This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

ESAPI Assurance

From OWASP

Revision as of 14:50, 11 December 2008 by SteveChristey (talk | contribs) (→‎Building an Assurance Case for ESAPI)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Building an Assurance Case for ESAPI

summary: make Claims, provide supporting Evidence, and make Arguments for how the evidence supports the claims

Highest level claim is "The system is Acceptably Secure" but how to break this down into sub-claims that map to the provided evidence? e.g. absence of specific vulns (as investigated by manual testing or tool scans)

"Software Facts Label"

 http://swaconsortium.org/projects/softwareFacts/softwareFacts.html

each language (Java, ASP, etc.) may need separate claims

list the third-party software

discuss coding practices that were followed, skill levels of developers, amount of independent review

publish scanning tool results

links to DHS web sites and documents

"Arguing Security - Creating Security Assurance Cases"

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/assurance/643-BSI.html

Coding Practices

was OWASP Top Ten followed?

how was performance and security balanced?

what is the level of training of the developers? amount of experience in web development?

were tools part of the whole process or run at the end?

how was code repository prevented from unauthorized alterations?

practices for code check-in and independent review - how is introduction of Trojans avoided?

Retrieved from "https://wiki.owasp.org/index.php?title=ESAPI_Assurance&oldid=48384"