Difference between revisions of "ESAPI Assurance"
From OWASP
Previous revision, edit summary: (New page: == Building an Assurance Case for ESAPI == * consider adopting software facts label * identify third-party software * discuss coding practices that were followed, skill levels of develo...)
Current revision, edit summary: (→Building an Assurance Case for ESAPI)

Line 2 (unchanged at line 2):
  * consider adopting software facts label
+ http://swaconsortium.org/projects/softwareFacts/softwareFacts.html
  * identify third-party software

Line 10 (now line 11):
  * links to DHS web sites and documents
+
+ == Coding Practices ==
+
+ * was OWASP Top Ten followed?
+
+ * how was performance and security balanced?
+
+ * what is the level of training of the developers? amount of experience in web development?
+
+ * were tools part of the whole process or run at the end?
+
+ * how was code repository prevented from unauthorized alterations?
+
+ * practices for code check-in and independent review - how is introduction of Trojans avoided?
Revision as of 14:42, 11 December 2008
Building an Assurance Case for ESAPI
- consider adopting software facts label
  - http://swaconsortium.org/projects/softwareFacts/softwareFacts.html
- identify third-party software
- discuss coding practices that were followed, skill levels of developers, amount of independent review
- publish scanning tool results
- links to DHS web sites and documents
Coding Practices
- was OWASP Top Ten followed?
- how was performance and security balanced?
- what is the level of training of the developers, and how much experience do they have in web development?
- were tools part of the whole process or run at the end?
- how was the code repository protected against unauthorized alterations?
- what practices govern code check-in and independent review, and how is the introduction of Trojans avoided?