This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Category:OWASP Application Security Assessment Standards Project"
(→Current Project Status:) |
|||
(22 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
+ | {| | ||
+ | |- | ||
+ | ! width="700" align="center" | <br> | ||
+ | ! width="500" align="center" | <br> | ||
+ | |- | ||
+ | | align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] | ||
+ | | align="right" | | ||
+ | |||
+ | |} | ||
+ | ==== Main ==== | ||
+ | |||
+ | The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed and what level of assessment is appropriate based on business requirement. | ||
+ | |||
+ | == Project Roadmap == | ||
+ | |||
+ | {{:OWASP Application Security Assessment Standards Project/Roadmap | Project Roadmap}} | ||
+ | |||
+ | == Project Contributors == | ||
+ | |||
+ | The Application Security Assessment Standards project leader is [[:User:Matteo_Michelini|Matteo Michelini]] of Lutech SpA. | ||
+ | |||
+ | ==== Project About ==== | ||
+ | |||
+ | {{:Projects/OWASP Application Security Assessment Standards Project | Project About}} | ||
+ | |||
+ | ==== OLD_PAGE ==== | ||
+ | |||
Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach. | Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach. | ||
Line 36: | Line 63: | ||
== Current Project Status: == | == Current Project Status: == | ||
+ | '''OWASP Organization Backing''' | ||
+ | |||
+ | * Minimal feedback - Need Leadership Backing. | ||
'''Phase I – Project Approach:''' | '''Phase I – Project Approach:''' | ||
Line 43: | Line 73: | ||
'''Phase II - Definitions:''' | '''Phase II - Definitions:''' | ||
− | * Define Common Business Application Types – | + | * Define Common Business Application Types – '''Need Input.''' |
− | * Define Security Assessment Types – | + | * Define Security Assessment Types – '''Need Input.''' |
'''Phase III – Assessment Context:''' | '''Phase III – Assessment Context:''' | ||
− | * Define Standard Application Assessment Process – Need | + | * Define Standard Application Assessment Process – '''Stub Started - Need Input.''' |
* Define Standard Assessment Scope Per Application Type – Need Stub | * Define Standard Assessment Scope Per Application Type – Need Stub | ||
* Define Standard Testing Boundaries For Application Assessments – Need Stub | * Define Standard Testing Boundaries For Application Assessments – Need Stub | ||
* Define Business End Preparation For Application Assessment – Need Stub | * Define Business End Preparation For Application Assessment – Need Stub | ||
* Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub | * Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub | ||
− | * Establish Baseline Assessor Qualifications And Evaluation Criteria – Need | + | * Establish Baseline Assessor Qualifications And Evaluation Criteria – '''Stub Started - Need Input.''' |
+ | |||
+ | '''Phase IV – Assessment Levels:''' | ||
+ | |||
+ | ''[ Suggest Establishment of Definitions and Context prior to commencement ]'' | ||
+ | |||
+ | * Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.). | ||
+ | * Create assessment levels based on previous Phase II and III objectives. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level. | ||
+ | * Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective. | ||
+ | * Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed. | ||
Also refer to project Roadmap. | Also refer to project Roadmap. | ||
Line 59: | Line 98: | ||
== Feedback and Participation == | == Feedback and Participation == | ||
− | We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to [email protected]. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page. | + | We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to [email protected]. To join the OWASP Assessment Standards mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-appsec-standards subscription page.] |
== Project Contributers == | == Project Contributers == | ||
Line 73: | Line 112: | ||
* Vinay Bansal, Cisco Systems | * Vinay Bansal, Cisco Systems | ||
− | + | * Imre Kertesz, KoreLogic Security | |
− | |||
− | |||
+ | __NOTOC__ <headertabs /> | ||
− | [[Category:OWASP Project]] | + | [[Category:OWASP Project|Application Security Assessment Standards Project]] |
+ | [[Category:OWASP_Document]] | ||
+ | [[Category:OWASP_Alpha_Quality_Document]] |
Latest revision as of 02:30, 29 July 2014
|
|
---|---|
Main
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed and what level of assessment is appropriate based on business requirement.
Project Roadmap
- Define the Application Security Assessment procedure into a Vulnerability Management procedure. Every step of the Application Security Assessment process should make some outputs related to Vulnerabilities/Risk related to the application.
- Define how to prioritize WebApp Vulnerabilities working with CWE mapping and scoring systems as CWSS (referring to OWASP TOP 10)
- Define a process of App Security Assessment that is Threat/Vulnerability Centric and that contains at least the following milestones:
- Use OWASP ASVS in order to define the AS-IS of the application validation process using the following techniques:
- Maturity Model (referring to OWASP SAMM Project)
- Attack Surface of the Application (referring to OWASP Code Review Project)
- Threat Modeling of the Application (referring to OWASP Code Review Project)
- WAPT/Code Review/VA (referring to OWASP Testing/Code Review Projects)
- Use OWASP ASVS in order to define the TO-BE of the application validation process.
- For each level definable as TO-BE of the application validation process define how to implement
- Processes:
- SSDLC (Referring to OWASP Development Guide)
- Code Review (referring to OWASP Code Review Project and OWASP SAMM)
- WAPT (referring to OWASP Testing Guide and OWASP SAMM)
- Technical Projects:
- OWASP ESAPI
- OWASP AppSensor
- Processes:
- Practical Examples
- Demo on how to implement ESAPI/AppSensor in a production project
- Tips on how to implement an Application Security Assessment Process into a production environment
- Use OWASP ASVS in order to define the AS-IS of the application validation process using the following techniques:
Project Contributors
The Application Security Assessment Standards project leader is Matteo Michelini of Lutech SpA.
Project About
PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
OLD_PAGE
Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.
Objective
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:
- Where practical, attempt to “standardize” nomenclature and definitions for common business application types.
- Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types.
- Define standard application assessment process in SWIM flow chart.
- Define standard assessment scope per application type.
- Define standard testing boundaries for application assessments.
- Define what is needed on business end to prepare for application assessment.
- Establish where in SDLC should assessment steps be defined/conducted.
- Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria.
- Establish a common set of application assessment levels:
- Define degree of assessment depth per level
- Define testing components required per level
- Establish level of tool usage/type vs. hands on assessment per level
- Establish linkages between level results and security metrics derived
- Establish linkages between levels and Security Maturity Models
- Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.
- Document integration/linkages to other OWASP projects.
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments.
Current Project Status:
OWASP Organization Backing
- Minimal feedback - Need Leadership Backing.
Phase I – Project Approach:
- Minimal feedback obtained. Contributors jumped in.
Phase II - Definitions:
- Define Common Business Application Types – Need Input.
- Define Security Assessment Types – Need Input.
Phase III – Assessment Context:
- Define Standard Application Assessment Process – Stub Started - Need Input.
- Define Standard Assessment Scope Per Application Type – Need Stub
- Define Standard Testing Boundaries For Application Assessments – Need Stub
- Define Business End Preparation For Application Assessment – Need Stub
- Establish Where In SDLC Should Assessment Steps Be Defined/Conducted – Need Stub
- Establish Baseline Assessor Qualifications And Evaluation Criteria – Stub Started - Need Input.
Phase IV – Assessment Levels:
[ Suggest Establishment of Definitions and Context prior to commencement ]
- Establish assessment level system common terminology and decision criteria - Included is analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).
- Create assessment levels based on previous Phase II and III objectives. Define assessment depth, testing components required, and level of tool usage/type (not product names) of tools used per level.
- Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, other documented national standards defined as component of first Phase III objective.
- Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.
Also refer to project Roadmap.
Feedback and Participation
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to [email protected]. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page.
Project Contributers
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at [email protected].
Key contributors:
- Bob Austin, KoreLogic Security
- Jeff Williams, Aspect Security
- Vinay Bansal, Cisco Systems
- Imre Kertesz, KoreLogic Security
Pages in category "OWASP Application Security Assessment Standards Project"
The following 6 pages are in this category, out of 6 total.