
Definition for Security Assessment Levels

From OWASP
Latest revision as of 21:52, 30 July 2016

This historical page is now part of the OWASP archive.
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
Please use the newer edition(s), such as Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013.

Overview

This article defines, where practical, the nomenclature and definitions of the different security Assessment Levels. These levels rely on the Assessment Techniques defined elsewhere within this project.

Levels

Note that this is a working draft for discussion purposes and should not be relied upon. There is no guarantee that these levels will be used, or that they will remain stable, for any purpose.

The goal is to advance the levels along two dimensions, breadth and depth. Breadth is the coverage of the review across the space of security mechanisms and security vulnerabilities. Depth is the level of rigor applied to the analysis of the application.

The following assessment levels are proposed:

  • AL1: Partial Application Security Check
  • AL2: Basic Application Security Check
  • AL3: Standard Application Security Verification
  • AL4: Enhanced Application Security Verification
  • AL5: Comprehensive Application Security Verification


AL1: Partial Application Security Check

Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification.

AL2: Basic Application Security Check

AL1 + verification of scan results using manual penetration testing and code review. Security areas that were not scanned (encryption, access control, etc.) must be lightly tested or code reviewed.

AL3: Standard Application Security Verification

AL2 + verification of common security mechanisms and common vulnerabilities using manual pentesting, code review, or both. Not every instance of a problem needs to be found; sampling is allowed.

AL4: Enhanced Application Security Verification

AL3 + verification of all security mechanisms and vulnerabilities based on a high-level threat model (produced as part of the assessment if one is not provided), using manual pentesting, code review, or both.

AL5: Comprehensive Application Security Verification

AL4 + a search for malicious code. All code must be manually reviewed against a standard, and all security mechanisms must be tested.
