CLASP Concepts - Revision history

Jmanico at 20:33, 8 August 2016

2016-08-08T20:33:10Z

Jmanico at 20:23, 8 August 2016

2016-08-08T20:23:58Z

Jmanico at 20:22, 8 August 2016

2016-08-08T20:22:57Z

Zqc0512: /* Overview of CLASP Taxonomy */

2008-12-11T03:30:55Z

‎Overview of CLASP Taxonomy

Zqc0512: /* Overview of CLASP Taxonomy */

2008-12-11T03:28:58Z

‎Overview of CLASP Taxonomy

Pravir Chandra at 10:49, 29 May 2006

2006-05-29T10:49:08Z

Pravir Chandra at 10:38, 29 May 2006

2006-05-29T10:38:19Z

Pravir Chandra: CLASP moved to CLASP Concepts

2006-05-27T14:03:43Z

CLASP moved to CLASP Concepts

Pravir Chandra at 23:14, 25 May 2006

2006-05-25T23:14:38Z

Pravir Chandra: /* CLASP Best Practices */

2006-05-24T00:11:53Z

‎CLASP Best Practices

← Older revision		Revision as of 20:33, 8 August 2016
Line 141:		Line 141:
	The figure below shows how [[Glossary#CLASP\|CLASP]] can help secure the IT internal controls that are necessary to assure the integrity of data in financial applications within the scope of security-related software development projects.		The figure below shows how [[Glossary#CLASP\|CLASP]] can help secure the IT internal controls that are necessary to assure the integrity of data in financial applications within the scope of security-related software development projects.
	[[Image:CLASP_IT_Internal_Controls.gif\|none\|thumb\|600px\|Figure 8: How CLASP can help secure the IT internal controls that are necessary to assure the integrity of data in financial applications within the scope of security-related software development projects. Centers on Sarbanes-Oxley sections 302, 404 and 409]]		[[Image:CLASP_IT_Internal_Controls.gif\|none\|thumb\|600px\|Figure 8: How CLASP can help secure the IT internal controls that are necessary to assure the integrity of data in financial applications within the scope of security-related software development projects. Centers on Sarbanes-Oxley sections 302, 404 and 409]]
−
−	~~[[Category:OWASP CLASP Project]]~~

@@ Line 1: / Line 1: @@
 {{taggedDocument
 | type=historical
-| link=https://www.owasp.org/index.php/OWASP_SAMM_Project
+| link=OWASP_SAMM_Project
 }}

← Older revision		Revision as of 20:22, 8 August 2016
Line 1:		Line 1:
		+	{{taggedDocument
		+	\| type=historical
		+	\| link=https://www.owasp.org/index.php/OWASP_SAMM_Project
		+	}}
		+
	{{Template:SecureSoftware}}		{{Template:SecureSoftware}}

@@ Line 116: / Line 116: @@
 * '''Resources''' required for attack against vulnerabilities.
 * '''Risk assessment''' of exploitable/exploited vulnerabilities.
-* '''Avoidance and mitigation periods''' (i.e., SDLC phases) in which preventative measures and countermeasures can be applied.   yes test
+* '''Avoidance and mitigation periods''' (i.e., SDLC phases) in which preventative measures and countermeasures can be applied.
 See figure 6.
 [[Image:CLASP_Taxonomy.gif|none|thumb|600px|Figure 6: CLASP taxonomy and the relationship between its parts]]

@@ Line 116: / Line 116: @@
 * '''Resources''' required for attack against vulnerabilities.
 * '''Risk assessment''' of exploitable/exploited vulnerabilities.
-* '''Avoidance and mitigation periods''' (i.e., SDLC phases) in which preventative measures and countermeasures can be applied.
+* '''Avoidance and mitigation periods''' (i.e., SDLC phases) in which preventative measures and countermeasures can be applied.   yes test
 See figure 6.
 [[Image:CLASP_Taxonomy.gif|none|thumb|600px|Figure 6: CLASP taxonomy and the relationship between its parts]]

@@ Line 80: / Line 80: @@
 ===CLASP Best Practices===
 The foundation of CLASP is in seven key Best Practices for application security. See [[:Category:CLASP Best Practice|CLASP Best Practices]].
-# [[BP1 Institute awareness programs|Institute awareness programs]]
+# [[:Category:BP1 Institute awareness programs|Institute awareness programs]]
-# [[BP2 Perform application assessments|Perform application assessments]]
+# [[:Category:BP2 Perform application assessments|Perform application assessments]]
-# [[BP3 Capture security requirements|Capture security requirements]]
+# [[:Category:BP3 Capture security requirements|Capture security requirements]]
-# [[BP4 Implement secure development practices|Implement secure development practices]]
+# [[:Category:BP4 Implement secure development practices|Implement secure development practices]]
-# [[BP5 Build vulnerability remediation procedures|Build vulnerability remediation procedures]]
+# [[:Category:BP5 Build vulnerability remediation procedures|Build vulnerability remediation procedures]]
-# [[BP6 Define and monitor metrics|Define and monitor metrics]]
+# [[:Category:BP6 Define and monitor metrics|Define and monitor metrics]]
-# [[BP7 Publish operational security guidelines|Publish operational security guidelines]]
+# [[:Category:BP7 Publish operational security guidelines|Publish operational security guidelines]]

@@ Line 79: / Line 79: @@
 ===CLASP Best Practices===
-If security vulnerabilities built into your applications’ source code survive into production, they can become corporate liabilities with broad and severe business impact on your organization. In view of the consequences of exploited security vulnerabilities, there is no reasonable alternative to using best practices of application security as early as possible in — and throughout — your software development lifecycle. See figure 3.
+The foundation of CLASP is in seven key Best Practices for application security. See [[:Category:CLASP Best Practice|CLASP Best Practices]].
-[[Image:CLASP_Best_Practices.gif|none|thumb|600px|Figure 3: Business View of Best Practices of Software Security]]
+# [[BP1 Institute awareness programs|Institute awareness programs]]
 ==CLASP and Security Policies==

← Older revision	Revision as of 14:03, 27 May 2006
(No difference)

@@ Line 29: / Line 29: @@
 See figure 1.
-[[Image:CLASP_Views.gif|none|thumb|300px|Figure 1: CLASP Views and their interactions]]
+[[Image:CLASP_Views.gif|none|thumb|600px|Figure 1: CLASP Views and their interactions]]
 ===CLASP Resources===
@@ Line 76: / Line 76: @@
 It is recommended to understand the [[Glossary#CLASP|CLASP]] Use Cases as a bridge from the Concepts View of [[Glossary#CLASP|CLASP]] to the Vulnerability Lexicon (in the Vulnerability View) since they provide specific examples of security services becoming vulnerable in software applications
 See figure 2.
-[[Image:CLASP_Vulnerability_Use_Cases.gif|none|thumb|300px|Figure 2: Recommended position of the Use Cases within the CLASP process]]
+[[Image:CLASP_Vulnerability_Use_Cases.gif|none|thumb|600px|Figure 2: Recommended position of the Use Cases within the CLASP process]]
 ===CLASP Best Practices===
 If security vulnerabilities built into your applications’ source code survive into production, they can become corporate liabilities with broad and severe business impact on your organization. In view of the consequences of exploited security vulnerabilities, there is no reasonable alternative to using best practices of application security as early as possible in — and throughout — your software development lifecycle. See figure 3.
-[[Image:CLASP_Best_Practices.gif|none|thumb|300px|Figure 3: Business View of Best Practices of Software Security]]
+[[Image:CLASP_Best_Practices.gif|none|thumb|600px|Figure 3: Business View of Best Practices of Software Security]]
 To be effective, best practices of software application security must have a reliable process to guide a development team in creating and deploying a software application that is as resistant as possible to security vulnerabilities.
@@ Line 95: / Line 95: @@
 ==CLASP and Security Policies==
 A high-level view of [[Glossary#CLASP|CLASP]] can help increase awareness of the importance of implementing application security on these organizational levels, from the bottom up: > best practices of application-security > application-security policy > IT security policy > operations security policy > corporate security policy.
-[[Image:CLASP_and_Security_Policies.gif|none|thumb|300px|Figure 4: Interaction of CLASP and Security Policies]]
+[[Image:CLASP_and_Security_Policies.gif|none|thumb|600px|Figure 4: Interaction of CLASP and Security Policies]]
 ==What is a Security Vulnerability==
@@ Line 109: / Line 109: @@
 * Non-repudiation
 The following figure shows in which phases of the software development lifecycle a security-related vulnerability can occur and also which points in an operational system an attack can target.
-[[Image:CLASP_Vulnerabilities_SDLC_Phases.gif|none|thumb|300px|Figure 5: Vulnerabilities from Perspective of SDLC Phases]]
+[[Image:CLASP_Vulnerabilities_SDLC_Phases.gif|none|thumb|600px|Figure 5: Vulnerabilities from Perspective of SDLC Phases]]
 ==Overview of CLASP Taxonomy==
@@ Line 122: / Line 122: @@
 * '''Avoidance and mitigation periods''' (i.e., SDLC phases) in which preventative measures and countermeasures can be applied.
 See figure 6.
-[[Image:CLASP_Taxonomy.gif|none|thumb|300px|Figure 6: CLASP taxonomy and the relationship between its parts]]
+[[Image:CLASP_Taxonomy.gif|none|thumb|600px|Figure 6: CLASP taxonomy and the relationship between its parts]]
 ==Applying CLASP Components==
 This page describes a possible sequence for applying [[Glossary#CLASP|CLASP]] components, using the Sample Coding Guidelines ([[Glossary#CLASP|CLASP]] Resource E) as a basis. See figure 7.
-[[Image:CLASP_Applying_Components.gif|none|thumb|300px|Figure 7: a possible sequence for applying CLASP components]]
+[[Image:CLASP_Applying_Components.gif|none|thumb|600px|Figure 7: a possible sequence for applying CLASP components]]
 The steps below describe a possible sequence for applying [[Glossary#CLASP|CLASP]] components depicted in the figure above:
 * Read the [[Glossary#CLASP|CLASP]] Concepts View to gain an overview of the [[Glossary#CLASP|CLASP]] process.
@@ Line 139: / Line 139: @@
 A significant number of the internal controls required by the Sarbanes-Oxley Act for assurance of accurate and reliable corporate financial reporting are located in the IT area.
 The figure below shows how [[Glossary#CLASP|CLASP]] can help secure the IT internal controls that are necessary to assure the integrity of data in financial applications within the scope of security-related software development projects.
-[[Image:CLASP_IT_Internal_Controls.gif|none|thumb|300px|Figure 8: How CLASP can help secure the IT internal controls that are necessary to assure the integrity of data in financial applications within the scope of security-related software development projects. Centers on Sarbanes-Oxley sections 302, 404 and 409]]
+[[Image:CLASP_IT_Internal_Controls.gif|none|thumb|600px|Figure 8: How CLASP can help secure the IT internal controls that are necessary to assure the integrity of data in financial applications within the scope of security-related software development projects. Centers on Sarbanes-Oxley sections 302, 404 and 409]]
 [[Category:OWASP CLASP Project]]

@@ Line 85: / Line 85: @@
 Within a software development project, the [[Glossary#CLASP|CLASP]] Best Practices are the basis of all security-related software development activities — whether planning, designing or implementing — including the use of all tools and techniques that support [[Glossary#CLASP|CLASP]].
 These are the [[Glossary#CLASP|CLASP]] Best Practices:
-* [[CLASP#Institute awareness programs|Institute awareness programs]]
+* [[CLASP Best Practices#Institute awareness programs|Institute awareness programs]]
-* [[CLASP#Perform application assessments|Perform application assessments]]
+* [[CLASP Best Practices#Perform application assessments|Perform application assessments]]
-* [[CLASP#Capture security requirements|Capture security requirements]]
+* [[CLASP Best Practices#Capture security requirements|Capture security requirements]]
-* [[CLASP#Implement secure development practices|Implement secure development practices]]
+* [[CLASP Best Practices#Implement secure development practices|Implement secure development practices]]
-* [[CLASP#Build vulnerability remediation procedures|Build vulnerability remediation procedures]]
+* [[CLASP Best Practices#Build vulnerability remediation procedures|Build vulnerability remediation procedures]]
-* [[CLASP#Define and monitor metrics|Define and monitor metrics]]
+* [[CLASP Best Practices#Define and monitor metrics|Define and monitor metrics]]
-* [[CLASP#Publish operational security guidelines|Publish operational security guidelines]]
+* [[CLASP Best Practices#Publish operational security guidelines|Publish operational security guidelines]]
 ==CLASP and Security Policies==