This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Application Security Verification Standard Project"

From OWASP
Jump to: navigation, search
m (Reverted edits by Frank Alexander (talk) to last revision by Paulo Coimbra)
Line 1: Line 1:
== Modelo de Auditoría de sistemas:  ==
+
==== Home ====
  
Éste es un modelo universal para securizar en un alto grado de seguridad al sistema operativo.
+
{| width="100%"
 
 
#Sistema de cifrado congelado: Mantiene en secreto la ubicación del archivo del sistema, previniendo ataques de tipo monitoreo de redes.
 
#OpenVAS: Línea de comandos para cifrar- descifrar el protocolo TCP/Ip
 
#Filtro Web: Previene intrusiones a través de puertos inseguros
 
#Clam Antivirus: Previene, detecta y corrige virus informático
 
 
 
<br>
 
 
 
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
 
|-
 
| Clam Antivirus
 
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
 
|-
 
| Filtro Web
 
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
 
|-
 
| OpenVAS
 
{| border="1" cellspacing="1" cellpadding="1" width="200" align="center"
 
 
|-
 
|-
| Sistema de Cifrado Congelado
+
! width="66%" |  
|}
+
! width="33%" |  
 +
|- valign="top"
 +
|
 +
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:
  
|}
+
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
 +
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
 +
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.
 +
|  
 +
[[Image:Esapi-sponsors.PNG]]
  
 
|}
 
|}
  
|}
+
{| width="100%"
 +
|-
 +
! width="33%" |
 +
! width="33%" |
 +
! width="33%" |
 +
|- valign="top"
 +
|
 +
== Let's talk here  ==
  
== Descripción softwares de auditoría  ==
+
[[Image:Asvs-bulb.jpg]]'''ASVS Communities'''
  
*El sistema de cifrado http://truecrypt.org cifra el núcleo del sistema operativo y los discos lógicos impidiendo ataques espía.
+
Further development of ASVS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please [mailto:dave.wichers@owasp.org contact us].  
  
*Los comandos shell http://openvas.org sirven para analizar protocolos de red, detección de virus y cifrado del protocolo IpV4-6
+
*[https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard owasp-application-security-verification-standard mailing list (this is the main list)]
  
*El filtro web http://freenetproject.org es una técnica que reemplaza al Firewall, discriminando puertos inseguros, ahorrando tiempo de procesamiento en el núcleo del sistema.
+
|
 +
== Got translation cycles?  ==
  
*Clamwin.com es un software de código abierto, no usa computación en la nube y tiene una GUI que detecta virus en línea http://sourceforge.net/projects/clamsentinel
+
[[Image:Asvs-writing.JPG]]'''ASVS Translation'''
  
== Macroinformática  ==
+
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language.
  
La macroinformática comprende eficiencia, seguridad y naturaleza. La eficacia de un sistema operativo se mide por la interacción hombre-máquina, sintetizando aplicaciones minimalistas y ejecutándolas nuestro sistema operativo procesará los datos eficientemente, ejemplos:
+
*[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions].
  
*Transmisión cifrada: Cliente e-mail con GnuPG
+
|
 +
== Related resources ==
  
http://fellowship.fsfe.org
+
[[Image:Asvs-satellite.jpg]]'''OWASP Resources'''
  
*Sistema de cifrado: Cifra y descifra texto plano, imágenes, etc..
+
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten]
 +
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide]
 +
*[http://www.owasp.org/index.php/Category:OWASP_Legal_Project OWASP Legal Project]
 +
*[http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API OWASP ESAPI]
 +
*[http://www.owasp.org/index.php/Common_OWASP_Numbering OWASP Common Numbering]
 +
*[http://www.owasp.org/index.php/Category:OWASP_Newsletter#tab=Press_releases OWASP Press Releases]
 +
|}
 +
== Did you know...  ==
 +
[[Image:Asvs-handshake.JPG]]'''ASVS Users'''
  
#ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.11.exe
+
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://www.fdic.gov Federal Deposit Insurance Corporation (FDIC)], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:dave.wichers@owasp.org here].
#http://cryptophane.googlecode.com/files/cryptophane-0.7.0.exe
+
<br><br>
 +
==== Downloads ====
  
*Ruby: Lenguaje de programación experimental
+
{| width="100%"
 +
|-
 +
! width="33%" |
 +
! width="33%" |
 +
! width="33%" |
 +
|- valign="top"
 +
|
 +
[[Image:Asvs-step1.jpg]]'''1. About ASVS'''
  
http://ruby-lang.org  
+
*Video presentation in English [http://www.youtube.com/watch?v=1DBW1RbQnY4 (YouTube)]
 +
*Project presentation in English ([http://www.owasp.org/images/7/71/About_OWASP_ASVS.ppt PowerPoint])
 +
*Project presentation in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-presentation-fr.ppt PowerPoint])
 +
*Project presentation in French (Microsoft TechDays) ([http://www.microsoft.com/france/vision/mstechdays10/Webcast.aspx?EID=413f809d-abbc-467d-a930-5e2d7da27fef Webcast])
 +
*Data sheet in English ([http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf PDF], [http://www.owasp.org/images/6/60/ASVS_One_Page_Handout.doc Word])
 +
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]
  
*J2re1.3.1_20: Ejecutable de objetos interactivos o applets
+
|
 +
[[Image:Asvs-step2.jpg]]'''2. Get ASVS'''
  
http://java.sun.com/products/archive/j2se/1.3.1_20/index.html
+
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)
 +
*ASVS in Chinese(Currently under development!)
 +
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML])
 +
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice])
 +
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])
 +
*ASVS in Hungarian (Currently under development!)
 +
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word])
 +
*ASVS in Persian (Farsi) (Currently under development!)
 +
*ASVS in Polish (Currently under development!)
 +
*ASVS in Spanish (Currently under development!)
 +
*ASVS in Thai (Currently under development!)
  
*Escritorio: Gestor de ventanas X11
+
|
 +
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS'''
  
http://windowmaker.info
+
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF])
 +
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)]
 +
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki])
 +
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki])
 +
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF])
 +
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel])
 +
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word])
 +
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint])
 +
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint])
 +
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word])
 +
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]
  
*Gnuzilla: Navegador seguro y de uso libre
+
|}
 
 
http://code.google.com/p/iceweaselwindows/downloads/list
 
 
 
*Gnupdf: Visor de formato de texto universal pdf
 
 
 
http://blog.kowalczyk.info/software/sumatrapdf
 
 
 
*Gnuflash: Jugador alternativo a flash player
 
 
 
http://gnu.org/software/gnash
 
 
 
*Zinf: Reproductor de audio
 
 
 
http://zinf.org
 
 
 
*Informática forense: Análisis de datos ocultos en el disco duro
 
 
 
http://sleuthkit.org
 
 
 
*Compresor: Comprime datos sobreescribiendo bytes repetidos
 
 
 
http://peazip.sourceforge.net
 
 
 
*Ftp: Gestor de descarga de archivos
 
 
 
http://dfast.sourceforge.net
 
 
 
*AntiKeylogger: Neutraliza el seguimiento de escritorios remotos (Monitoring)
 
 
 
http://psmantikeyloger.sourceforge.net
 
 
 
*Password manager: Gestión de contraseñas
 
 
 
http://passwordsafe.sourceforge.net
 
 
 
*Limpiador de disco: Borra archivos innecesrios del sistema
 
 
 
http://bleachbit.sourceforge.net
 
 
 
*Desfragmentador: Reordena los archivos del disco duro, generando espacio virtual
 
 
 
http://kessels.com/jkdefrag
 
 
 
*X11: Gestor de ventanas, reemplazo de escritorio Xwindow's
 
 
 
http://bb4win.org
 
 
 
*Open Hardware: Hardware construído por la comunidad Linux
 
 
 
http://open-pc.com
 
 
 
*Open WRT: Firmware libre para configurar transmisión de Internet
 
  
http://openwrt.org
+
<br>
  
*Gnu- Linux: Sistema operativo universal
+
==== Glossary ====
  
http://gnewsense.org
+
[[Image:Asvs-letters.jpg]]'''ASVS Terminology'''
  
== Biocriptoseguridad ==: Es la unión de la biología, criptografía y hacking ético para formar una defensa stándar contra virus complejos.  
+
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong.
 +
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application.
 +
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks.
 +
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS.
 +
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application.
 +
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications.
 +
*'''Authentication''' – The verification of the claimed identity of an application user.
 +
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems.
 +
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application.
 +
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input.
 +
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products.
 +
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application.
 +
*'''Design Verification''' – The technical assessment of the security architecture of an application.
 +
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS.
 +
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys.
 +
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle.
 +
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application.
 +
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs.
 +
*'''External Systems''' – A server-side application or service that is not part of the application.
 +
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules
 +
*'''Input Validation''' – The canonicalization and validation of untrusted user input.
 +
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm!
 +
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.
 +
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/
 +
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems.
 +
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI
 +
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk
 +
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project
 +
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10
 +
*'''Positive''' – See whitelist.
 +
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions.
 +
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.
 +
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record).
 +
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used.
 +
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code.
 +
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV.
 +
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.
 +
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses.
 +
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements.
 +
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.
  
Implementación de la biocriptoseguridad informática:
+
<br>
  
#Amplificar la banda ancha
+
==== Precedents/Interpretations ====
#Optimizar (limpiar- modificar) el sistema operativo
 
#Desfragmentar los discos lógicos
 
#Ocultar el sistema operativo
 
#Configurar antivirus
 
#Limpiar y desfragmentar
 
#Congelar
 
  
*Sistema inmune._ Defensa biológica natural contra infecciones como virus http://immunet.com
+
'''PI-0001: Are there levels between the levels?'''
  
*Criptografía._ Método de escritura oculta por caractes, números y letras:—{H}/gJa¢K¡Ng÷752%\*)A>¡#(W|a— http://diskcryptor.net
+
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"?
 +
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged.
 +
*References: ASVS section "Application Security Verification Levels"
  
*Hacking ético._ Auditoría de sistemas informáticos que preserva la integridad de los datos.
+
'''PI-0002: Is use of a master key simply another level of indirection?'''
  
Congelador: Mantiene el equilibrio en la integridad de los datos, el sistema operativo, red , memoria ram, ciclos de CPU, espacio en disco duro e incidencias de malware
+
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection?
 +
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection.
 +
*References: ASVS verification requirement V2.14
  
*http://code.google.com/p/hzr312001/downloads/detail?name=Deep%20systemze%20Standard%20Version%206.51.020.2725.rar&amp;can=2&amp;q= (para Window's)
+
'''PI-0003: What is a "TOV" or "Target of Verification"?'''
*http://sourceforge.net/projects/lethe (para GNU/Linux)
 
  
<br>Auditoría de virus cifrado._ Un criptovirus se oculta tras un algoritmo de criptografía, generalmente es híbrido simétrico-asimétrico con una extensión de 1700bit's, burla los escáneres antivirus con la aleatoriedad de cifrado, facilitando la expansión de las botnet's. La solución es crear un sistema operativo transparente, anonimizarlo y usar herramientas de cifrado stándar de uso libre:  
+
*Issue: New terminology
 +
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows:
 +
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment
 +
**TOV Developer – &lt;insert name of the developer or verification customer&gt;
 +
*References: ASVS section "Approach"
  
*Gnupg: Sirve para cifrar mensajes de correo electrónico http://gpg4win.org/download.html
+
<br>
  
*Open Secure Shell: Ofuscador TcpIp, protege el túnel de comunicación digital cifrando la Ip. http://openvas.org
+
<!--- ==== Project Details  ====
 +
{{:GPC_Project_Details/OWASP_Application_Security_Verification_Standard_Project | OWASP Project Identification Tab}} --->
  
*Red protegida: DNS libre http://namespace.org/switch
+
==== Project About  ====
 +
{{:Projects/OWASP Application Security Verification Standard Project| Project About}}
  
*Criptosistema simétrico: Encapsula el disco duro, incluyendo el sistema operativo,usando algoritmo Twofish http://truecrypt.org/downloads.php
+
__NOTOC__ <headertabs /> <br>
  
*Proxy cifrado: Autenticación de usuario anónimo http://torproject.org
+
= Articles Below - More About ASVS and Using It =
  
Energías renovables._ Son energías adquiridas por medios naturales: hidrógeno, aire, sol que disminuyen la toxicidad de las emisiones de Co2 en el medio ambiente, impulsando políticas ecologistas contribuímos a preservar el ecosistema. Ejm: Usando paneles solares fotovoltaicos.
+
[[Category:OWASP_Project|Application Security Verification Standard Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]

Revision as of 23:05, 7 February 2011

Home

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:

  • Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
  • Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
  • Use during procurement - Provide a basis for specifying application security verification requirements in contracts.

Esapi-sponsors.PNG

Let's talk here

Asvs-bulb.jpgASVS Communities

Further development of ASVS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please contact us.

Got translation cycles?

Asvs-writing.JPGASVS Translation

The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language.

Related resources

Asvs-satellite.jpgOWASP Resources

Did you know...

Asvs-handshake.JPGASVS Users

A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including Aspect Security, Astyran, Booz Allen Hamilton, Casaba Security, CGI Federal, Denim Group, Federal Deposit Insurance Corporation (FDIC), Minded Security, Nixu, ps_testware, Proactive Risk, Quince Associates Limited (SeeMyData), Serviço Federal de Processamento de Dados (SERPRO), Universidad Distrital Francisco José de Caldas Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached here.

Downloads

Asvs-step1.jpg1. About ASVS

  • Video presentation in English (YouTube)
  • Project presentation in English (PowerPoint)
  • Project presentation in French (PowerPoint)
  • Project presentation in French (Microsoft TechDays) (Webcast)
  • Data sheet in English (PDF, Word)
  • ASVS vs. WASC et al (Wiki)

Asvs-step2.jpg2. Get ASVS

  • ASVS in Bahasa Malaysia (Malay) (Currently under development!)
  • ASVS in Chinese(Currently under development!)
  • ASVS in English (PDF, Word, Online, XML)
  • ASVS in French (PDF, OpenOffice)
  • ASVS in German (PDF, Word)
  • ASVS in Hungarian (Currently under development!)
  • ASVS in Japanese (PDF, Word)
  • ASVS in Persian (Farsi) (Currently under development!)
  • ASVS in Polish (Currently under development!)
  • ASVS in Spanish (Currently under development!)
  • ASVS in Thai (Currently under development!)

Asvs-step3.jpg3. Learn ASVS

  • ASVS Article: Getting Started Using ASVS (PDF)
  • ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY (Wiki)
  • ASVS Article: Agile Software Development: Don't Forget EVIL User Stories (Wiki)
  • ASVS Article: Man vs. Code (Wiki)
  • ASVS Article: Getting started designing for a level of assurance (PDF)
  • ASVS Template: Sample verification fee schedule template (Excel)
  • ASVS Template: Sample verification report template (Word)
  • ASVS Training: An ASVS training presentation (PowerPoint)
  • ASVS Presentation: Executive-Level Presentation (PowerPoint)
  • ASVS Presentation: Presentation Abstract (Word)
  • Articles (More About ASVS and Using It)


Glossary

Asvs-letters.jpgASVS Terminology

  • Access Control – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong.
  • Application Component – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application.
  • Application Security – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks.
  • Application Security Verification – The technical assessment of an application against the OWASP ASVS.
  • Application Security Verification Report – A report that documents the overall results and supporting analysis produced by the verifier for a particular application.
  • Application Security Verification Standard (ASVS) – An OWASP standard that defines four levels of application security verification for applications.
  • Authentication – The verification of the claimed identity of an application user.
  • Automated Verification – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems.
  • Back Doors – A type of malicious code that allows unauthorized access to an application.
  • Blacklist – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input.
  • Common Criteria (CC) – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products.
  • Communication Security – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application.
  • Design Verification – The technical assessment of the security architecture of an application.
  • Internal Verification – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS.
  • Cryptographic module – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys.
  • Denial of Service (DOS) Attacks – The flooding of an application with more requests than it can handle.
  • Dynamic Verification – The use of automated tools that use vulnerability signatures to find problems during the execution of an application.
  • Easter Eggs – A type of malicious code that does not run until a specific user input event occurs.
  • External Systems – A server-side application or service that is not part of the application.
  • FIPS 140-2 – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules
  • Input Validation – The canonicalization and validation of untrusted user input.
  • Malicious Code – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm!
  • Malware – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.
  • Open Web Application Security Project (OWASP) – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/
  • Output Validation – The canonicalization and validation of application output to Web browsers and to external systems.
  • OWASP Enterprise Security API (ESAPI) – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI
  • OWASP Risk Rating Methodology – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk
  • OWASP Testing Guide – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project
  • OWASP Top Ten – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10
  • Positive – See whitelist.
  • Salami Attack – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions.
  • Security Architecture – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.
  • Security Control – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record).
  • Security Configuration – The runtime configuration of an application that affects how security controls are used.
  • Static Verification – The use of automated tools that use vulnerability signatures to find problems in application source code.
  • Target of Verification (TOV) – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV.
  • Threat Modeling - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.
  • Time Bomb – A type of malicious code that does not run until a preconfigured time or date elapses.
  • Verifier - The person or team that is reviewing an application against the OWASP ASVS requirements.
  • Whitelist – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.


Precedents/Interpretations

PI-0001: Are there levels between the levels?

  • Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"?
  • Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged.
  • References: ASVS section "Application Security Verification Levels"

PI-0002: Is use of a master key simply another level of indirection?

  • Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection?
  • Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection.
  • References: ASVS verification requirement V2.14

PI-0003: What is a "TOV" or "Target of Verification"?

  • Issue: New terminology
  • Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows:
    • TOV Identification – <name and version of the application> or <Application name>, <application version>, dynamic testing was performed in a staging environment, not the production environment
    • TOV Developer – <insert name of the developer or verification customer>
  • References: ASVS section "Approach"



Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Application Security Verification Standard Project (home page)
Purpose: The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:
  • Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
  • Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
  • Use during procurement - Provide a basis for specifying application security verification requirements in contracts.
License: Creative Commons Attribution ShareAlike 3.0
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: View
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Main links:
Key Contacts
current release
ASVS - 2009 Edition - 2009 - (download)
Release description: N/A
Rating: Greenlight.pngGreenlight.pngGreenlight.png Stable Release - Assessment Details
last reviewed release
ASVS - SoC 2008 Edition - 2008 - (download)
Release description: Beta Release
Rating: Greenlight.pngGreenlight.png Beta Release - Assessment Details


other releases

Articles Below - More About ASVS and Using It