OWASP Application Security Assessment Standards Project/Roadmap

• Define the Application Security Assessment procedure into a Vulnerability Management procedure. Every step of the Application Security Assessment process should make some outputs related to Vulnerabilities/Risk related to the application.
• Define how to prioritize WebApp Vulnerabilities working with CWE mapping and scoring systems as CWSS (referring to OWASP TOP 10)
• Define a process of App Security Assessment that is Threat/Vulnerability Centric and that contains at least the following milestones:
  • Use OWASP ASVS in order to define the AS-IS of the application validation process using the following techniques:
    • Maturity Model (referring to OWASP SAMM Project)
    • Attack Surface of the Application (referring to OWASP Code Review Project)
    • Threat Modeling of the Application (referring to OWASP Code Review Project)
    • WAPT/Code Review/VA (referring to OWASP Testing/Code Review Projects)
  • Use OWASP ASVS in order to define the TO-BE of the application validation process.
  • For each level definable as TO-BE of the application validation process define how to implement
    • Processes:
      • SSDLC (Referring to OWASP Development Guide)
      • Code Review (referring to OWASP Code Review Project and OWASP SAMM)
      • WAPT (referring to OWASP Testing Guide and OWASP SAMM)
    • Technical Projects:
      • OWASP ESAPI
      • OWASP AppSensor
  • Practical Examples
    • Demo on how to implement ESAPI/AppSensor in a production project
    • Tips on how to implement an Application Security Assessment Process into a production environment

>>>>A diagram which describes at high level the idea of the Application Security Process from initial assessment to final mitigation and review.