How to specify verification requirements in contracts - Revision history

Deleted user at 04:45, 8 February 2009

2009-02-08T04:45:44Z

Deleted user at 19:27, 22 January 2009

2009-01-22T19:27:21Z

Deleted user at 18:58, 22 January 2009

2009-01-22T18:58:29Z

Deleted user at 18:57, 22 January 2009

2009-01-22T18:57:42Z

Deleted user at 02:17, 30 December 2008

2008-12-30T02:17:14Z

Jeff Williams at 15:08, 20 December 2008

2008-12-20T15:08:05Z

Jeff Williams at 15:07, 20 December 2008

2008-12-20T15:07:18Z

Jeff Williams at 15:05, 20 December 2008

2008-12-20T15:05:31Z

Deleted user: First draft of article

2008-12-11T20:22:18Z

First draft of article

Deleted user: New page: If you are specifying web application security verification requirements in contracts, you can use the OWASP ASVS to do so. … The author of this article can be reached at boberski_mich...

2008-12-11T18:11:52Z

New page: If you are specifying web application security verification requirements in contracts, you can use the OWASP ASVS to do so. … The author of this article can be reached at boberski_mich...

New page

If you are specifying web application security verification requirements in contracts, you can use the OWASP ASVS to do so.

…

The author of this article can be reached at boberski_michael(at)bah.com

Good luck!

[[Category:OWASP Application Security Verification Standard Project]]
[[Category:OWASP Legal Project]]

{{Stub}}

← Older revision		Revision as of 04:45, 8 February 2009
Line 5:		Line 5:


−	The contract annex and this article have been place in the public domain to facilitate use in private contracts. The [[OWASP Secure Software Contract Annex]] ~~can be~~ updated to make use of the [[OWASP Application Security Verification Standard]] as follows:	+	The contract annex and this article have been place in the public domain to facilitate use in private contracts. The [[OWASP Secure Software Contract Annex]] has been updated to make use of the [[OWASP Application Security Verification Standard]] as follows:
−

−	~~Simply, update 9(e) to read:~~
−

	''9(e) Security Analysis and Testing.'' Developer will perform		''9(e) Security Analysis and Testing.'' Developer will perform

← Older revision		Revision as of 19:27, 22 January 2009
Line 11:		Line 11:


−	''9(e) Security Analysis and Testing. Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of an agreed-upon standard (such as the OWASP ASVS). The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.''	+	''9(e) Security Analysis and Testing.'' Developer will perform
		+	application security analysis and testing (also called
		+	"verification") according to the verification requirements of
		+	an agreed-upon standard (such as the OWASP ASVS). The
		+	Developer shall document verification findings according to
		+	the reporting requirements of the standard. The Developer
		+	shall provide the verification findings to Client.

← Older revision		Revision as of 18:58, 22 January 2009
Line 11:		Line 11:


−	''9(e) Security Analysis and Testing. Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of an agreed-upon standard. The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.''	+	''9(e) Security Analysis and Testing. Developer will perform application security analysis and testing (also called "verification") according to the verification requirements of an agreed-upon standard (such as the OWASP ASVS). The Developer shall document verification findings according to the reporting requirements of the standard. The Developer shall provide the verification findings to Client.''

@@ Line 1: / Line 1: @@
-If you are specifying web application security verification requirements in contracts, you can use the [[OWASP Application Security Verification Standard]] (ASVS) to do so. One approach is to start with the [[OWASP Secure Software Contract Annex]]. The Annex helps software buyers and vendors discuss security and capture the important terms. '''Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.''' The contract annex and this article have been place in the public domain to facilitate use in private contracts.
+If you are specifying web application security verification requirements in contracts, you can use the [[OWASP Application Security Verification Standard]] (ASVS) to do so. One approach is to start with the [[OWASP Secure Software Contract Annex]]. The Annex helps software buyers and vendors discuss security and capture the important terms.
-One of the best things you can do to facilitate communication between a software buyer and seller is to agree on the technical security requirements for the application and how they will be verified.  The ASVS is a simple way to require all this simply by specifying a level from 1 to 4.
+'''Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.'''
-The [[OWASP Secure Software Contract Annex]] can be updated to make use of the [[OWASP Application Security Verification Standard]] as follows:
+The contract annex and this article have been place in the public domain to facilitate use in private contracts. The [[OWASP Secure Software Contract Annex]] can be updated to make use of the [[OWASP Application Security Verification Standard]] as follows:
-*Update section 3 so that its contents read: ''This agreement uses predefined levels that define ranges in coverage and levels of rigor as defined in the the OWASP Application Security Verification Standard (ASVS). The “level of rigor” for the agreement may be selected by a software development organization by specifying an ASVS level. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels.  The breadth is defined in each level by a set of security requirements that must be addressed.  The depth of the verification is defined by the approach and level of rigor required in verifying each security requirement.''
+Simply, update 9(e) to read:

@@ Line 1: / Line 1: @@
-== How to specify verification requirements in contracts ==
+If you are specifying web application security verification requirements in contracts, you can use the [[OWASP Application Security Verification Standard]] (ASVS) to do so. One approach is to start with the [[OWASP Secure Software Contract Annex]]. The Annex helps software buyers and vendors discuss security and capture the important terms. '''Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.''' The contract annex and this article have been place in the public domain to facilitate use in private contracts.
-== Example: Using the OWASP Secure Software Contract Annex ==
+One of the best things you can do to facilitate communication between a software buyer and seller is to agree on the technical security requirements for the application and how they will be verified.  The ASVS is a simple way to require all this simply by specifying a level from 1 to 4.
-== Updating the OWASP Secure Software Contract Annex ==
+The [[OWASP Secure Software Contract Annex]] can be updated to make use of the [[OWASP Application Security Verification Standard]] as follows:
-'''Change #1:'''
+*Update section 3 so that its contents read: ''This agreement uses predefined levels that define ranges in coverage and levels of rigor as defined in the the OWASP Application Security Verification Standard (ASVS). The “level of rigor” for the agreement may be selected by a software development organization by specifying an ASVS level. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels.  The breadth is defined in each level by a set of security requirements that must be addressed.  The depth of the verification is defined by the approach and level of rigor required in verifying each security requirement.''
-''This agreement uses predefined levels that define ranges in coverage and levels of rigor as defined in the the OWASP Application Security Verification Standard (ASVS). The “level of rigor” for the agreement may be selected by a software development organization by specifying an ASVS level. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels.  The breadth is defined in each level by a set of security requirements that must be addressed.  The depth of the verification is defined by the approach and level of rigor required in verifying each security requirement.''
+*Update section 9, bullet (e) so that its contents read: ''Security Analysis and Testing. Developer agrees to provide and follow a security test plan that defines an approach for performing a level <insert ASVS level here> verification according to OWASP Application Security Verification Standard – Web Edition 2008 (Beta), December 2008. The range in coverage and level of rigor of this activity are defined in the referenced standard. Developer will execute the verification and provide the test results to Client according to the reporting requirements which are also defined in the referenced standard.''
-''In addition, the requirements shall include a set of specific vulnerabilities that shall not be found in the software. If not otherwise specified, then the software shall not include any of the flaws described in the current “OWASP Top Ten Most Critical Web Application Vulnerabilities.”''
+*Update section 10, first paragraph, so that its contents read: ''OWASP Application Security Verification Standard defines topic areas that must be considered during the risk understanding and requirements definition activities for the targeted verification level. This effort should produce a set of specific, tailored, and testable requirements. Both Developer and Client should be involved in this process and must agree on the final set of requirements. In addition, the requirements shall include a set of specific vulnerabilities that shall not be found in the software. If not otherwise specified, then the software shall not include any of the flaws described in the current “OWASP Top Ten Most Critical Web Application Vulnerabilities.”''
-In addition as part of change #3, delete section 10 bullets (a) - (j).
+In addition as part of the above change, delete section 10 bullets (a) - (j).
-'''Change #4:'''
+*Update section 11, to add a bullet (d), so that its contents read: ''Verifier. Developer will be responsible for providing a person or team to review the web application against the OWASP Application Security Verification Standard requirements.''

@@ Line 1: / Line 1: @@
 == How to specify verification requirements in contracts ==
-If you are specifying web application security verification requirements in contracts, you can use the [[OWASP Application Security Verification Standard Project]] (ASVS)to do so. One approach is to start with the OWASP Secure Software Contract Annex. The Annex helps software buyers and vendors discuss security and capture the important terms. '''Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.''' The contract annex and this article have been place in the public domain to facilitate use in private contracts.
+If you are specifying web application security verification requirements in contracts, you can use the [[OWASP Application Security Verification Standard]] (ASVS) to do so. One approach is to start with the OWASP Secure Software Contract Annex. The Annex helps software buyers and vendors discuss security and capture the important terms. '''Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.''' The contract annex and this article have been place in the public domain to facilitate use in private contracts.
 == Example: Using the OWASP Secure Software Contract Annex ==
@@ Line 42: / Line 42: @@
 [[Category:OWASP Application Security Verification Standard Project]]
 [[Category:OWASP Legal Project]]