How to write verifier job requisitions - Revision history

KirstenS: /* How to write verifier job requisitions */

2009-03-29T12:17:19Z

‎How to write verifier job requisitions

Deleted user at 01:05, 30 December 2008

2008-12-30T01:05:50Z

Deleted user at 13:58, 22 December 2008

2008-12-22T13:58:18Z

Deleted user at 13:18, 22 December 2008

2008-12-22T13:18:42Z

Brennan at 19:48, 13 December 2008

2008-12-13T19:48:46Z

Deleted user: /* Example: Software Assurance Engineer, Sr */

2008-12-13T19:05:54Z

‎Example: Software Assurance Engineer, Sr

Deleted user: New page: == How to write verifier job requisitions == If you are responsible for hiring staff to perform application security verifications, you can use OWASP ASVS to help write job requisitions....

2008-12-13T19:04:26Z

New page: == How to write verifier job requisitions == If you are responsible for hiring staff to perform application security verifications, you can use OWASP ASVS to help write job requisitions....

New page

== How to write verifier job requisitions ==

If you are responsible for hiring staff to perform application security verifications, you can use OWASP ASVS to help write job requisitions. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels. Each level requires a different skill set. Job requisitions can be written by reusing verification level requirements as skill set requirements. Examples are provided below.

== Example: Software Assurance Engineer, Jr ==

The OWASP ASVS level 1 requirements can be used to help write a job requisition for a junior-level software assurance engineer:

'''Sample Job Description:'''

''The ideal candidate will be proficient in basic system administration and application development, but not necessarily possess experience performing application security verifications. Perform automated verification of minimum risk applications. Use automated tools augmented with manual verification according to OWASP ASVS verification requirements. Perform manual verification to verify that each automated finding is correct and not a false positive. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by identifying individual or groups of source files, libraries, and/or executables. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''

== Example: Software Assurance Engineer, Mid ==

The OWASP ASVS level 2 requirements can be used to help write a job requisition for a middle-level software assurance engineer:

'''Sample Job Description:'''

''The ideal candidate will be proficient in performing application security verifications, but not necessarily according to the OWASP ASVS. Perform manual verification of applications that handle personal transactions, business-to-business transactions, process credit card information, or process personally identifiable information according to OWASP ASVS verification requirements. Run automated tools and use just manual techniques. Use automated tool results to support manual analysis. Verify that all security controls make decisions using a whitelist approach and that security controls cannot be bypassed. Perform manual penetration testing. Perform manual source code review. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components). Define components by identifying individual and groups of source files, libraries, and/or executables. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''

== Example: Software Assurance Engineer, Sr ==

The OWASP ASVS level 3 and 4 requirements can be used to help write a job requisition for a senior-level software assurance engineer:

'''Sample Job Description:'''

''
The ideal candidate will provide subject matter expertise in application security verifications, but not necessarily according to the OWASP ASVS. Perform design verification of applications that handle significant business-to-business transactions, including those that process healthcare information, implement business critical or sensitive functions, or process other sensitive assets according to OWASP ASVS verification requirements. Perform internal verification of critical applications that protect life and safety, critical infrastructure, or defense functions according to OWASP ASVS verification requirements. Ensure that security controls themselves are working correctly, and that security controls are used everywhere within the application that they need to be used to enforce application-specific policies. Ensure that secure coding practices were followed. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components), including defining the relationships between components and groups of components. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''

== Postscript ==

The author of this article can be reached at boberski_michael(at)bah.com

Good luck!

[[Category:OWASP Application Security Verification Standard Project]]

@@ Line 1: / Line 1: @@
 == How to write verifier job requisitions ==
-If you are responsible for hiring staff to perform application security verifications, you can use [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard (ASVS)] to help write job requisitions. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels. Each level requires a different skill set. Job requisitions can be written by reusing verification level requirements as skill set requirements. Examples are provided below.
+If you are responsible for hiring staff to perform application security verifications, you can use [[::Category:OWASP_Application_Security_Verification_Standard_Project |OWASP Application Security Verification Standard (ASVS)]] to help write job requisitions. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels. Each level requires a different skill set. Job requisitions can be written by reusing verification level requirements as skill set requirements. Examples are provided below.
 == Example: Verifier, Jr ==

← Older revision		Revision as of 13:58, 22 December 2008
Line 28:		Line 28:

	[[Category:OWASP Application Security Verification Standard Project]]		[[Category:OWASP Application Security Verification Standard Project]]
		+	[[Category:How To]]

← Older revision		Revision as of 13:18, 22 December 2008
Line 26:		Line 26:

	''The ideal candidate will provide subject matter expertise in application security verifications, but not necessarily according to the OWASP ASVS. Perform design verification of applications that handle significant business-to-business transactions, including those that process healthcare information, implement business critical or sensitive functions, or process other sensitive assets according to OWASP ASVS verification requirements. Perform internal verification of critical applications that protect life and safety, critical infrastructure, or defense functions according to OWASP ASVS verification requirements. Ensure that security controls themselves are working correctly, and that security controls are used everywhere within the application that they need to be used to enforce application-specific policies. Ensure that secure coding practices were followed. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components), including defining the relationships between components and groups of components. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''		''The ideal candidate will provide subject matter expertise in application security verifications, but not necessarily according to the OWASP ASVS. Perform design verification of applications that handle significant business-to-business transactions, including those that process healthcare information, implement business critical or sensitive functions, or process other sensitive assets according to OWASP ASVS verification requirements. Perform internal verification of critical applications that protect life and safety, critical infrastructure, or defense functions according to OWASP ASVS verification requirements. Ensure that security controls themselves are working correctly, and that security controls are used everywhere within the application that they need to be used to enforce application-specific policies. Ensure that secure coding practices were followed. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components), including defining the relationships between components and groups of components. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''
−
−	~~== Postscript ==~~
−
−	~~The author of this article can be reached at boberski_michael(at)bah.com~~
−
−	~~Good luck!~~

	[[Category:OWASP Application Security Verification Standard Project]]		[[Category:OWASP Application Security Verification Standard Project]]

@@ Line 1: / Line 1: @@
 == How to write verifier job requisitions ==
-If you are responsible for hiring staff to perform application security verifications, you can use [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Overview OWASP ASVS] to help write job requisitions. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels. Each level requires a different skill set. Job requisitions can be written by reusing verification level requirements as skill set requirements. Examples are provided below.
+If you are responsible for hiring staff to perform application security verifications, you can use [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard (ASVS)] to help write job requisitions. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels. Each level requires a different skill set. Job requisitions can be written by reusing verification level requirements as skill set requirements. Examples are provided below.
-== Example: Software Assurance Engineer, Jr ==
+== Example: Verifier, Jr ==
-The OWASP ASVS level 1 requirements can be used to help write a job requisition for a junior-level software assurance engineer:
+The OWASP ASVS level 1 requirements can be used to help write a job requisition for a junior-level software assurance engineer, a.k.a. a junior-level "verifier":
 '''Sample Job Description:'''
@@ Line 11: / Line 11: @@
 ''The ideal candidate will be proficient in basic system administration and application development, but not necessarily possess experience performing application security verifications. Perform automated verification of minimum risk applications. Use automated tools augmented with manual verification according to OWASP ASVS verification requirements. Perform manual verification to verify that each automated finding is correct and not a false positive.  Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by identifying individual or groups of source files, libraries, and/or executables. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''
-== Example: Software Assurance Engineer, Mid ==
+== Example: Verifier, Mid ==
-The OWASP ASVS level 2 requirements can be used to help write a job requisition for a middle-level software assurance engineer:
+The OWASP ASVS level 2 requirements can be used to help write a job requisition for a middle-level verifier:
 '''Sample Job Description:'''
@@ Line 19: / Line 19: @@
 ''The ideal candidate will be proficient in performing application security verifications, but not necessarily according to the OWASP ASVS. Perform manual verification of applications that handle personal transactions, business-to-business transactions, process credit card information, or process personally identifiable information according to OWASP ASVS verification requirements. Run automated tools and use just manual techniques. Use automated tool results to support manual analysis. Verify that all security controls make decisions using a whitelist approach and that security controls cannot be bypassed. Perform manual penetration testing. Perform manual source code review. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components). Define components by identifying individual and groups of source files, libraries, and/or executables. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''
-== Example: Software Assurance Engineer, Sr ==
+== Example: Verifier, Sr ==
-The OWASP ASVS level 3 and 4 requirements can be used to help write a job requisition for a senior-level software assurance engineer:
+The OWASP ASVS level 3 and 4 requirements can be used to help write a job requisition for a senior-level verifier:
 '''Sample Job Description:'''

@@ Line 25: / Line 25: @@
 '''Sample Job Description:'''
-''
+''The ideal candidate will provide subject matter expertise in application security verifications, but not necessarily according to the OWASP ASVS. Perform design verification of applications that handle significant business-to-business transactions, including those that process healthcare information, implement business critical or sensitive functions, or process other sensitive assets according to OWASP ASVS verification requirements. Perform internal verification of critical applications that protect life and safety, critical infrastructure, or defense functions according to OWASP ASVS verification requirements. Ensure that security controls themselves are working correctly, and that security controls are used everywhere within the application that they need to be used to enforce application-specific policies. Ensure that secure coding practices were followed. Create verification reports that detail the web application security architecture, and the results of the verification according to OWASP ASVS reporting requirements. Define web application security architectures by grouping application components into a high-level architecture (for example MVC controller components, business function components, and data layer components), including defining the relationships between components and groups of components. Analyze multiple instances of vulnerability patterns that can be traced to single root causes that can be combined into a single risk.''
 == Postscript ==