This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Category:OWASP Application Security Verification Standard Project"
Deleted user (talk | contribs) |
Deleted user (talk | contribs) |
||
| Line 81: | Line 81: | ||
<br> | <br> | ||
[[Image:Beta_cover.JPG|thumb|90px|left|Beta Release]] | [[Image:Beta_cover.JPG|thumb|90px|left|Beta Release]] | ||
| − | Download free | + | Download free: |
| − | OWASP ASVS | + | '''OWASP ASVS - Beta (This is the current official release version)''' |
| − | * [[:Image:OWASP ASVS Web Edition 2008 Beta.pdf|PDF]] | + | * Web Application Edition ([[:Image:OWASP ASVS Web Edition 2008 Beta.pdf|PDF]], [[:Image:OWASP ASVS Web Edition 2008 Beta.doc|Word]]) |
| − | |||
| Line 100: | Line 99: | ||
<br> | <br> | ||
[[Image:Alpha_cover.JPG|thumb|90px|left|Alpha Release]] | [[Image:Alpha_cover.JPG|thumb|90px|left|Alpha Release]] | ||
| − | Download free | + | Download free: |
| − | OWASP ASVS | + | '''OWASP ASVS - Alpha''' |
| − | * [[:Image:OWASP ASVS Web Edition 2008 Alpha.pdf|PDF]] | + | * Web Application Edition ([[:Image:OWASP ASVS Web Edition 2008 Alpha.pdf|PDF]], [[:Image:OWASP ASVS Web Edition 2008 Alpha.doc|Word]]) |
| − | |||
| Line 119: | Line 117: | ||
<br> | <br> | ||
[[Image:Asvs_ppt.JPG|thumb|110px|left|Project Presentation]] | [[Image:Asvs_ppt.JPG|thumb|110px|left|Project Presentation]] | ||
| − | Download free | + | Download free: |
| − | About OWASP ASVS | + | '''About OWASP ASVS''' |
| − | * [http://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt | + | * Project Presentation ([http://www.owasp.org/images/5/52/About_OWASP_ASVS_Web_Edition.ppt PowerPoint]) |
| − | * [http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt | + | * Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) |
| − | * [http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc | + | * Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) |
| − | * [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc | + | * One Page Conference Handout ([http://www.owasp.org/index.php/Image:ASVS_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc Word]) |
Revision as of 18:20, 3 March 2009
|
This project has produced a book that can be downloaded or purchased. Feel free to browse the full catalog of available OWASP books. |
| PROJECT INFORMATION | |||||||
|---|---|---|---|---|---|---|---|
| Project Name | OWASP Application Security Verification Standard (ASVS) Project | ||||||
| Short Project Description |
| ||||||
| Key Project Information | Project Leader Mike Boberski |
Project Contributors Jeff Williams Dave Wichers |
Mailing List Subscribe here Use here |
Licensed under Creative Commons Attribution ShareAlike 3.0 |
Project Type Documentation |
Sponsors Aspect Security Booz Allen Hamilton OWASP SoC 08 | |
| Release Status | Main Links | Related Projects | |||||
|---|---|---|---|---|---|---|---|
| Web Application Edition release version: Beta Please see here for complete information. |
About OWASP ASVS: Powerpoint. |
OWASP Top Ten OWASP Legal Project OWASP Enterprise Security API (ESAPI) | |||||
| Latest Project News |
| ||||||
Overview
What is ASVS?
Whereas the OWASP Top Ten Project is a tool that provides web application security awareness, the OWASP "Application Security Verification Standard" (also known as "ASVS") is a commercially-workable open standard that defines ranges in coverage and levels of rigor that can be used to perform application security verifications. It is the very first standard that OWASP has published! There are currently versions in English.
What can ASVS be used for?
What becomes quickly apparent during procurement when attempting to capture contractual terms and conditions related to the security of web applications and web services is that specifying security analysis and testing requirements is very hard. It also becomes quickly apparent when reviewing web application and web service security verification reports that there is no way to tell the difference between someone running a grep tool, and someone doing painstaking code review and manual testing.
Both of these problems have a single root cause: the lack of a standard for performing application-level security verification that is web application and web service independent, Software Development Life Cycle (SDLC) independent, and that can be used for any application without special interpretation. The OWASP ASVS was designed to normalize the range in coverage and level of rigor available in the market when it comes to performing application security verification.
Where did ASVS come from?
The OWASP ASVS project is led by Mike Boberski (Booz Allen Hamilton). The primary authors are Mike Boberski, Jeff Williams (Aspect Security), and Dave Wichers (Aspect Security). The ASVS is the result of the collection and consolidation of decades of collective subject matter expertise in application security. If you’d like to volunteer to help on the project, you can contact Mike Boberski.
More information about the ASVS can be found here.
Announcements
- 01/22/2009 - OWASP ASVS has been integrated into the OWASP Secure Software Contract Annex in the OWASP Legal Project.
- 01/08/2009 - OWASP ASVS is presented by Mike Boberski at the OWASP Washington VA Local Chapter meeting.
- 12/29/2008 - OWASP ASVS is the subject of an article by DarkReading.
- 12/08/2008 - OWASP ASVS Final assistance required! Please join the mailing list for more information and assignments.
- 12/05/2008 - OWASP ASVS exits the Summer of Code 2008! The Beta draft of the Web Application Edition is released! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors.
- 11/03/2008 - OWASP ASVS is presented by Jeff Williams at OWASP EU Summit 2008.
- 10/03/2008 - OWASP ASVS Alpha draft is released! Mike Boberski is the primary author.
- 04/16/2008 - OWASP ASVS Summer of Code 2008 proposal submitted by Mike Boberski wins!
Methodology
How does ASVS work?
OWASP ASVS defines verification and documentation requirements that are grouped on the basis of related coverage and level of rigor. Web application security verification is performed from a logical point of view by following (or attempting to follow) paths into and out of the application and performing analysis along those paths. The Standard defines four hierarchical levels (e.g., Level 2 requires more coverage and rigor than Level 1) as depicted in the figure below.
ASVS further defines constituent components for Levels 1 and 2 (e.g., verification at Level 1 requires meeting both Level 1A and 1B requirements). Applications may claim compliance to either Level 1A or 1B instead of Level 1, but making such claims is weaker than claiming Level 1. Similarly, applications may claim compliance to either Level 2A or 2B instead of Level 2, but making such claims is weaker than claiming Level 2.
ASVS uses the terms the "verifier" and "verification". A "verifier" is the person or team that is reviewing the application against these requirements. A "verification" is an application security assessment that is performed according to ASVS requirements.
It is a verifier’s responsibility to determine if an application meets all of the requirements at the level targeted by a review. If the application meets all the requirements for that level, then it can be considered an OWASP ASVS Level N application, where N is the verification level that application complied with.
If the application does not meet all the requirements for a particular level, but does meet all the requirements for a lower level of this standard, then it can be considered to have passed that level of verification.
OWASP ASVS Beta Downloads
Download free:
OWASP ASVS - Beta (This is the current official release version)
OWASP ASVS Alpha Downloads
Download free:
OWASP ASVS - Alpha
OWASP ASVS Presentation Downloads
Download free:
About OWASP ASVS
- Project Presentation (PowerPoint)
- Executive-Level Presentation (PowerPoint)
- Presentation Abstract (Word)
- One Page Conference Handout (PDF, Word)
Feedback
Please let us know how your organization is using the OWASP ASVS. Include your name, organization's name, and brief description of how you are using the ASVS. Thanks for supporting OWASP!
We hope you find the information in the OWASP ASVS useful. Please contribute back to the project by sending your comments, questions, and suggestions to owasp-application-security-verification-standard(at)lists.owasp.org. Thanks!
To join the OWASP ASVS mailing list or view the archives, please visit the subscription page.
Project Sponsors
The OWASP ASVS project is co-sponsored by:
  
|
Click here to see this project's full SoC 2008 status.
Articles - More About ASVS and Using ASVS
Pages in category "OWASP Application Security Verification Standard Project"
The following 21 pages are in this category, out of 21 total.
H
- How to bootstrap the NIST risk management framework with verification activities
- How to bootstrap your SDLC with verification activities
- How to create verification project schedules
- How to perform a security architecture review at Level 1
- How to perform a security architecture review at Level 2
- How to specify verification requirements in contracts
- How to write verifier job requisitions
