This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Category:OWASP Application Security Verification Standard Project

From OWASP
Revision as of 18:20, 19 April 2009 by Deleted user (talk | contribs)


About

OWASP Documentation Project

Application Security Verification Standards (ASVS)

Application Security Verification Standards are specifications produced by OWASP in cooperation with secure applications developers and verifiers worldwide for the purpose of accelerating the deployment of secure web applications. First published in 2008 as a result of an OWASP Summer of Code grant and meetings with a small group of early adopters, the ASVS documents have become widely referenced and implemented.

Further development of ASVS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please contact us.

Application Security Verification Standards

Application Security Verification Providers

  • A registry of verification providers can be found here

How ASVS Works

ASVS defines four levels of application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that are being used.

[Figure: ASVS levels (Asvs-levels.jpg)]


Latest News

FAQ

More About OWASP ASVS

Related projects

Web Application

Web Application Verification Standard

This document defines four levels of application security verification for web applications. Each level includes a set of requirements for verifying the effectiveness of security controls that protect applications.

Release Version

Beta Version

  • Web Application Verification Standard 2008 (PDF, Word)

Alpha Version

  • Web Application Verification Standard 2008 (PDF, Word)


This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.


Web Service, Other Editions

Web Service Edition of ASVS - First release is under development

  • Details will be filled in as work progresses. Volunteers wanted!
  • Contact Mike Boberski for further details.

Cloud Computing Edition of ASVS - Under consideration

Client Server Edition of ASVS - Under consideration

Providers

About Verification Providers

One of the main objectives of the ASVS is to provide a basis for specifying web application security verification requirements in contracts. The OWASP Secure Software Contract Annex has in fact been updated to make use of the ASVS. Where can you go to find a business that you can call on to perform an OWASP ASVS verification? The answer is here. This page provides a registry of businesses that perform application security verifications according to OWASP ASVS. These businesses are called “verification providers”.

Verification providers listed on this page have made a commitment to perform application security verifications according to OWASP ASVS requirements. Verification providers listed below are not accredited by OWASP. Neither their products nor their services have been endorsed by OWASP. OWASP has also not made a determination as to the businesses' quality or competency in performing services. Businesses are under no obligation to seek inclusion in the list below in order to perform application security verifications according to OWASP ASVS.

How to Add Your Company to the Verification Provider Registry

Verification providers listed on this page have made a commitment to make a good faith effort to resolve any consumer complaints that are specific to their use of the OWASP ASVS to perform application security verifications. This verification provider registry is made available to OWASP Organizational Supporters as an Organizational Supporter benefit.

Contact: Mike Boberski. Provide the following information:

  • Company name and web site URL
  • Company mailing address
  • Point of contact's name
  • Point of contact's phone number
  • Point of contact's email address
  • ASVS Levels that your company performs (Select one or more: 1A, 1B, 2A, 2B, 3, 4)

How to File a Complaint Against a Registered Verification Provider

If you are a customer of a verification provider listed below, and if a verification report provided to you does not include the required content according to OWASP ASVS reporting requirements, you can enlist the OWASP Foundation to forward a complaint on your behalf to the verification provider.

Contact: Kate Hartman. Provide the following information:

  • Your name and phone number.
  • The name of the verification provider
  • The targeted OWASP ASVS Level
  • Which verification report section(s) are missing

In some cases, OWASP may contact you for additional information about your complaint. OWASP will then forward the complaint to the company involved. Occasionally, OWASP may be unable to obtain any cooperation from the company. In extreme cases, OWASP may de-list the verification provider from the registry in this article. Please note that we only take complaints on companies that are OWASP Organizational Supporters.

Verification Providers

Booz Allen Hamilton
8283 Greensboro Drive
McLean, Virginia  22102-3828
POC: Mr. Mike Boberski
Phone: (703) 377-0456
Email: Mike Boberski
ASVS Levels Available: 1A, 1B, 2A, 2B

News

Project News

  • 04/08/2009 - OWASP ASVS users and adopters list updated to include ps_testware.
  • 03/13/2009 - OWASP ASVS is presented by Dave Wichers at OWASP Software Assurance Day DC 2009 in conjunction with the Software Assurance Forum sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.
  • 02/25/2009 - OWASP ASVS proposed updates based on pilots being considered.
  • 12/08/2008 - OWASP ASVS Final assistance required! Please join the mailing list for more information and assignments.
  • 10/03/2008 - OWASP ASVS Alpha draft is released! Mike Boberski is the primary author.

Contributors/Users

Project Leader

Project Contributors

Project Sponsorship

[Images: Aspect logo.jpg, Bah-bw.JPG, SoC 08 Logo Mike Project.jpg]

Users and Adopters

Pilots are already underway at various companies and agencies around the globe. A broad range of companies and agencies around the globe are also using OWASP ASVS, including:

Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached at [email protected]. Thanks for supporting OWASP!


This project is licensed under the Creative Commons Attribution ShareAlike 3.0 license.

Articles Below - More About ASVS and Using It