8/8/2019 About Owasp Asvs
http://slidepdf.com/reader/full/about-owasp-asvs 1/31
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP Project
http://www.owasp.org
OWASP Application Security Verification Standard 2009
The ASVS Team
Web Application Standard
Agenda
About ASVS
Project Status
Technical Details
Getting Started
Where to Go from Here
Questions
Challenges
There is a huge range in coverage and rigor available in the application security verification market!
Consumers have no way to tell the difference between:
Someone running a grep tool, and
Someone doing painstaking code review and manual testing!
There are differences in coverage and rigor between types of tools, between tools and manual techniques, and between types of manual techniques!
Philosophy of ASVS
It is intended as a standard for how to verify the security of web applications
It should be application-independent
It should be development life-cycle independent
It should define requirements that can be applied across web applications without special interpretation
Any such standard also needs to be commercially viable and therefore not overly burdensome!
Design Goals:
The standard should define increasing levels of application security verification
The difference in coverage and level of rigor between levels should be relatively linear
The standard should define functional verification requirements that take a white-list (i.e., positive) approach
The standard should also be verification tool and technique independent!
What Questions Does ASVS Answer?
What security features should be built into the required set of security controls?
What are reasonable increases in coverage and level of rigor when verifying the security of a web application?
How can I compare verification efforts?
How much trust can be placed in a web application?
ASVS can answer these questions for applications ranging from minimum risk applications to critical infrastructure applications.
A Success Story:
Application Security Verification Standards are specifications produced by OWASP in cooperation with secure applications developers and verifiers worldwide for the purpose of accelerating the deployment of secure web applications. First published in 2008 as a result of an OWASP Summer of Code grant and meetings with a small group of early adopters, the ASVS documents have become widely referenced and implemented.
What is the status of the ASVS as an OWASP standard?
Web Application Standard
It is the first OWASP standard
Current version is now Release quality, released June 2009
Project Lead: Mike Boberski (Booz Allen)
Co-authors: Jeff Williams, Dave Wichers (Aspect Security)
Piloted by Booz Allen Hamilton
ASVS assessments now being offered by firms including Aspect Security and Booz Allen
Future ASVS Standards:
Web Services Standard next on the roadmap
Translate to other languages (e.g. Spanish)
Additional architectures being considered (perhaps client-server, Cloud computing for example)
Project Plan and Status
06/09 OWASP ASVS Release
12/08 OWASP ASVS Beta
10/08 OWASP ASVS Alpha
04/08 OWASP ASVS RFP
(OWASP Summer of Code 2008)
Check out the ASVS project page for the latest news:
http://www.owasp.org/index.php/ASVS
What are ASVS Verification Levels?
Application Security Verification Techniques
Find Vulnerabilities Using the Running Application:
Automated Application Vulnerability Scanning
Manual Application Penetration Testing
Find Vulnerabilities Using the Source Code:
Automated Static Code Analysis
Manual Security Code Review
Level Definitions
Level 1: Automated Verification
  Level 1A: Dynamic Scan (Partial Automated Verification)
  Level 1B: Source Code Scan (Partial Automated Verification)
Level 2: Manual Verification
  Level 2A: Penetration Test (Partial Manual Verification)
  Level 2B: Code Review (Partial Manual Verification)
Level 3: Design Verification
Level 4: Internal Verification
Level 1 in more detail
Automated verification of a web application treated as groups of components within a single monolithic entity
Level 1 Options
Level 1A: Dynamic Scan (Partial Automated Verification)
Level 1B: Source Code Scan (Partial Automated Verification)
Need BOTH to achieve a full Level 1!
Tools At Best 45%
MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (695)
They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true)
Level 2 in more detail
Manual verification of a web application organized into a high-level architecture.
Level 2 Options
Level 2A: Manual Penetration Test
Level 2B: Manual Code Review
Need BOTH to achieve a full Level 2!
Level 3 in more detail
Level 2 + Threat modeling information to verify design
Level 4 in more detail
Internal verification of a web application by searching for malicious code (not malware) and examining how security controls work.
What are the ASVS Verification Requirements?
Security architecture verification requirements
Security control verification requirements
Security architecture information puts verification results into context and helps testers and reviewers to determine if the verification was accurate and complete.
A positive approach
Negative: The tester shall search for XSS holes
Positive: Verify that all HTML output that includes user supplied input is properly escaped
See: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Technology and threats change over time! ASVS takes a proactive, white-list approach.
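To make the positive requirement concrete, here is an added Python example (not code from the ASVS document or the presentation): a small HTML-escaping control following rule #1 of the cheat sheet linked above, a hypothetical renderer that concatenates user input raw beside one that routes every value through the control, and a check a verifier could run over rendered output to confirm that each user-supplied value appears only in escaped form. The function names (escape_html, render_profile_unsafe, render_profile_safe, output_properly_escaped, verify_both_renderers) and the sample inputs are constructed for this illustration.

```python
import re

# Characters the OWASP XSS Prevention Cheat Sheet (rule #1) says to
# entity-encode before untrusted data is placed in HTML element content.
_HTML_ENCODE = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}
_SIGNIFICANT = re.compile(r"[&<>\"'/]")


def escape_html(value):
    """Entity-encode untrusted text for an HTML element context."""
    return "".join(_HTML_ENCODE.get(ch, ch) for ch in value)


def render_profile_unsafe(display_name, bio):
    """The pattern a negative 'search for XSS holes' requirement hunts for:
    user input concatenated straight into HTML (hypothetical renderer)."""
    return "<h1>%s</h1><p>%s</p>" % (display_name, bio)


def render_profile_safe(display_name, bio):
    """The positive requirement satisfied: every user-supplied value passes
    through the escaping control before it reaches the HTML context."""
    return "<h1>%s</h1><p>%s</p>" % (escape_html(display_name), escape_html(bio))


def output_properly_escaped(rendered, user_values):
    """Verification check for the positive requirement.

    Each user-supplied value must appear in the output in its escaped form,
    and a value that carries HTML-significant characters must not appear
    raw. Escaped occurrences are removed before looking for the raw form,
    so a value such as "&amp;" (whose correct encoding "&amp;amp;" contains
    the raw text) is not reported as a false positive.
    """
    for value in user_values:
        encoded = escape_html(value)
        if encoded not in rendered:
            return False
        if _SIGNIFICANT.search(value) and value in rendered.replace(encoded, ""):
            return False
    return True


# Constructed sample input (not from the ASVS document): a display name
# carrying HTML markup and a bio carrying an already-encoded ampersand.
SAMPLE_NAME = "Mal<b>lory</b>"
SAMPLE_BIO = "Tom &amp; Jerry fan"


def verify_both_renderers():
    """Run the check against both renderers; returns (unsafe_ok, safe_ok)."""
    values = [SAMPLE_NAME, SAMPLE_BIO]
    unsafe_ok = output_properly_escaped(render_profile_unsafe(SAMPLE_NAME, SAMPLE_BIO), values)
    safe_ok = output_properly_escaped(render_profile_safe(SAMPLE_NAME, SAMPLE_BIO), values)
    return unsafe_ok, safe_ok


if __name__ == "__main__":
    unsafe_ok, safe_ok = verify_both_renderers()
    print("unsafe renderer meets requirement:", unsafe_ok)  # False
    print("safe renderer meets requirement:", safe_ok)      # True
```

The check is phrased the way the positive requirement is: it does not look for a particular payload, it confirms that the escaping control was applied to every value, so it stays valid as attack techniques change. Its result is exactly the kind of evidence an R4 Verification Results section can cite for this requirement.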
What are ASVS reporting requirements?
R1 Report Introduction
R2 Application Description
R3 Application Architecture
R4 Verification Results
Is the report sufficiently detailed to make verification repeatable?
Is there enough information to determine if the verification was accurate and complete?
How do I get started using ASVS?
Buyer and seller: agree how technical security requirements will be verified by specifying a level from 1 to 4
Perform an initial verification of the application
Using ASVS requires planning and in that respect is just like any other testing exercise!
How do I get started using ASVS? (continued)
Develop and execute a remediation strategy
Re-verify after fixes are made (repeat as necessary).
Develop a strategy to add verifications into the SDLC as regular activities.
Tip: don't scare people when you present your findings! Be specific. Propose a specific fix or a workaround, if able.
Integrating ASVS into your SDLC(Outsourcing not required)
Where can I find help getting started using ASVS?
You can find information on the ASVS Project Page, where there are articles at the bottom of the page:
http://www.owasp.org/index.php/ASVS
Where can I get a copy of ASVS, and talk to people using ASVS?
You can download a copy from the ASVS Project page:
http://www.owasp.org/index.php/ASVS
You can send comments and suggestions for improvement using the project mailing list: see the Mailing List/Subscribe link on the project web page.
Tell us how your organization is using the OWASP ASVS. Include your name, organization's name, and a brief description of how you are using the ASVS.
Tip: Subscribe to the OWASP ASVS mailing list!
Owasp-Application-Security-Verification-S[email protected]
Questions