
Category:OWASP Application Security Verification Standard Project

From OWASP
Revision as of 16:23, 1 December 2009 by Deleted user (talk | contribs)


About

OWASP Documentation Project

Application Security Verification Standards (ASVS)

The ASVS defines four levels of application-level security verification for Web applications. Application-level security focuses on the analysis of the components that make up the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than on, for example, the underlying operating system or connected networks. Each level described in this document includes a set of requirements for verifying the effectiveness of the security controls that protect Web applications. For more information, please contact us. You can download it here.


More About OWASP ASVS

  • ASVS Datasheet: (PDF, Word)
  • ASVS Article: Getting Started Using ASVS (PDF)
  • ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY (Wiki)
  • ASVS Article: Agile Software Development: Don't Forget EVIL User Stories (Wiki)
  • ASVS Article: Man vs. Code (Wiki)
  • ASVS Article: Getting started designing for a level of assurance (PDF)
  • ASVS Template: Sample verification fee schedule template (Excel)
  • ASVS Template: Sample verification report template (Word)
  • ASVS Presentation: Project Presentation (PowerPoint)
  • ASVS Training: An ASVS training presentation (PowerPoint)
  • ASVS Presentation: Executive-Level Presentation (PowerPoint)
  • ASVS Presentation: Presentation Abstract (Word)
  • Articles (More About ASVS and Using It)
  • Interested in translating ASVS into another language? We'd like to hear from you! Read more, here. Also in Word format here.


Did You Know...

  • Businesses are under no obligation to seek inclusion in any sort of a registry or a program in order to perform application security verifications according to OWASP ASVS. Download the latest version and start using ASVS today!
  • More complex applications typically take more time to analyze, resulting in longer and more costly verifications. Lines of code are not the only factor that determines the complexity of an application – different technologies will typically require different amounts of analysis. Simple applications may include, for example, libraries and frameworks. Applications of moderate complexity may include simple Web 1.0 applications. Complex applications may include Web 2.0 applications and new or unique Web technologies.
  • One way to introduce verification as an activity into your SDLC is depicted in the figure below.
[Figure: ASVS-SDLC.JPG, verification as an activity in the SDLC]

Download

Web Application Standard

Download ASVS now, for free, here.

Other Versions

  • Please see the ASVS Google Code repository here for other versions, including translations and other formats (Word, XML, etc.)

This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.

Precedents/Interpretations

PI-0001: Are there levels between the levels?

  • Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"?
  • Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged.
  • References: ASVS section "Application Security Verification Levels"

PI-0002: Is use of a master key simply another level of indirection?

  • Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection?
  • Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection.
  • References: ASVS verification requirement V2.14
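One way to realise the rationale above in code, as an added example that is not part of the ASVS or of this page: every secret at rest is stored only as AES-GCM ciphertext under a single master key that lives elsewhere (HSM, KMS or OS keystore), so the store itself holds nothing in plaintext. The store type, helper names and entry names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type sealed struct{ nonce, ct []byte } // one secret at rest: AES-GCM ciphertext + nonce
// SecretStore holds every application secret only as ciphertext under the
// master key, the one key that is kept in a secure location (HSM, KMS, keystore).
type SecretStore map[string]sealed

func gcm(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one secret. The entry name is bound in as associated data,
// so a ciphertext copied to a different entry will not decrypt.
func (s SecretStore) Seal(masterKey []byte, name string, secret []byte) error {
	aead, err := gcm(masterKey)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per secret
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s[name] = sealed{nonce, aead.Seal(nil, nonce, secret, []byte(name))}
	return nil
}

// Open decrypts one secret. It fails closed on a wrong master key, a
// tampered ciphertext, or a ciphertext moved under another entry name.
func (s SecretStore) Open(masterKey []byte, name string) ([]byte, error) {
	e, ok := s[name]
	if !ok {
		return nil, errors.New("no such secret: " + name)
	}
	aead, err := gcm(masterKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.nonce, e.ct, []byte(name))
}
```

Compromise of the store alone yields nothing usable; only the single master key needs the strong protection, which is the point PI-0002 makes.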

PI-0003: What is a "TOV" or "Target of Verification"?

  • Issue: New terminology
  • Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the “Target of Verification” or simply the TOV. The TOV should be identified in verification documentation as follows:
    • TOV Identification – <name and version of the application> or <Application name>, <application version>, dynamic testing was performed in a staging environment, not the production environment
    • TOV Developer – <insert name of the developer or verification customer>
  • References: ASVS section "Approach"

News

Project News

  • 06/22/2009 - OWASP ASVS rulesets are added to Casaba Security's security testing tool Watcher version 1.2.0. First tool vendor to do so!
  • 06/09/2009 - OWASP ASVS users list updated to include CGI Federal
  • 05/15/2009 - OWASP ASVS users list updated to include Denim Group
  • 04/08/2009 - OWASP ASVS users list updated to include ps_testware.
  • 03/13/2009 - OWASP ASVS is presented by Dave Wichers at OWASP Software Assurance Day DC 2009 in conjunction with the Software Assurance Forum sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.
  • 02/25/2009 – OWASP ASVS proposed updates based on pilots being considered.
  • 12/08/2008 - OWASP ASVS Final assistance required! Please join the mailing list for more information and assignments.
  • 10/03/2008 - OWASP ASVS Alpha draft is released! Mike Boberski is the primary author.

Users/Contributors

Project Leader

Project Contributors

Project Sponsorship

[Sponsor logos: Aspect logo.jpg, Bah-bw.JPG, SoC 08 Logo Mike Project.jpg]

Users

A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including:

Organizations listed above are not accredited by OWASP. Neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing an internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard.

Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached here.


This project is licensed under the Creative Commons Attribution ShareAlike 3.0.

Articles Below - More About ASVS and Using It