
Difference between revisions of "OWASP Application Security Assessment Standards Project Roadmap"

From OWASP
Edit summary: (Per Phase Project Objectives)
Revision as of 10:20, 24 July 2006

The Project's primary objective is to establish common, consistent application security assessment standards that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved, and what level of assessment is appropriate based on business requirements.

This project will not define how to technically conduct an assessment (refer to the OWASP Testing Project); it is instead meant to tie business operations and information management practices to application security in order to establish a common, consistent set of standards that provide guidance in conducting such assessments.

Overall Roadmap Phases

Phase I – Project Approach: Comment Period for Proposed Project Approach, Solicit Contributor Support

Phase II – Application Assessment Definitions: Establish core assessment definitions to ensure common base terminology.

Phase III – Assessment Context: Establish standard assessment context, selection, qualification and process frameworks.

Phase IV – Assessment Levels: Establish a common set of application assessment levels to be used as business guidance, ensuring that the appropriate level of assessment is conducted based on business application security requirements.

Phase V – OWASP Integration: Document integration components and linkages with existing and underway OWASP projects.

Per Phase Project Objectives

Phase I – Project Approach and Objectives
Project Objective: Solicit Contributor feedback to ensure the most effective and widely supported approach.
Target Time Frame: August, 2006
Current Status: Call for Volunteers
Contributors:
Reviewers:

Phase II – Application Assessment Definitions
Project Objective: Establish common business application and security assessment type definitions.
Target Time Frame: September, 2006
Current Status: Call for Volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Define the standard application assessment process in a SWIM flow chart.
Target Time Frame: October, 2006
Current Status: Call for Volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Define the standard assessment scope of work per application type. Includes standard testing boundaries and the requirements/needs placed upon the end user requesting the assessment.
Target Time Frame: October, 2006
Current Status: Call for Volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Plot where within the standard System Development Lifecycle (SDLC) application security assessment steps should be defined and conducted.
Target Time Frame: October, 2006
Current Status: Call for Volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Establish a common set of assessor qualifications and evaluation criteria so that end service users can determine competence per assessment type.
Target Time Frame: October, 2006
Current Status: Call for Volunteers
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Establish common terminology and decision criteria for the assessment level system. This includes analysis of potentially corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.).
Target Time Frame: December, 2006
Current Status: On hold pending the outcome of Phases I and II. Calling for future volunteers.
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Create assessment levels based on the previous Phase III objective. Define assessment depth, testing components required, and the level of tool usage and type of tools (not product names) used per level.
Target Time Frame: March, 2007
Current Status: On hold pending the outcome of Phases I and II. Calling for future volunteers.
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Document corresponding linkages between assessment levels and common security metrics, security assurance/maturity models, related legislation, and other documented national standards defined as a component of the first Phase III objective.
Target Time Frame: May, 2007
Current Status: On hold pending the outcome of Phases I and II.
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Establish guidance parameters that allow organizations to determine the appropriate assessment level based on the business application to be assessed.
Target Time Frame: May, 2007
Current Status: On hold pending the outcome of Phases I and II. Calling for future volunteers.
Contributors:
Reviewers:

Phase V – OWASP Integration
Project Objective: Document integration components and linkages with existing and underway OWASP projects.
Target Time Frame: July, 2007
Current Status: On hold pending the outcome of Phases I through III.
Contributors:
Reviewers: