About OWASP ASVS - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

About OWASP ASVS

Description:

... found that all application security tool vendors' claims put together cover ... for malicious code (not malware) and examining how security controls work. ... – PowerPoint PPT presentation

Number of Views:594
Avg rating:3.0/5.0
Slides: 26
Provided by: owasp
Category:

less

Transcript and Presenter's Notes

Title: About OWASP ASVS


1

About the
2
What questions does ASVS answer?
?
  • How do I know how much trust can be placed in a
    web application or web service?
  • How do I know what features to build into
    security controls used by a web application or
    web service?
  • How do I acquire a web application or web service
    that is verified to have a certain range in
    coverage and level of rigor?

?
?
3
How is the ASVS intended to be used?
  • It can be used to provide a yardstick with which
    to assess the degree of trust that can be placed
    in their web applications and services,
  • It can be used to provide guidance to security
    control developers as to what to build into their
    commercial products in order to satisfy web
    application and service security requirements,
    and
  • It can be used to provide a basis for specifying
    web application and web service security
    requirements in contracts.

?
?
?
4
What is the status of the ASVS as an OWASP
standard?
  • OWASP SoC 08 RFP March, 2008
  • ASVS proposal accepted April, 2008
  • ASVS Alpha draft released October, 2008

5
What does the ASVS look like?
  • Verification Levels section
  • Detailed Verification Requirements section
  • Verification Reporting Requirements section

6
What are ASVS verification levels?
7
Earning a level
8
Levels in more detail
  • Level 1 Automated Verification
  • Level 1A Dynamic Scans (Partial Automated
    Verification)
  • Level 1B Source Code Scans (Partial Automated
    Verification)
  • Level 2 Manual Verification
  • Level 2A Manual Pentesting (Partial Manual
    Verification)
  • Level 2B Manual Source Code Review (Partial
    Manual Verification)
  • Level 3 Design Verification
  • Level 4 Internal Verification

9
Coverage
Depth Level of Rigor
?
Breadth Number of Requirements
?
?
?
10
Level 1 in more detail
  • Automated verification of a web application or
    web service treated as groups of components
    within single monolithic entity.

11
Application Security Verification Techniques
Find Vulnerabilities Using the Running
Application
Find Vulnerabilities Using the Source Code
Manual ApplicationPenetration Testing
Manual SecurityCode Review
Automated Application Vulnerability Scanning
Automated Static Code Analysis
12
Tools At Best 45
  • MITRE found that all application security tool
    vendors claims put together cover only 45 of
    the known vulnerability types (695)
  • They found very little overlap between tools, so
    to get 45 you need them all (assuming their
    claims are true)

13
Level 2 Options
  • Level 2AManual Penetration Test
  • Level 2BManual Code Review
  • Need BOTH to achieve a full level 2
  • But requirements can be filled by either

14
Level 2 in more detail
  • Manual verification of a web application or web
    service organized into a high-level architecture.

15
Level 2 Options
  • Level 2AManual Penetration Test
  • Level 2BManual Code Review
  • Need BOTH to achieve a full level 2
  • But requirements can be filled by either

16
Level 3 in more detail
  • Design verification of a web application or web
    service organized into a high-level architecture.

17
Level 4 in more detail
  • Internal verification by searching for malicious
    code (not malware) and examining how security
    controls work.

18
What are ASVS verification requirements?
  • Security architecture verification requirements
  • Security control verification requirements

Security architecture information puts
verification results into context and helps
testers and reviewers to determine if the
verification was accurate and complete?
?
19
What are ASVS verification requirements?
  • Verification requirements
  • V1 Security Architecture Verification
    Requirements
  • V2 Access Control Verification Requirements
  • V3 Authentication Verification Requirements
  • V4 Session Management Verification Requirements
  • V5 Input Validation Verification Requirements
  • V6 Output Encoding/Escaping Verification
    Requirements
  • V7 Cryptography Verification Requirements
  • V8 Error Handling and Logging Verification
    Requirements
  • V9 Data Protection Verification Requirements
  • V10 Communication Security Verification
    Requirements
  • V11 HTTP Verification Requirements
  • V12 Security Configuration Verification
    Requirements
  • V13 Malicious Code Search Verification
    Requirements
  • V14 Internal Security Verification Requirements

20
A positive approach
  • Negative
  • The tester shall search for XSS holes
  • Positive
  • The tester shall verify that the application
    performs input validation and output encoding on
    all user input

21
Requirement Summary
22
What are ASVS reporting requirements?
  • R1 Report Introduction
  • R2 Application/Service Description
  • R3 Application/Service Security Architecture
  • R4 Verification Results

?
Is the report sufficiently detailed to make
verification repeatable? Does the report have
sufficient types of information to allow a
reviewer to determine if the verification was
accurate and complete?
?
23
Where do I go from here?
  • You can download a copy from the project web
    page
  • http//www.owasp.org/index.php/ASVS
  • You can send comments and suggestions for
    improvement using the project mailing list
  • See Mailing List/Subscribe link on project web
    page.

24
(No Transcript)
25
Write a Comment
User Comments (0)
About PowerShow.com