
How to find a verification provider

From OWASP
Revision as of 04:12, 8 February 2009 by Deleted user (talk | contribs)

THIS ARTICLE IS A DRAFT 

Overview

One of the main objectives of the OWASP Application Security Verification Standard (ASVS) is to provide a basis for specifying web application security verification requirements in contracts. The OWASP Secure Software Contract Annex has in fact been updated to make use of the ASVS. Where can you go to find a business that you can call on to perform an OWASP ASVS verification? The answer is here, in this very article. This article contains a registry of businesses that perform application security verifications according to OWASP ASVS. These businesses are called “verification providers”.


Verification providers listed below have made a commitment to perform application security verifications according to OWASP ASVS requirements. Verification providers listed below are not accredited by OWASP. Neither their products nor their services have been endorsed by OWASP. OWASP has also not made a determination as to the businesses’ quality or competency in performing services. Businesses are under no obligation to seek inclusion in the list below in order to perform application security verifications according to OWASP ASVS.


How to Add Your Company to the Verification Provider Registry

Verification providers listed below have made a commitment to make a good faith effort to resolve any consumer complaints that are specific to their use of the OWASP ASVS to perform application security verifications. This verification provider registry is made available to OWASP Organizational Supporters as an Organizational Supporter benefit.


Verification providers listed below also have submitted to OWASP sample verification report templates. The outlines in the samples have been reviewed to ensure that all of the information required by OWASP ASVS reporting requirements is being included. Please see the article How to meet verification reporting requirements for more detail.


How to File a Complaint Against a Registered Verification Provider

If you are a customer of a verification provider listed below, and if a verification report provided to you does not include the required content according to OWASP ASVS reporting requirements, you can enlist the OWASP Foundation to forward a complaint on your behalf to the verification provider.


Contact: Kate Hartman.

  • Provide your name and phone number.
  • Identify the verification provider.
  • Identify the OWASP ASVS Level.
  • Identify the missing verification report section(s).


In some cases, OWASP may contact you for additional information about your complaint. OWASP will then forward the complaint to the company involved. Occasionally, OWASP may be unable to obtain any cooperation from the company. In extreme cases, OWASP may de-list the verification provider from the registry in this article. Please note that we only take complaints about companies that are OWASP Organizational Supporters.


Verification Provider Registry

Booz Allen Hamilton
8283 Greensboro Drive
McLean, Virginia  22102-3828
POC: Mr. Mike Boberski
Phone: (703) 377-0456
Email: Mike Boberski
ASVS Levels Available: 1A, 1B, 2A, 2B, 3
Markets Served: Government
Sample Report: <link to uploaded template here>