This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Application Security Assessment Standards Project"

From OWASP
Jump to: navigation, search
(Initial population)
Line 1: Line 1:
The OWASP Application Assessment Standards project is...
+
Currently there is a lack of standardization over what constitutes an application security assessment.  With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment.  The standards should be flexible in design to accommodate a range of security assurance levels.  The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.
  
The [[OWASP Application Security Assessment Standards Project Roadmap]] details the mission, tasks, and schedule. You can join the project by...
+
== Objective ==
  
==Assessment Standards==
+
The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements.  The following are seen as key tasks in order to meet this objective:
  
Background information here, overview of standards, and links to the rest of the project's articles.
+
- Where practical, attempt to “standardize” nomenclature and definitions for common business application types.
 +
 
 +
- Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types.
 +
 
 +
- Define standard application assessment process in SWIM flow chart.
 +
 
 +
- Define standard assessment scope per application type.
 +
 
 +
- Define standard testing boundaries for application assessments.
 +
 
 +
- Define what is needed on business end to prepare for application assessment.
 +
 
 +
- Establish where in SDLC should assessment steps be defined/conducted.
 +
 
 +
- Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria.
 +
 
 +
- Establish a common set of application assessment levels:
 +
 
 +
  - Define degree of assessment depth per level
 +
  - Define testing components required per level
 +
  - Establish level of tool usage/type vs. hands on assessment per level
 +
  - Establish linkages between level results and security metrics derived
 +
  - Establish linkages between levels and Security Maturity Models
 +
 
 +
- Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.
 +
 
 +
- Document integration/linkages to other OWASP projects.
 +
 
 +
This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments. 
 +
 
 +
== Feedback and Participation ==
 +
 
 +
We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to [email protected].  To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page.
 +
 
 +
== Project Contributer ==
 +
 
 +
The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at [email protected].
 +
 
 +
Key contributors:
 +
- Bob Austin, KoreLogic Security
 +
- Jeff Williams, Aspect Security
  
 
[[Category:OWASP Project]]
 
[[Category:OWASP Project]]

Revision as of 10:28, 24 July 2006

Currently there is a lack of standardization over what constitutes an application security assessment. With no single set of criteria being referenced, it is suggested that OWASP establish a set of standards defining and establishing a baseline approach to conducting differing types/levels of application security assessment. The standards should be flexible in design to accommodate a range of security assurance levels. The standards should not be viewed as placing requirements on any party. Rather, the standards should make recommendations about what should be done to be consistent with what the OWASP community believes is best practice. Adhering to the standards should help increase end user organization confidence that assessments meet an industry agreed-upon approach.

Objective

The Project’s primary objective is to establish common, consistent methods for application security assessments standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements. The following are seen as key tasks in order to meet this objective:

- Where practical, attempt to “standardize” nomenclature and definitions for common business application types.

- Where practical, attempt to “standardize” nomenclature and definitions of the differing security assessment types.

- Define standard application assessment process in SWIM flow chart.

- Define standard assessment scope per application type.

- Define standard testing boundaries for application assessments.

- Define what is needed on business end to prepare for application assessment.

- Establish where in SDLC should assessment steps be defined/conducted.

- Where practical, attempt to “standardize” skills nomenclature and establish baseline assessor qualifications and evaluation criteria.

- Establish a common set of application assessment levels:

 - Define degree of assessment depth per level
 - Define testing components required per level
 - Establish level of tool usage/type vs. hands on assessment per level
 - Establish linkages between level results and security metrics derived
 - Establish linkages between levels and Security Maturity Models 

- Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed.

- Document integration/linkages to other OWASP projects.

This project will not define how to technically to conduct an assessment (refer to OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards which provide guidance in conducting such assessments.

Feedback and Participation

We hope you find the OWASP Application Security Assessment Standards Project useful. Please contribute back to the project by sending your comments, questions, and suggestions to [email protected]. To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page.

Project Contributer

The Assessment Standards project lead is Cliff Barlow of KoreLogic Security. He can be reached at [email protected].

Key contributors: - Bob Austin, KoreLogic Security - Jeff Williams, Aspect Security