Top 10 2010-What's Next For Verifiers - Revision history

Wichers at 17:40, 22 April 2010

2010-04-22T17:40:17Z

Wichers at 17:03, 22 April 2010

2010-04-22T17:03:30Z

Wichers at 17:00, 22 April 2010

2010-04-22T17:00:35Z

Neil Smithline at 20:25, 21 April 2010

2010-04-21T20:25:46Z

Neil Smithline: moved Top 10 2010-Verifiers to Top 10 2010-What's Next For Verifiers

2010-04-20T16:52:13Z

moved Top 10 2010-Verifiers to Top 10 2010-What's Next For Verifiers

Neil Smithline: moved Top 10 2010-+V to Top 10 2010-Verifiers

2010-04-20T16:51:53Z

moved Top 10 2010-+V to Top 10 2010-Verifiers

Neil Smithline at 16:51, 20 April 2010

2010-04-20T16:51:20Z

Neil Smithline: Created page with '{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}} {{Top_…'

2010-04-20T16:50:29Z

Created page with '{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}} {{Top_…'

New page

{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}

{{Top_10_2010:SubsectionColoredTemplate|Get Organized|
To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application’s code (if available), and test the application as well. OWASP recommends a combination of security code review and application penetration testing whenever possible, as that allows you to leverage the strengths of both techniques, and the two approaches complement each other. Tools for assisting the verification process can improve the efficiency and effectiveness of an expert analyst. OWASP’s assessment tools are focused on helping an expert become more effective, rather than trying to automate the analysis process itself.

Standardizing How You Verify Web Application Security: To help organizations develop consistency and a defined level of rigor when assessing the security of web applications, OWASP has produced the [http://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS)]. This document defines a minimum verification standard for performing web application security assessments. OWASP recommends that you use the ASVS as guidance for not only what to look for when verifying the security of a web application, but also which techniques are most appropriate to use, and to help you define and select a level of rigor when verifying the security of a web application. OWASP also recommends you use the ASVS to help define and select any web application assessment services you might procure from a third party provider.

Assessment Tools Suite: The [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project] has pulled together some of the best open source security tools into a single bootable environment. Web developers, testers, and security professionals can boot from this Live CD and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.}}

{{Top_10_2010:SubsectionColoredTemplate|Code Review|Reviewing the code is the strongest way to verify whether an application is secure. Testing can only prove that an application is insecure.

Reviewing the Code: As a companion to the [http://www.owasp.org/index.php/Guide OWASP Developer's Guide], and the [http://www.owasp.org/index.php/Testing_Guide OWASP Testing Guide], OWASP has produced the [http://www.owasp.org/index.php/Code_Review_Guide OWASP Code Review Guide] to help developers and application security specialists understand how to efficiently and effectively review a web application for security by reviewing the code. There are numerous web application security issues, such as Injection Flaws, that are far easier to find through code review, than external testing.

Code Review Tools: OWASP has been doing some promising work in the area of assisting experts in performing code analysis, but these tools are still in their early stages. The authors of these tools use them every day when performing their security code reviews, but non-experts may find these tools a bit difficult to use. These include [http://www.owasp.org/index.php/Category:OWASP_Code_Crawler CodeCrawler], [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon], and [http://www.owasp.org/index.php/OWASP_O2_Platform O2].}}

{{Top_10_2010:SubsectionColoredTemplate|Security and Penetration Testing|
Testing the Application: OWASP produced the [http://www.owasp.org/index.php/Testing_Guide Testing Guide] to help developers, testers, and application security specialists understand how to efficiently and effectively test the security of web applications. This enormous guide, which had dozens of contributors, provides wide coverage on many web application security testing topics. Just as code review has its strengths, so does security testing. It’s very compelling when you can prove that an application is insecure by demonstrating the exploit. There are also many security issues, particularly all the security provided by the application infrastructure, that simply cannot be seen by a code review, since the application is not providing the security itself.

Application Penetration Testing Tools: [http://www.owasp.org/index.php/WebScarab WebScarab], which is one of the most widely used of all OWASP projects, is a web application testing proxy. It allows a security analyst to intercept web application requests, so the analyst can figure out how the application works, and then allows the analyst to submit test requests to see if the application responds securely to such requests. This tool is particularly effective at assisting an analyst in identifying XSS flaws, Authentication flaws, and Access Control flaws.}}
 {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}

← Older revision		Revision as of 17:40, 22 April 2010
Line 20:		Line 20:
	<b>Application Penetration Testing Tools</b>: [[WebScarab]], which is one of the most widely used of all OWASP projects, is a web application testing proxy. It allows a security analyst to intercept web application requests, so the analyst can figure out how the application works, and then allows the analyst to submit test requests to see if the application responds securely to such requests. This tool is particularly effective at assisting an analyst in identifying XSS flaws, Authentication flaws, and Access Control flaws.}}		<b>Application Penetration Testing Tools</b>: [[WebScarab]], which is one of the most widely used of all OWASP projects, is a web application testing proxy. It allows a security analyst to intercept web application requests, so the analyst can figure out how the application works, and then allows the analyst to submit test requests to see if the application responds securely to such requests. This tool is particularly effective at assisting an analyst in identifying XSS flaws, Authentication flaws, and Access Control flaws.}}
	{{Top_10_2010:BottomTemplate\|useprev=2010PrevLink\|usenext=2010NextLink\|prev=What's Next For Developers\|next=What's Next For Organizations}}		{{Top_10_2010:BottomTemplate\|useprev=2010PrevLink\|usenext=2010NextLink\|prev=What's Next For Developers\|next=What's Next For Organizations}}
		+
		+	[[Category:OWASP Top Ten Project]]

← Older revision		Revision as of 17:03, 22 April 2010
Line 5:		Line 5:
	<b>Standardizing How You Verify Web Application Security</b>: To help organizations develop consistency and a defined level of rigor when assessing the security of web applications, OWASP has produced the [[ASVS \| Application Security Verification Standard (ASVS)]]. This document defines a minimum verification standard for performing web application security assessments. OWASP recommends that you use the ASVS as guidance for not only what to look for when verifying the security of a web application, but also which techniques are most appropriate to use, and to help you define and select a level of rigor when verifying the security of a web application. OWASP also recommends you use the ASVS to help define and select any web application assessment services you might procure from a third party provider.		<b>Standardizing How You Verify Web Application Security</b>: To help organizations develop consistency and a defined level of rigor when assessing the security of web applications, OWASP has produced the [[ASVS \| Application Security Verification Standard (ASVS)]]. This document defines a minimum verification standard for performing web application security assessments. OWASP recommends that you use the ASVS as guidance for not only what to look for when verifying the security of a web application, but also which techniques are most appropriate to use, and to help you define and select a level of rigor when verifying the security of a web application. OWASP also recommends you use the ASVS to help define and select any web application assessment services you might procure from a third party provider.

−	<b>Assessment Tools Suite</b>: The [[Category:OWASP_Live_CD_Project \| OWASP Live CD Project]] has pulled together some of the best open source security tools into a single bootable environment. Web developers, testers, and security professionals can boot from this Live CD and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.}}	+	<b>Assessment Tools Suite</b>: The [[:Category:OWASP_Live_CD_Project \| OWASP Live CD Project]] has pulled together some of the best open source security tools into a single bootable environment. Web developers, testers, and security professionals can boot from this Live CD and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.}}

@@ Line 3: / Line 3: @@
 To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application’s code (if available), and test the application as well. OWASP recommends a combination of security code review and application penetration testing whenever possible, as that allows you to leverage the strengths of both techniques, and the two approaches complement each other. Tools for assisting the verification process can improve the efficiency and effectiveness of an expert analyst. OWASP’s assessment tools are focused on helping an expert become more effective, rather than trying to automate the analysis process itself.
-<b>Standardizing How You Verify Web Application Security</b>: To help organizations develop consistency and a defined level of rigor when assessing the security of web applications, OWASP has produced the [http://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS)]. This document defines a minimum verification standard for performing web application security assessments. OWASP recommends that you use the ASVS as guidance for not only what to look for when verifying the security of a web application, but also which techniques are most appropriate to use, and to help you define and select a level of rigor when verifying the security of a web application. OWASP also recommends you use the ASVS to help define and select any web application assessment services you might procure from a third party provider.
+<b>Standardizing How You Verify Web Application Security</b>: To help organizations develop consistency and a defined level of rigor when assessing the security of web applications, OWASP has produced the [[ASVS | Application Security Verification Standard (ASVS)]]. This document defines a minimum verification standard for performing web application security assessments. OWASP recommends that you use the ASVS as guidance for not only what to look for when verifying the security of a web application, but also which techniques are most appropriate to use, and to help you define and select a level of rigor when verifying the security of a web application. OWASP also recommends you use the ASVS to help define and select any web application assessment services you might procure from a third party provider.
-<b>Assessment Tools Suite</b>: The [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project] has pulled together some of the best open source security tools into a single bootable environment. Web developers, testers, and security professionals can boot from this Live CD and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.}}
+<b>Assessment Tools Suite</b>: The [[Category:OWASP_Live_CD_Project | OWASP Live CD Project]] has pulled together some of the best open source security tools into a single bootable environment. Web developers, testers, and security professionals can boot from this Live CD and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.}}
 {{Top_10_2010:SubsectionColoredTemplate|Code Review|Reviewing the code is the strongest way to verify whether an application is secure. Testing can only prove that an application is insecure.
-<b>Reviewing the Code</b>: As a companion to the [http://www.owasp.org/index.php/Guide OWASP Developer's Guide], and the [http://www.owasp.org/index.php/Testing_Guide OWASP Testing Guide], OWASP has produced the [http://www.owasp.org/index.php/Code_Review_Guide OWASP Code Review Guide] to help developers and application security specialists understand how to efficiently and effectively review a web application for security by reviewing the code. There are numerous web application security issues, such as Injection Flaws, that are far easier to find through code review, than external testing.
+<b>Reviewing the Code</b>: As a companion to the [[Guide | OWASP Developer's Guide]], and the [[Testing_Guide | OWASP Testing Guide]], OWASP has produced the [[Code_Review_Guide | OWASP Code Review Guide]] to help developers and application security specialists understand how to efficiently and effectively review a web application for security by reviewing the code. There are numerous web application security issues, such as Injection Flaws, that are far easier to find through code review, than external testing.
-<b>Code Review Tools</b>: OWASP has been doing some promising work in the area of assisting experts in performing code analysis, but these tools are still in their early stages. The authors of these tools use them every day when performing their security code reviews, but non-experts may find these tools a bit difficult to use. These include [http://www.owasp.org/index.php/Category:OWASP_Code_Crawler CodeCrawler], [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon], and [http://www.owasp.org/index.php/OWASP_O2_Platform O2].}}
+<b>Code Review Tools</b>: OWASP has been doing some promising work in the area of assisting experts in performing code analysis, but these tools are still in their early stages. The authors of these tools use them every day when performing their security code reviews, but non-experts may find these tools a bit difficult to use. These include [[:Category:OWASP_Code_Crawler | CodeCrawler]], [[:Category:OWASP_Orizon_Project | Orizon]], and [[OWASP_O2_Platform | O2]].}}
 {{Top_10_2010:SubsectionColoredTemplate|Security and Penetration Testing|
-<b>Testing the Application</b>: OWASP produced the [http://www.owasp.org/index.php/Testing_Guide Testing Guide] to help developers, testers, and application security specialists understand how to efficiently and effectively test the security of web applications. This enormous guide, which had dozens of contributors, provides wide coverage on many web application security testing topics. Just as code review has its strengths, so does security testing. It’s very compelling when you can prove that an application is insecure by demonstrating the exploit. There are also many security issues, particularly all the security provided by the application infrastructure, that simply cannot be seen by a code review, since the application is not providing the security itself.
+<b>Testing the Application</b>: OWASP produced the [[Testing Guide]] to help developers, testers, and application security specialists understand how to efficiently and effectively test the security of web applications. This enormous guide, which had dozens of contributors, provides wide coverage on many web application security testing topics. Just as code review has its strengths, so does security testing. It’s very compelling when you can prove that an application is insecure by demonstrating the exploit. There are also many security issues, particularly all the security provided by the application infrastructure, that simply cannot be seen by a code review, since the application is not providing the security itself.
-<b>Application Penetration Testing Tools</b>: [http://www.owasp.org/index.php/WebScarab WebScarab], which is one of the most widely used of all OWASP projects, is a web application testing proxy. It allows a security analyst to intercept web application requests, so the analyst can figure out how the application works, and then allows the analyst to submit test requests to see if the application responds securely to such requests. This tool is particularly effective at assisting an analyst in identifying XSS flaws, Authentication flaws, and Access Control flaws.}}
+<b>Application Penetration Testing Tools</b>: [[WebScarab]], which is one of the most widely used of all OWASP projects, is a web application testing proxy. It allows a security analyst to intercept web application requests, so the analyst can figure out how the application works, and then allows the analyst to submit test requests to see if the application responds securely to such requests. This tool is particularly effective at assisting an analyst in identifying XSS flaws, Authentication flaws, and Access Control flaws.}}
 {{Top_10_2010:BottomTemplate|useprev=2010PrevLink|usenext=2010NextLink|prev=What's Next For Developers|next=What's Next For Organizations}}

@@ Line 1: / Line 1: @@
-{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
+{{Top_10_2010:TopTemplate|useprev=2010PrevLink|usenext=2010NextLink|prev=What's Next For Developers|next=What's Next For Organizations}}
 {{Top_10_2010:SubsectionColoredTemplate|Get Organized|
 To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application’s code (if available), and test the application as well. OWASP recommends a combination of security code review and application penetration testing whenever possible, as that allows you to leverage the strengths of both techniques, and the two approaches complement each other. Tools for assisting the verification process can improve the efficiency and effectiveness of an expert analyst. OWASP’s assessment tools are focused on helping an expert become more effective, rather than trying to automate the analysis process itself.
@@ Line 21: / Line 19: @@
 <b>Application Penetration Testing Tools</b>: [http://www.owasp.org/index.php/WebScarab WebScarab], which is one of the most widely used of all OWASP projects, is a web application testing proxy. It allows a security analyst to intercept web application requests, so the analyst can figure out how the application works, and then allows the analyst to submit test requests to see if the application responds securely to such requests. This tool is particularly effective at assisting an analyst in identifying XSS flaws, Authentication flaws, and Access Control flaws.}}
-<br> {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
+{{Top_10_2010:BottomTemplate|useprev=2010PrevLink|usenext=2010NextLink|prev=What's Next For Developers|next=What's Next For Organizations}}

@@ Line 8: / Line 8: @@
 <b>Assessment Tools Suite</b>: The [http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project] has pulled together some of the best open source security tools into a single bootable environment. Web developers, testers, and security professionals can boot from this Live CD and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.}}
 {{Top_10_2010:SubsectionColoredTemplate|Code Review|Reviewing the code is the strongest way to verify whether an application is secure. Testing can only prove that an application is insecure.
@@ Line 14: / Line 15: @@
 <b>Code Review Tools</b>: OWASP has been doing some promising work in the area of assisting experts in performing code analysis, but these tools are still in their early stages. The authors of these tools use them every day when performing their security code reviews, but non-experts may find these tools a bit difficult to use. These include [http://www.owasp.org/index.php/Category:OWASP_Code_Crawler CodeCrawler], [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project Orizon], and [http://www.owasp.org/index.php/OWASP_O2_Platform O2].}}
 {{Top_10_2010:SubsectionColoredTemplate|Security and Penetration Testing|

← Older revision	Revision as of 16:52, 20 April 2010
(No difference)

← Older revision	Revision as of 16:51, 20 April 2010
(No difference)