This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Category:OWASP Application Security Verification Standard Project

From OWASP

Revision as of 00:28, 2 January 2010 by Deleted user (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Home


Start Here 1. About ASVS Video presentation (YouTube) Project presentation (PowerPoint) Data sheet (PDF, Word) 2. Get ASVS ASVS in English ASVS in French (Draft) ASVS in XML format (can generate requirements for each level, can open using Excel to create checklists) 3. Learn ASVS ASVS Article: Getting Started Using ASVS (PDF) ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY (Wiki) ASVS Article: Agile Software Development: Don't Forget EVIL User Stories (Wiki) ASVS Article: Man vs. Code (Wiki) ASVS Article: Getting started designing for a level of assurance (PDF) ASVS Template: Sample verification fee schedule template (Excel) ASVS Template: Sample verification report template (Word) ASVS Training: An ASVS training presentation (PowerPoint) ASVS Presentation: Executive-Level Presentation (PowerPoint) ASVS Presentation: Presentation Abstract (Word) Articles (More About ASVS and Using It) Got Translation Cycles? The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. Translation Onboarding Instructions.	Let's Talk Here ASVS Communities Further development of ASVS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please contact us. owasp-application-security-verification-standard mailing list (this is the main list) Glossary ASVS Terminology Access Control – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. Application Component – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. Application Security – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. Application Security Verification – The technical assessment of an application against the OWASP ASVS. Application Security Verification Report – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. Application Security Verification Standard (ASVS) – An OWASP standard that defines four levels of application security verification for applications. Authentication – The verification of the claimed identity of an application user. Automated Verification – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. Back Doors – A type of malicious code that allows unauthorized access to an application. Blacklist – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. Common Criteria (CC) – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. Communication Security – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. Design Verification – The technical assessment of the security architecture of an application. Internal Verification – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. Cryptographic module – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. Denial of Service (DOS) Attacks – The flooding of an application with more requests than it can handle. Dynamic Verification – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. Easter Eggs – A type of malicious code that does not run until a specific user input event occurs. External Systems – A server-side application or service that is not part of the application. FIPS 140-2 – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules Input Validation – The canonicalization and validation of untrusted user input. Malicious Code – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! Malware – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. Open Web Application Security Project (OWASP) – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ Output Validation – The canonicalization and validation of application output to Web browsers and to external systems. OWASP Enterprise Security API (ESAPI) – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI OWASP Risk Rating Methodology – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk OWASP Testing Guide – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Top Ten – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 Positive – See whitelist. Salami Attack – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. Security Architecture – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. Security Control – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). Security Configuration – The runtime configuration of an application that affects how security controls are used. Static Verification – The use of automated tools that use vulnerability signatures to find problems in application source code. Target of Verification (TOV) – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the “Target of Verification” or simply the TOV. Threat Modeling - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. Time Bomb – A type of malicious code that does not run until a preconfigured time or date elapses. Verifier - The person or team that is reviewing an application against the OWASP ASVS requirements. Whitelist – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.	Related Resources OWASP Top Ten OWASP Legal Project OWASP ESAPI Mike's List of Verification Providers

Start Here

1. About ASVS

Video presentation (YouTube)
Project presentation (PowerPoint)
Data sheet (PDF, Word)

2. Get ASVS

3. Learn ASVS

ASVS Article: Getting Started Using ASVS (PDF)
ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY (Wiki)
ASVS Article: Agile Software Development: Don't Forget EVIL User Stories (Wiki)
ASVS Article: Man vs. Code (Wiki)
ASVS Article: Getting started designing for a level of assurance (PDF)
ASVS Template: Sample verification fee schedule template (Excel)
ASVS Template: Sample verification report template (Word)
ASVS Training: An ASVS training presentation (PowerPoint)
ASVS Presentation: Executive-Level Presentation (PowerPoint)
ASVS Presentation: Presentation Abstract (Word)
Articles (More About ASVS and Using It)

Got Translation Cycles?

The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language.

Translation Onboarding Instructions.

Let's Talk Here

ASVS Communities

Further development of ASVS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please contact us.

owasp-application-security-verification-standard mailing list (this is the main list)

Glossary

ASVS Terminology

Access Control – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong.
Application Component – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application.
Application Security – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks.
Application Security Verification – The technical assessment of an application against the OWASP ASVS.
Application Security Verification Report – A report that documents the overall results and supporting analysis produced by the verifier for a particular application.
Application Security Verification Standard (ASVS) – An OWASP standard that defines four levels of application security verification for applications.
Authentication – The verification of the claimed identity of an application user.
Automated Verification – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems.
Back Doors – A type of malicious code that allows unauthorized access to an application.
Blacklist – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input.
Common Criteria (CC) – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products.
Communication Security – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application.
Design Verification – The technical assessment of the security architecture of an application.
Internal Verification – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS.
Cryptographic module – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys.
Denial of Service (DOS) Attacks – The flooding of an application with more requests than it can handle.
Dynamic Verification – The use of automated tools that use vulnerability signatures to find problems during the execution of an application.
Easter Eggs – A type of malicious code that does not run until a specific user input event occurs.
External Systems – A server-side application or service that is not part of the application.
FIPS 140-2 – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules
Input Validation – The canonicalization and validation of untrusted user input.
Malicious Code – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm!
Malware – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.
Open Web Application Security Project (OWASP) – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/
Output Validation – The canonicalization and validation of application output to Web browsers and to external systems.
OWASP Enterprise Security API (ESAPI) – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI
OWASP Risk Rating Methodology – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk
OWASP Testing Guide – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project
OWASP Top Ten – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10
Positive – See whitelist.
Salami Attack – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions.
Security Architecture – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.
Security Control – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record).
Security Configuration – The runtime configuration of an application that affects how security controls are used.
Static Verification – The use of automated tools that use vulnerability signatures to find problems in application source code.
Target of Verification (TOV) – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the “Target of Verification” or simply the TOV.
Threat Modeling - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.
Time Bomb – A type of malicious code that does not run until a preconfigured time or date elapses.
Verifier - The person or team that is reviewing an application against the OWASP ASVS requirements.
Whitelist – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.

Related Resources

Download

Web Application Standard

Download ASVS now, for free, here.

Other Versions

There is a wikified version here.
Please see the ASVS Google Code repository here for other versions, including translations and other formats (Word, XML, etc.)

This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.

Precedents/Interpretations

PI-0001: Are there levels between the levels?

Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"?
Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged.
References: ASVS section "Application Security Verification Levels"

PI-0002: Is use of a master key simply another level of indirection?

Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection?
Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection.
References: ASVS verification requirement V2.14

PI-0003: What is a "TOV" or "Target of Verification"?

Issue: New terminology
Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the “Target of Verification” or simply the TOV. The TOV should be identified in verification documentation as follows:
- TOV Identification – <name and version of the application> or <Application name>, <application version>, dynamic testing was performed in a staging environment, not the production environment
- TOV Developer – <insert name of the developer or verification customer>
References: ASVS section "Approach"

News

Project News

07/06/2009 - OWASP ASVS users list updated to include Minded Security

07/02/2009 - OWASP ASVS and "Man vs. Code" ASVS article mentioned in Toorcamp 2009 presentation

07/01/2009 - OWASP ASVS users list updated to include CETEC/CTCSE - Divisão Processos de Segurança no Desenvolvimento SERPRO - Serviço Federal de Processamento de Dados / Sede - Brasília-DF (CETEC / CTCSE - Division of Security in Development Processes SERPRO - Federal Service of Data Processing / Headquarters - Brasília-DF)

06/22/2009 - OWASP ASVS rulesets are added to Casaba Security's security testing tool Watcher version 1.2.0. First tool vendor to do so!

06/09/2009 - OWASP ASVS users list updated to include CGI Federal

06/03/2009 - OWASP ASVS Release Version published! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors.

05/15/2009 - OWASP ASVS users list updated to include Denim Group

05/13/2009 - OWASP ASVS is presented by Dave Wichers at OWASP AppSec Europe 2009 - Poland.

05/04/2009 - OWASP ASVS users list updated to include Casaba Security

05/09/2009 - OWASP ASVS is discussed in the Department of Defense (DoD) Information Assurance Technology Analysis Center (IATAC) State-of-the-Art-Report (SOAR) on "Measuring Cyber Security and Information Assurance".

04/09/2009 - OWASP ASVS is the subject of an opinion piece by Mike Boberski in SC Magazine on the need for a web app standard

04/08/2009 - OWASP ASVS users list updated to include ps_testware.

04/06/2009 - OWASP ASVS users list updated to include Federal Deposit Insurance Corporation (FDIC).

03/13/2009 - OWASP ASVS is presented by Dave Wichers at OWASP Software Assurance Day DC 2009 in conjunction with the Software Assurance Forum sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.

02/25/2009 – OWASP ASVS proposed updates based on pilots being considered.

01/22/2009 - OWASP ASVS has been integrated into the OWASP Secure Software Contract Annex in the OWASP Legal Project.

01/08/2009 - OWASP ASVS is presented by Mike Boberski at the OWASP Washington VA Local Chapter meeting.

12/29/2008 - OWASP ASVS is the subject of an article by DarkReading.

12/08/2008 - OWASP ASVS Final assistance required! Please join the mailing list for more information and assignments.

12/05/2008 - OWASP ASVS exits the Summer of Code 2008! The Beta draft of the Web Application Edition is released! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors.

11/03/2008 - OWASP ASVS is presented by Jeff Williams at OWASP EU Summit 2008.

10/03/2008 - OWASP ASVS Alpha draft is released! Mike Boberski is the primary author.

04/16/2008 - OWASP ASVS Summer of Code 2008 proposal submitted by Mike Boberski wins!

Weekly Status

2009-11-27

Users/Contributors


Project Leader Mike Boberski Project Contributors Jeff Williams Dave Wichers	Project Sponsorship	Users A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including: Aspect Security Booz Allen Hamilton Casaba Security CGI Federal Denim Group Federal Deposit Insurance Corporation (FDIC) Minded Security Nixu ps_testware Quince Associates Limited (SeeMyData) Serviço Federal de Processamento de Dados (SERPRO) Organizations listed above are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached here.

Project Leader

Mike Boberski

Project Contributors

Project Sponsorship

Users

A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including:

Organizations listed above are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard.

Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached here.

This project licensed under the Creative Commons Attribution ShareAlike 3.0.

Articles Below - More About ASVS and Using It

Pages in category "OWASP Application Security Verification Standard Project"

The following 21 pages are in this category, out of 21 total.

A

C

Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY

H

M

Man vs. Code

O

P

S

Some Guidance on the Verification Process

W

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&oldid=75622"

Category:

OWASP Books

Category:OWASP Application Security Verification Standard Project

Home

Start Here

Got Translation Cycles?

Let's Talk Here

Glossary

Related Resources

Download

Precedents/Interpretations

News

Users/Contributors

Articles Below - More About ASVS and Using It

Pages in category "OWASP Application Security Verification Standard Project"

A

C

H

M

O

P

S

W

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools