This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Corporate Application Security Rating Guide
This project has been discontinued and has therefore been marked Inactive by the OWASP Global Projects Committee.
PROJECT IDENTIFICATION | |
---|---|
Project Name | OWASP Corporate Application Security Rating Guide Project |
Short Project Description | This project will organize and structure publicly available data that large companies share about the lessons learned in building an application security initiative, best practices for training and testing, and more. The analysis draws on publicly available data such as interviews, presentations and briefings, and the project links to all source material used in creating the rating. The rating covers application security awareness and training; defining security requirements and verification for each application; establishing a dedicated application security team and a process for responding to security issues; and allocating points to each of these. |
Email Contacts | SoC's Project Leader: Parvathy Iyer |
Project Contributors (if applicable) | Name&Email (not filled in) |
Mailing List | Subscribe / Use |
First Reviewer | Neal Kirschner |
Second Reviewer | Omar Sherin |
OWASP Board Member | Name&Email (not filled in) |
SPONSORS & GUIDELINES | |
---|---|
Sponsor | OWASP Summer of Code 2008 (Sponsored Project/Guidelines/Roadmap) |
ASSESSMENT AND REVIEW PROCESS | Author's Self-Evaluation (Alpha Quality & further) | First Reviewer (Alpha Quality & further) | Second Reviewer (Beta Quality & further) | OWASP Board Member (Release Quality only) |
---|---|---|---|---|
50% Review | Objectives & deliveries reached? Yes/No (to update). See&Edit: 50% Review/Self-Evaluation (A) | Objectives & deliveries reached? Yes/No (to update). See&Edit: 50% Review/1st Reviewer (C) | Objectives & deliveries reached? Yes/No (to update). See&Edit: 50% Review/2nd Reviewer (E) | X |
Final Review | Objectives & deliveries reached? Yes/No (to update). Status reached: Season of Code (to update). See&Edit: Final Review/Self-Evaluation (B) | Objectives & deliveries reached? Yes/No (to update). Status reached: Season of Code (to update). See&Edit: Final Review/1st Reviewer (D) | Objectives & deliveries reached? Yes/No (to update). Status reached: Season of Code (to update). See&Edit: Final Review/2nd Reviewer (F) | Objectives & deliveries reached? Yes/No (to update). Status reached: Season of Code (to update). See&Edit: Final Review/Board Member (G) |
OWASP is building a directory of public application security claims from a variety of organizations. All the information referenced must be on the company's public website or some other reputable source of information, such as a public interview of the company's CSO.
Note that this is a survey of what companies claim, not of what they actually do. The purpose is to gain insight into how the software market is changing. In addition, we hope that this effort will encourage organizations to disclose their application security practices.
Characteristics
Organizations have been rated on the following five characteristics:
1. The organization has established an ongoing application security awareness and training program.
   - The training program must ensure that software developers, architects, and testers have been exposed to application security and understand how to find and prevent the common vulnerabilities. Leaders and managers must also be trained in how to lead projects and teams to produce secure applications.
2. The organization defines security requirements for each application.
   - The organization must define application security requirements for each application based on an understanding of the threat model for the business. These requirements are used to drive security through the software development process and are verified as part of the testing and acceptance processes.
3. The organization verifies the security of all applications.
   - All of the company's applications (including internal applications) receive some level of scrutiny to verify security and check for common vulnerabilities before they are deployed, and at least yearly thereafter. The most critical applications must receive a detailed code review and penetration test, while less critical applications must receive at least an automated security scan.
4. The organization has established a dedicated application security team.
   - The organization has an application security team that provides expert application security support to development projects across the software development lifecycle. In particular, the team helps with security requirements, threat modeling, architecture reviews, code reviews, and penetration testing.
5. The organization has established a clear process for responding to security issues.
   - The organization provides a working point of contact for all application security issues. The organization must have a defined process for handling issues through to their conclusion, and it must follow that process.
Scoring
Each characteristic is rated according to the following scheme, and the organization's score is the sum over the five characteristics:
- Full (2 points)
  - All parts of the characteristic are specifically mentioned in the public materials.
- Partial (1 point)
  - Some parts of the characteristic are mentioned in the public materials.
- None (0 points)
  - The public materials have been thoroughly researched and do not demonstrate the characteristic.
- Unknown (0 points)
  - The claims on this subject have not yet been investigated.
Template
Here is the wiki-table row template for a new entry: the first cell links to the organization, each of the five rating cells links to the public source that supports the rating, and the last cell is the total score.
|- | [http://www.foobar.com FooBar] | [http://www.foobar.com/asfasf Full] | [http://www.foobar.com/asfasf Partial] | None | [http://www.foobar.com/asfasf Partial] | [http://www.foobar.com/asfasf Full] | 6
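As an added example, not part of the original wiki page, the following Python script parses entry rows in the template format above (and the plain `Org | rating | ... | score |` form used in the tables below), applies the scoring scheme (Full = 2, Partial = 1, None = 0, Unknown = 0), and checks each row's declared total against the computed one. Because the page requires every claim to be backed by a public source, it can also flag Full or Partial ratings that carry no source link. The `ExampleCorp` row and its URLs are constructed for this example.

```python
"""Rating-row checker for the OWASP Corporate Application Security Rating scheme.

Added example, not the project's own code.  It parses the wiki-table template
row (`|- | [url Org] | [url Full] | ... | 6`) or a plain pipe-separated row,
scores it under the page's scheme, and reports inconsistencies.
"""
import re

# Points per rating label, exactly as the page's Scoring section defines them.
POINTS = {"Full": 2, "Partial": 1, "None": 0, "Unknown": 0}

# A linked cell looks like "[http://example.com Label]"; a bare cell is just "Label".
LINK_RE = re.compile(r"^\[(\S+)\s+(.+?)\]$")


def parse_cell(cell):
    """Return (label, source_url_or_None) for one table cell."""
    cell = cell.strip()
    m = LINK_RE.match(cell)
    if m:
        return m.group(2).strip(), m.group(1)
    return cell, None


def parse_row(row):
    """Split a template row or plain table row into org, five ratings and declared score."""
    text = row.strip()
    if text.startswith("|-"):          # wikitext row marker from the template
        text = text[2:].strip()
    if text.startswith("|"):
        text = text[1:]
    if text.endswith("|"):             # trailing pipe in the rendered tables
        text = text[:-1]
    cells = [c.strip() for c in text.split("|")]
    if len(cells) != 7:
        raise ValueError(f"expected 7 cells (org, 5 ratings, score), got {len(cells)}")
    org, org_url = parse_cell(cells[0])
    ratings = []
    for cell in cells[1:6]:
        label, url = parse_cell(cell)
        if label not in POINTS:
            raise ValueError(f"unknown rating {label!r} for {org}")
        ratings.append((label, url))
    return {"org": org, "url": org_url, "ratings": ratings, "declared": cells[6]}


def score(ratings):
    """Sum the points of the five (label, url) ratings."""
    return sum(POINTS[label] for label, _ in ratings)


def check_row(row, require_sources=True):
    """Return (org, computed_score, problems) for one row.

    problems lists a declared/computed mismatch and, when require_sources is
    set, any Full or Partial rating that has no supporting source link.
    """
    entry = parse_row(row)
    computed = score(entry["ratings"])
    problems = []
    if entry["declared"] != str(computed):
        problems.append(f"declared score {entry['declared']!r} != computed {computed}")
    if require_sources:
        for i, (label, url) in enumerate(entry["ratings"], start=1):
            if label in ("Full", "Partial") and url is None:
                problems.append(f"characteristic {i}: {label} has no source link")
    return entry["org"], computed, problems


# The page's own template row (2 + 1 + 0 + 1 + 2 = 6, every claim linked).
TEMPLATE_ROW = (
    "|- | [http://www.foobar.com FooBar] | [http://www.foobar.com/asfasf Full] | "
    "[http://www.foobar.com/asfasf Partial] | None | [http://www.foobar.com/asfasf Partial] | "
    "[http://www.foobar.com/asfasf Full] | 6"
)

# Constructed row: total is overstated (2 + 1 + 0 + 0 + 2 = 5, not 6) and two
# claims have no source link.
BAD_ROW = (
    "|- | [http://example.com ExampleCorp] | Full | Partial | Unknown | None | "
    "[http://example.com/security Full] | 6"
)

# Plain rendered-table form, as in the Software Vendors table on this page.
ORACLE_ROW = "Oracle | Full | None | Partial | None | Full | 5 |"

if __name__ == "__main__":
    for row in (TEMPLATE_ROW, BAD_ROW):
        org, total, problems = check_row(row)
        print(org, total, problems or "ok")
    print(check_row(ORACLE_ROW, require_sources=False))
```

Running the script reports FooBar as consistent, lists the score mismatch and the two unlinked claims for the constructed ExampleCorp row, and confirms Oracle's published total of 5 under the scheme.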
Software Vendors
This table should be used for companies selling software products.
Organization | 1. Awareness | 2. Requirements | 3. Verification | 4. AppSec Team | 5. Response | Score |
---|---|---|---|---|---|---|
Microsoft | Full | Full | Full | Full | Full | 10 |
Oracle | Full | None | Partial | None | Full | 5 |
Foobar | Full | Full | Full | Full | Full | ? |
Commercial Companies
This table is for companies that do not sell software, but develop custom software for internal and external web applications, web services, and other software.
Organization | 1. Awareness | 2. Verification | 3. AppSec Team | 4. SDLC | 5. Responsibility | Score |
---|---|---|---|---|---|---|
Example | Partial | Unknown | Unknown | Unknown | Unknown | 1 |