This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Application Security Verification Standard Project"

Revision as of 14:00, 12 March 2009

About


Whereas the OWASP Top Ten Project is a tool that provides web application security awareness, the OWASP "Application Security Verification Standard" (also known as "ASVS") is a commercially workable open standard that defines ranges in coverage and levels of rigor that can be used to perform application security verifications. There are three main parts to ASVS. The requirements in ASVS define:

  • levels of application-level security verification that increase in breadth and depth as one moves up the levels;
  • verification requirements that prescribe a unique white-list approach for security controls;
  • reporting requirements that ensure reports are sufficiently detailed to make verification repeatable, and to determine whether the verification was accurate and complete.

OWASP ASVS is the first standard that OWASP has published, and ASVS is the first internationally-recognized standard for performing application security assessments! Versions are currently available in English.

What problems are intended to be solved by ASVS?

What becomes quickly apparent during procurement, when attempting to capture contractual terms and conditions related to the security of web applications and web services, is that specifying security analysis and testing requirements is very hard. It also becomes quickly apparent when reviewing web application and web service security verification reports that there is no way to tell the difference between someone running a grep tool and someone doing painstaking code review and manual testing. Both of these problems have a single root cause: the lack of a standard for performing application-level security verification that is web application and web service independent, Software Development Life Cycle (SDLC) independent, and that can be used for any application without special interpretation. The OWASP ASVS was designed to normalize the range in coverage and level of rigor available in the market when it comes to performing application security verification.


Where did ASVS come from?

The OWASP ASVS project is led by Mike Boberski (Booz Allen Hamilton). The primary authors are Mike Boberski, Jeff Williams (Aspect Security), and Dave Wichers (Aspect Security). The ASVS is the result of the collection and consolidation of decades of collective subject matter expertise in application security. If you’d like to volunteer to help on the project, you can contact Mike Boberski.


Users and Adopters

Coming soon! Pilots are already underway at various companies and agencies around the globe. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached at [email protected]. Thanks for supporting OWASP!

FAQ


This project has produced a book that can be downloaded or purchased. Feel free to browse the full catalog of available OWASP books.



More About OWASP ASVS

Project Presentation
  • Project Presentation (PowerPoint)
  • Executive-Level Presentation (PowerPoint)
  • Presentation Abstract (Word)
  • One Page Datasheet (PDF, Word)
  • Articles - More About ASVS and Using It




Related projects:


Web Application Edition

Beta Release (this is the current official release version)

Download free:
  • OWASP ASVS - Beta, Web Application Edition (PDF, Word)

Alpha Release

Download free:
  • OWASP ASVS - Alpha, Web Application Edition (PDF, Word)


Web Service Edition

Not yet available for release!

The Web Service Edition of the OWASP ASVS will make it possible to establish a level of confidence in the security of web services. It is currently under development and is not yet available for release. Please contact Mike Boberski for further details. Tentatively, the following sets of detailed verification requirements will be added to create the Web Service Edition from the Web Application Edition:


  • Negotiation of contracts
  • Trust management


Additionally, further refinements to data protection and communication security to go beyond TLS may be required. Session management requirements may go away.



News


Project News:

  • 02/25/2009 - OWASP ASVS proposed updates based on pilots being considered.
  • 12/08/2008 - OWASP ASVS final assistance required! Please join the mailing list for more information and assignments.
  • 10/03/2008 - OWASP ASVS Alpha draft is released! Mike Boberski is the primary author.


Project Mail List:
Subscribe here
Use here

Contributors/Users


Project Leader
Mike Boberski

Project Contributors
Jeff Williams
Dave Wichers


The OWASP ASVS project is co-sponsored by:

Sponsor logos: Aspect Security, Booz Allen Hamilton, OWASP Summer of Code 2008.


This project is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.