This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Definition for Security Assessment Levels

From OWASP
Revision as of 03:19, 15 September 2006 by Jeff Williams (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Overview

This article’s focus is to define, where practical, nomenclature and definitions of the differing security Assessment Levels. These levels rely on the Assessment Techniques defined elsewhere within this project.

Techniques

Note this is a working draft for discussion purposes and should not be relied upon. There is no guarantee that these levels will be used or will be stable for any purpose

The goal is to advance the levels in two dimensions, breadth and depth. Breadth is the coverage of the review across the space of security mechanisms and security vulnerabilities. Depth is the level of rigor applied to the analysis of the application.

The following assessment levels are proposed:

  • AL1: Partial Application Security Check
  • AL2: Basic Application Security Check
  • AL3: Standard Application Security Verification
  • AL4: Enhanced Application Security Verification
  • AL5: Comprehensive Application Security Verification


AL1: Partial Application Security Check

Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification.

AL2: Basic Application Security Check

AL1 + verification of scan results using manual penetration testing and code review. Security areas not scanned (encryption, access control, etc...) must be lightly tested or code reviewed.

AL3: Standard Application Security Verification

AL2 + verification of common security mechanisms and common vulnerabilities using either manual pentesting or code review or both. Not all instances of problems found. Sampling allowed.

AL4: Enhanced Application Security Verification

AL3 + verification of all security mechanisms and vulnerabilities based on high level threat model (part of assessment if not provided) using either manual pentest or code review or both.

AL5: Comprehensive Application Security Verification

AL4 + search for malicious code. All code must be manually reviewed against a standard and all security mechanisms tested.

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.