This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ESAPI Assurance"
From OWASP
(→Building an Assurance Case for ESAPI) |
(→Building an Assurance Case for ESAPI) |
||
| Line 19: | Line 19: | ||
* "Arguing Security - Creating Security Assurance Cases" | * "Arguing Security - Creating Security Assurance Cases" | ||
| − | https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/assurance/643-BSI.html | + | https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/assurance/643-BSI.html |
== Coding Practices == | == Coding Practices == | ||
Revision as of 14:52, 11 December 2008
Building an Assurance Case for ESAPI
- summary: make Claims, provide supporting Evidence, and make Arguments for how the evidence supports the claims
- Highest level claim is "The system is Acceptably Secure" but how to break this down into sub-claims that map to the provided evidence? e.g. absence of specific vulns (as investigated by manual testing or tool scans)
- "Software Facts Label"
http://swaconsortium.org/projects/softwareFacts/softwareFacts.html
- each language (Java, ASP, etc.) may need separate claims
- list the third-party software
- discuss coding practices that were followed, skill levels of developers, amount of independent review
- publish scanning tool results
- links to DHS web sites and documents
- "Arguing Security - Creating Security Assurance Cases"
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/assurance/643-BSI.html
Coding Practices
- was OWASP Top Ten followed?
- how was performance and security balanced?
- what is the level of training of the developers? amount of experience in web development?
- were tools part of the whole process or run at the end?
- how was code repository prevented from unauthorized alterations?
- practices for code check-in and independent review - how is introduction of Trojans avoided?
