Difference between revisions of "OWASP Corporate Application Security Pledge"

From OWASP
Edit summary: (The OWASP Corporate Application Security Pledge)

Changes from the previous revision, starting at line 15 of the page source, under the heading "The OWASP Corporate Application Security Pledge":

Introduction
Previous revision: To demonstrate our commitment to building applications that are trustworthy enough for our business and our customers, we hereby confirm that:
This revision: To demonstrate our commitment to acquiring, building, and operating applications that are trustworthy enough for our business and our customers, we hereby confirm that:

Item 1 (ongoing application security awareness and training program)
Heading and description unchanged.

Item 2
Previous heading: We review all applications for common vulnerabilities
This revision: We review all applications for common vulnerabilities.
Description unchanged.

Item 3
Previous heading: We have established a dedicated application security team
This revision: We have established a dedicated application security team.
Previous description: Our application security team supports ...
This revision: Our application security team provides support to development projects across the software development lifecycle. In particular,

Item 4
Previous heading: We perform security activities as a part of our software development lifecycle
This revision: We perform security activities as a part of our software development lifecycle.
Previous description: (at a minimum sec req and testing) - understand the threat and make informed decisions about risks
This revision: Our software development lifecycle includes activities that help us understand the threat and make informed decisions about application security risks. These activities occur throughout the process from concept through operation and maintenance. In particular, every project has a set of security requirements and those requirements are tested.

Item 5
Previous heading: We have assigned responsibility for application security on each project and up to executive management
This revision: We have assigned responsibility for application security.
Previous description: (empty)
This revision: Each of our software projects has an application security lead who is responsible for ensuring that the application is secure enough for the business and its customers. In addition, responsibility for application security is assigned up through the organization to the executive management level.

Revision as of 16:37, 29 November 2006

NB: This page is a rough draft of an idea we are working on and should not be used yet

Background

OWASP recognizes that many organizations are doing the hard work to become capable of repeatably producing secure applications. These organizations deserve a way to promote the fact that they are doing the right things.

We have created the "OWASP Corporate Application Security Pledge" to recognize these organizations and set a goal for other organizations to

There is much more that organizations can do, but we believe that these are the most critical steps that all organizations should have in place.

Participation

Use the LOGO - IF you register with us and confirm

The OWASP Corporate Application Security Pledge

To demonstrate our commitment to acquiring, building, and operating applications that are trustworthy enough for our business and our customers, we hereby confirm that:

1. We have established an ongoing application security awareness and training program.
Our training program ensures that software developers, architects, and testers have been exposed to application security and understand how to find and prevent the common vulnerabilities. Leaders and managers are trained in how to lead projects and teams to produce secure applications.
2. We review all applications for common vulnerabilities.
All of our applications (including internal applications) receive some level of scrutiny for common vulnerabilities before they are deployed. Our most critical applications receive a detailed code review and penetration test, while less critical applications receive at least an automated security scan.
3. We have established a dedicated application security team.
Our application security team provides support to development projects across the software development lifecycle. In particular,
4. We perform security activities as a part of our software development lifecycle.
Our software development lifecycle includes activities that help us understand the threat and make informed decisions about application security risks. These activities occur throughout the process from concept through operation and maintenance. In particular, every project has a set of security requirements and those requirements are tested.
5. We have assigned responsibility for application security.
Each of our software projects has an application security lead who is responsible for ensuring that the application is secure enough for the business and its customers. In addition, responsibility for application security is assigned up through the organization to the executive management level.