?" ' Industry Panel: Arian J. Evans, Jeremiah Grossman, Gunter Ollmann, Ofer Shezaf, Moderator: Daniel Cuthbert''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 10:00-11:00 || style="width:30%; background:#BC857A" align="left" | Practical Advanced Threat Modeling<br />
''John Steven''<br />
| style="width:30%; background:#BCA57A" align="left" | [http://reversebenchmarking.com Open Reverse Benchmarking Project]<br />
''Marce Luck & Tom Stracener''<br />
| style="width:30%; background:#7B8ABD" align="left" | Building Usable Security<br />
''Zed Abbadi''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 11:00-12:00 || style="width:30%; background:#BC857A" align="left" | Offshoring Application Development? Security is Still Your Problem<br />
''Rohyt Belani''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP Orizon Project<br />
''Paolo Perego''<br />
| style="width:30%; background:#7B8ABD" align="left" | NIST SAMATE Static Analysis Tool Exposition (SATE)<br />
''Vadim Okun''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 12:00-13:00 || style="width:30%; background:#BC857A" align="left" | The Art and Nature of Web Application Security<br />
''Mano Paul CEO [http://www.expresscertifications.com Express Certifications]''<br />
| style="width:30%; background:#BCA57A" align="left" | Software Liability<br />
''Jack Danahy''<br />
| style="width:30%; background:#7B8ABD" align="left" | Cross-Site Scripting Filter Evasion<br />
''Alexios Fakos''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 13:00-14:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | OWASP Projects "Dinis Cruz & OWASP Project Leaders"<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 14:00-15:00 || style="width:30%; background:#BC857A" align="left" | Projects with OWASP<br />
''Steve Malson''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP Pantera Advances<br />
''Simon Roses Femerling''<br />
| style="width:30%; background:#7B8ABD" align="left" | Software-as-a-Service (SaaS)<br />
''James Landis''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 15:00-16:00 || style="width:30%; background:#BC857A" align="left" | "Out of Band" Injection<br />
''Vijay Akasapu & Marshall Heilman''<br />
| style="width:30%; background:#BCA57A" align="left" | OWASP V2 Testing Guide 4.2.3 Spidering and Googling in depth<br />
''Christian Heinrich''<br />
| style="width:30%; background:#7B8ABD" align="left" | Caution, Java ahead<br />
''Jeremiah Grossman CTO [http://www.whitehatsec.com WhiteHat Security]''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 16:00-17:00 || style="width:30%; background:#BC857A" align="left" | [[Input validation: the Good, the Bad and the Ugly]]<br />
''[[Johan Peeters]]''<br />
| style="width:30%; background:#BCA57A" align="left" | Flash Parameter Injection (FPI)<br />
''Ayal Yogev & Yuval Baror''<br />
| style="width:30%; background:#7B8ABD" align="left" | Learning the .Net Debugging API<br />
''Kevin Spett''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 17:00-18:00 || style="width:30%; background:#BC857A" align="left" | Secure System Development Life Cycle (SSDLC) Methodology for SOA<br />
''Ken Huang''<br />
| style="width:30%; background:#BCA57A" align="left" | Web Security Education using Open Source Tools<br />
''Prof. Li-Chiou Chen & Chienitng Lin''<br />
| style="width:30%; background:#7B8ABD" align="left" | Friend or Foe: Penetration Testing VS Source Code Analysis<br />
''Tom Ryan''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 18:30 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Closing Remarks / CTF Awards / Raffles'''<br />
|-<br />
| style="width:10%; background:#7B8ABD" | 21:00 || colspan="3" style="width:80%; background:#C2C2C2" align="center" | '''Farewell dinner.. Go secure the world'''<br />
|}<br />
<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
== Technology Pavilion - September 24th and 25th ==<br />
<br />
Want to see the latest offerings from technology product and service firms, visit the Technology Pavilion. On September 24th and 25th there will be 2 full days of exhibits by service providers and manufacturers from around the world.<br />
<br />
<hr><br />
<br />
== [https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference_Training OWASP NYC AppSec 2008 Training Courses - September 22nd and 23rd, 2008] ==<br />
{| style="width:80%" border="0" align="center"<br />
! align="center" style="background:#4058A0; color:white" | T1. Defensive Programming - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This class will teach you how to program defensively. A must for developers, managers, testers and security professionals. Learn the latest techniques to build attack resistant code, protect from current and future vulnerabilities and how to secure an application from both implementation bugs and design flaws. The instructor Pravir Chandra is well known security expert, project lead for OWASP CLASP project and former co-founder & CTO of secure software [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Pravir Chandra, Project Lead OWASP [[:Category:OWASP_CLASP_Project | CLASP]] Project, Principal Consultant, [http://www.cigital.com https://www.owasp.org/images/b/be/Cigital_OWASP.GIF]''' <br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T2. Secure Coding for Java EE - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | This course is similar to Aspect's Building and Testing Secure Web Applications except it includes a significant amount of Java focused content, including:<br />
# Java EE security overview,<br />
# All coding examples and recommendations are specifically focused on Java and Java servers, and<br />
# 3 additional hands on coding labs where the students find and then fix security vulnerabilities in a Java EE application developed for the class.<br />
<br />
[[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]<br />
'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T3. Web Services and XML Security - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | The movement towards Web Services and Service Oriented architecture (SOA) paradigms requires new security paradigms to deal with new risks posed by these architectures. This session takes a pragmatic approach towards identifying Web Services security risks and selecting and applying countermeasures to the application, code, web servers, databases, application, and identity servers and related software. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Gunnar Peterson''' [http://www.arctecgroup.net https://www.owasp.org/images/b/bf/Arctec.jpg]<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T4. Advanced Web Application Security Testing - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Course Overview While all developers need to know the basics of web application security testing, application security specialists will want to know all the advanced techniques for finding and diagnosing security problems in applications. Aspect’s Advanced Web Application Security Testing training is based on a decade of work verifying the security of critical applications. The course is taught by an experienced application security practitioner in an interactive manner. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T5. Leading the Development of Secure Applications 1-Day - Sept 22nd- $675<br />
|-<br />
| style="background:#F2F2F2" | In this one-day management session you’ll get the answers to the ten key questions that most CIOs and development managers face when trying to improve security in the development process. The course provides proven techniques and valuable lessons learned that can be applied to projects at any phase of their application’s lifecycle. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
Instructor: This tutorial is provided by longtime OWASP contributor: [http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]'''<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T6. Application Security Forensics - 1-Day - Sep 23rd - $675<br />
|-<br />
| style="background:#F2F2F2" | Web application forensics and incident response, requires a solid understanding of web application, security issues – this 1 day class will provide you with a crashcourse on chain of custody and issues related to dealing with a breach<br />
|-<br />
! align="center" style="background:#4058A0; color:white" | T7. Encryption Programming Using SKSML - 2-Days - $1350<br />
|-<br />
| style="background:#F2F2F2" | Application developers are increasingly required to protect sensitive data through encryption. While there are many libraries that can assist with cryptography, there are few to none that focus on encryption key management.<br />
<br />
This class will introduce you to an OASIS standards protocol - Symmetric Key Services Markup Language (SKSML) - and show you how it can be used to securely encrypt sensitive data and manage encryption keys across the enterprise. [[:Category:OWASP_AppSec_Conference_Training | Learn More Here]]<br />
<br />
Instructor: Arshad Noor, CTO, StrongAuth Inc.''' [http://www.strongauth.com https://www.owasp.org/images/8/86/StrongAuth.jpg]<br />
|}<br />
<center>[http://guest.cvent.com/i.aspx?4W,M3,828ca6d1-1b60-4105-8034-d344700e6956 https://www.owasp.org/images/7/7f/Register.gif]</center><br />
<br />
<h2> HOTELS / TRAVEL </h2><br />
[http://maps.google.com/maps?near=Pace+Plz,+New+York,+NY+10038+(Pace+University+New+York+Cmps)&geocode=15467452012610799558,40.711640,-74.005820&q=hotel&f=l&dq=Pace+University-New+York&ie=UTF8&z=15&om=0 Hotel's in the area of the event]<br />
<br />
New York City MTA: http://www.mta.nyc.ny.us/nyct/index.html<br />
<br />
New York City Subway & walking directions: http://www.hopstop.com/?city=newyork<br />
<br />
New York Sights & Sounds - SightsSounds<br />
<br />
New York City Travel Guide - http://www.nytoday.com/<br />
<br />
New York City Attractions - http://www.nycvisit.com<br />
<br />
New York TV Show Tickets - Get free tickets to TV shows! - http://www.nytix.com/<br />
<br />
New York City local news: http://www.ny1news.com<br />
<br />
<h2>EVENT SPONSORSHIP </h2>The OWASP Conferences & Training security technologists including CSOs,admins, application admins, MIS directors, homeland defense chiefs. These important influencers drive buying decisions exclusive access to its audiences. OWASP has established strategic relationships with security—print publications, newsletters, portals, consultants,message—and leadership positioning OWASP events. OWASP’s mission is supported by organizations who share our application, and software security communities. This approach should be part of your mix.<br />
<br />
<b>[https://www.owasp.org/images/9/98/NY_Sponsorship_Form.pdf Sponsorship Opportunities]- Register online: [http://guest.cvent.com/i.aspx?4W,M3,09e3b490-ba93-4474-851e-be803b1a01c2 click here]</b></div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert&diff=29410OWASP NYC AppSec 2008 Conference-daniel-cuthbert2008-05-15T13:37:51Z<p>Danielcuthbert: </p>
<hr />
<div>[[Image:Daniel_cuthbert.jpg|thumb|100px|frame|left|Daniel Cuthbert]]<br />
<br />
<br />
Daniel is a Principal Consultant at [http://www.corsaire.com Corsaire] and has been involved with OWASP since the start in 2001. He started the OWASP Testing Project with Mark Curphey and helped the project grow to what it is today. Through security roles in investment banks, technology firms, global media organisations and security consultancies he has been researching, and involved with, web application security for a decade. Daniel has worked on a wide range of projects to ensure that the development life cycle is secure and the resulting applications are robust and can withstand today’s attacks. <br />
<br />
Outside of security, he is a published Fashion and Documentary Photographer.</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert&diff=29409OWASP NYC AppSec 2008 Conference-daniel-cuthbert2008-05-15T13:30:20Z<p>Danielcuthbert: </p>
<hr />
<div>[[Image:https://www.owasp.org/index.php/Image:Daniel_cuthbert.jpg]]<br />
<br />
'''Daniel Cuthbert'''<br />
<br />
Daniel is a Principal Consultant at [http://www.corsaire.com Corsaire] and has been involved with OWASP since the start in 2001. He started the OWASP Testing Project with Mark Curphey and helped the project grow to what it is today. Through security roles in investment banks, technology firms, global media organisations and security consultancies he has been researching, and involved with, web application security for a decade. Daniel has worked on a wide range of projects to ensure that the development life cycle is secure and the resulting applications are robust and can withstand today’s attacks. <br />
<br />
Outside of security, he is a published Fashion and Documentary Photographer.</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=OWASP_NYC_AppSec_2008_Conference-daniel-cuthbert&diff=29408OWASP NYC AppSec 2008 Conference-daniel-cuthbert2008-05-15T13:29:17Z<p>Danielcuthbert: New page: Image:https://www.owasp.org/images/d/d2/Daniel_cuthbert.jpg '''Daniel Cuthbert''' Daniel is a Principal Consultant at [http://www.corsaire.com Corsaire] and has been involved with OW...</p>
<hr />
<div>[[Image:https://www.owasp.org/images/d/d2/Daniel_cuthbert.jpg]]<br />
<br />
'''Daniel Cuthbert'''<br />
<br />
Daniel is a Principal Consultant at [http://www.corsaire.com Corsaire] and has been involved with OWASP since the start in 2001. He started the OWASP Testing Project with Mark Curphey and helped the project grow to what it is today. Through security roles in investment banks, technology firms, global media organisations and security consultancies he has been researching, and involved with, web application security for a decade. Daniel has worked on a wide range of projects to ensure that the development life cycle is secure and the resulting applications are robust and can withstand today’s attacks. <br />
<br />
Outside of security, he is a published Fashion and Documentary Photographer.</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:Daniel_cuthbert.jpg&diff=29407File:Daniel cuthbert.jpg2008-05-15T13:23:42Z<p>Danielcuthbert: uploaded a new version of "Image:Daniel cuthbert.jpg"</p>
<hr />
<div>Self Portrait</div>Danielcuthberthttps://wiki.owasp.org/index.php?title=File:Daniel_cuthbert.jpg&diff=29404File:Daniel cuthbert.jpg2008-05-15T13:20:58Z<p>Danielcuthbert: Self Portrait</p>
<hr />
<div>Self Portrait</div>Danielcuthbert