This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

ESAPI Assurance

From OWASP

Revision as of 05:37, 21 August 2011 by Kevin W. Wall (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Building an Assurance Case for ESAPI

Arguing Security - Creating Security Assurance Cases

summary: make Claims, provide supporting Evidence, and make Arguments for how the evidence supports the claims

Highest level claim is "The system is Acceptably Secure" but how to break this down into sub-claims that map to the provided evidence? e.g. absence of specific vulns (as investigated by manual testing or tool scans)

Hey! How about an explicit threat model??? Especially, what are our assumptions.

claims could be summarized using a Software Facts Label

each language (Java, ASP, etc.) may need separate claims

list the third-party software

discuss coding practices that were followed, skill levels of developers, amount of independent review

publish scanning tool results. "Tool X, using rule set R on date D, was run against ESAPI version Y using configuration Z, and found this set of results with this amount of code coverage."

Coding Practices

was OWASP Top Ten followed?

how was performance and security balanced?

what is the level of training of the developers? amount of experience in web development?

were tools part of the whole process or run at the end?

how was code repository prevented from unauthorized alterations?

practices for code check-in and independent review - how is introduction of Trojans avoided?

what threat level is being accounted for (e.g. will this only work against script kiddies)? was threat modeling used? (No; I wish!)

Retrieved from "https://wiki.owasp.org/index.php?title=ESAPI_Assurance&oldid=116049"