About OWASP ASVS


8/8/2019 About Owasp Asvs

http://slidepdf.com/reader/full/about-owasp-asvs 1/31

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation
OWASP Project
http://www.owasp.org

OWASP Application Security Verification Standard 2009

The ASVS Team

Web Application Standard


Agenda

About ASVS
Project Status
Technical Details
Getting Started
Where to Go from Here
Questions


Challenges

There is a huge range in coverage and rigor available in the application security verification market!

Consumers have no way to tell the difference between:
Someone running a grep tool, and
Someone doing painstaking code review and manual testing!

There are differences in coverage and rigor between types of tools, between tools and manual techniques, and between types of manual techniques!


Philosophy of ASVS

It is intended as a standard for how to verify the security of web applications
It should be application-independent
It should be development life-cycle independent
It should define requirements that can be applied across web applications without special interpretation

Any such standard also needs to be commercially viable, and therefore not overly burdensome!

Design Goals:

The standard should define increasing levels of application security verification
The difference in coverage and level of rigor between levels should be relatively linear
The standard should define functional verification requirements that take a white-list (i.e., positive) approach
The standard should also be verification tool and technique independent!


What Questions Does ASVS Answer?

What security features should be built into the required set of security controls?
What are reasonable increases in coverage and level of rigor when verifying the security of a web application?
How can I compare verification efforts?
How much trust can be placed in a web application?

ASVS can answer these questions for applications ranging from minimum-risk applications to critical infrastructure applications.

A Success Story:

Application Security Verification Standards are specifications produced by OWASP in cooperation with secure application developers and verifiers worldwide for the purpose of accelerating the deployment of secure web applications. First published in 2008 as a result of an OWASP Summer of Code grant and meetings with a small group of early adopters, the ASVS documents have become widely referenced and implemented.



What is the status of the ASVS as an OWASP standard?

Web Application Standard

It is the first OWASP standard
Current version is now Release quality, released June 2009
Project Lead: Mike Boberski (Booz Allen)
Co-authors: Jeff Williams, Dave Wichers (Aspect Security)
Piloted by Booz Allen Hamilton
ASVS assessments now being offered by firms including Aspect Security and Booz Allen

Future ASVS Standards:

Web Services Standard next on the roadmap
Translate to other languages (e.g. Spanish)
Additional architectures being considered (perhaps client-server, or Cloud computing, for example)


Project Plan and Status

06/09 OWASP ASVS Release

12/08 OWASP ASVS Beta

10/08 OWASP ASVS Alpha

04/08 OWASP ASVS RFP (OWASP Summer of Code 2008)

Check out the ASVS project page for the latest news:
http://www.owasp.org/index.php/ASVS



What are ASVS Verification Levels?


Application Security Verification Techniques

Find Vulnerabilities Using the Running Application:
Automated Application Vulnerability Scanning
Manual Application Penetration Testing

Find Vulnerabilities Using the Source Code:
Automated Static Code Analysis
Manual Security Code Review


Level Definitions

Level 1: Automated Verification
    Level 1A: Dynamic Scan (Partial Automated Verification)
    Level 1B: Source Code Scan (Partial Automated Verification)
Level 2: Manual Verification
    Level 2A: Penetration Test (Partial Manual Verification)
    Level 2B: Code Review (Partial Manual Verification)
Level 3: Design Verification
Level 4: Internal Verification


Level 1 in more detail

Automated verification of a web application treated as groups of components within a single monolithic entity.


Level 1 Options

Level 1A: Dynamic Scan (Partial Automated Verification)
Level 1B: Source Code Scan (Partial Automated Verification)

Need BOTH to achieve a full Level 1…


Tools At Best 45%

MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (695).
They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).


Level 2 in more detail

Manual verification of a web application organized into a high-level architecture.


Level 2 Options

Level 2A: Manual Penetration Test
Level 2B: Manual Code Review

Need BOTH to achieve a full Level 2…


Level 3 in more detail

Level 2 + threat modeling information to verify design.


Level 4 in more detail

Internal verification of a web application by searching for malicious code (not malware) and examining how security controls work.


What are the ASVS Verification Requirements?

Security architecture verification requirements
Security control verification requirements

Security architecture information puts verification results into context and helps testers and reviewers to determine if the verification was accurate and complete.


A positive approach

Negative: The tester shall search for XSS holes
Positive: Verify that all HTML output that includes user-supplied input is properly escaped

See: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Technology and threats change over time! ASVS takes a proactive, white-list approach.
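The positive requirement above is something a verifier can check in code rather than by hunting for individual holes. The following Python example is added here and is not from the slide deck or from the ASVS document itself: it shows the negative pattern (user input concatenated straight into HTML) next to the positive one (escaping the characters the XSS Prevention Cheat Sheet lists for HTML element content), and a small black-box check that pushes a canary value through a template function and confirms none of the canary's special characters survive unencoded. The function names, the template, the canary and the sample input are all assumptions made for this illustration, and the check covers only HTML element content; attribute, JavaScript and URL contexts each need their own encoder.

```python
import html
import re

# Constructed sample of user-supplied input; an assumed value for this
# example, not data taken from the slide deck.
USER_INPUT = "<img src=x onerror=alert(1)> Tom & Jerry's /home"

# One of each character that must be encoded before untrusted data is placed
# in HTML element content (the & < > " ' / set from the cheat sheet).
CANARY = "'\"<>&/"


def escape_html_element(value: str) -> str:
    """Encode untrusted data for an HTML element context. html.escape
    handles & < > " ' and the forward slash is encoded separately."""
    return html.escape(value, quote=True).replace("/", "&#x2F;")


def render_profile_unsafe(display_name: str) -> str:
    """Negative pattern: the user-supplied value goes into the page as-is."""
    return f"<p>Hello, {display_name}</p>"


def render_profile_safe(display_name: str) -> str:
    """Positive pattern: every user-supplied value is escaped at output time."""
    return f"<p>Hello, {escape_html_element(display_name)}</p>"


def dynamic_fragment(render, value: str) -> str:
    """Isolate the part of the output that came from `value` by diffing a
    render of `value` against a render of the empty string. Assumes the
    template is static prefix + value + static suffix, as both templates
    above are; the canary contains no part of the template, so the common
    prefix/suffix is exactly the static part."""
    empty, full = render(""), render(value)
    p = 0
    while p < len(empty) and p < len(full) and empty[p] == full[p]:
        p += 1
    s = 0
    while (s < len(empty) - p and s < len(full) - p
           and empty[-1 - s] == full[-1 - s]):
        s += 1
    return full[p:len(full) - s]


# Anything a browser would treat as markup inside element content: a raw
# < > " ' or /, or an ampersand that does not start an entity reference.
_UNENCODED = re.compile(r"""[<>"'/]|&(?![#a-zA-Z0-9]+;)""")


def verify_output_escaping(render) -> bool:
    """Positive verification of 'all HTML output that includes user-supplied
    input is properly escaped' for one template function: render the canary
    and require that no special character survives unencoded."""
    return _UNENCODED.search(dynamic_fragment(render, CANARY)) is None


if __name__ == "__main__":
    for name, render in (("unsafe", render_profile_unsafe),
                         ("safe", render_profile_safe)):
        print(f"{name}: {render(USER_INPUT)}")
        print(f"  escaping requirement met: {verify_output_escaping(render)}")
```

The point of diffing against an empty render is that the check treats the template as a black box, which is what a tool- and technique-independent requirement asks for: the same `verify_output_escaping` call can be pointed at any function that returns a page, whatever framework produced it.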


What are ASVS reporting requirements?

R1 Report Introduction
R2 Application Description
R3 Application Architecture
R4 Verification Results

Is the report sufficiently detailed to make verification repeatable?
Is there enough information to determine if the verification was accurate and complete?



How do I get started using ASVS?

Buyer and seller: agree how technical security requirements will be verified by specifying a level from 1 to 4
Perform an initial verification of the application

Using ASVS requires planning, and in that respect is just like any other testing exercise!


How do I get started using ASVS? (continued)

Develop and execute a remediation strategy
Re-verify after fixes are made (repeat as necessary)
Develop a strategy to add verifications into the SDLC as regular activities

Tip: don't scare people when you present your findings! Be specific. Propose a specific fix or a workaround, if able.


Integrating ASVS into your SDLC(Outsourcing not required)



Where can I find help getting started using ASVS?

You can find information on the ASVS Project Page, where there are articles at the bottom of the page:
http://www.owasp.org/index.php/ASVS


Where can I get a copy of ASVS, and talk to people using ASVS?

You can download a copy from the ASVS Project page:
http://www.owasp.org/index.php/ASVS

You can send comments and suggestions for improvement using the project mailing list: see the Mailing List/Subscribe link on the project web page.

Tell us how your organization is using the OWASP ASVS. Include your name, your organization's name, and a brief description of how you are using the ASVS.

Tip: Subscribe to the OWASP ASVS mailing list!
Owasp-Application-Security-Verification-S[email protected]


Questions?