
OWASP Application Security Assessment Standards Project


Presentation Transcript


  1. OWASP Application Security Assessment Standards Project
     Cliff Barlow, Assessment Standards Project Lead
     Director Security Services, KoreLogic, Inc.
     cliff.barlow@korelogic.com, 269.982.1707

  2. Presentation Agenda
     • Impetus for Project
     • Project Objectives
     • Project Roadmap
     • Progress To Date
     • The Guts
     • The Road Ahead
     • How You Can Help

  3. Project Impetus
     • Current lack of standardization over what constitutes an application security assessment
     • No single set of criteria being referenced
     • Lots of definitions, little consistency in what differing assessment techniques constitute
     • Build a standard that will be flexible in design to accommodate a range of security assurance levels
     • Keep standard from placing requirements on any party
     • Ensure standard makes recommendations about what should be done to be consistent with what the OWASP community believes is best practice
     • Who better than OWASP to create this standard?
     • If OWASP doesn’t, will someone else impose one on us?

  4. Project Objectives
     • Create standards defining a baseline approach to conducting differing levels of application assessment
     • Establish common, consistent methods for application assessments that organizations can use as guidance on:
       • What tasks should be completed;
       • How the tasks should be completed;
       • Who should be involved; and,
       • What level is appropriate based on business requirements.
     • Will not define how to technically conduct an assessment; instead meant to tie business practices to application security in order to establish common, consistent guidance in conducting assessments
     • Adhering to standards increases consumer confidence that an assessment meets the industry agreed-upon approach

  5. Project Roadmap
     [Timeline chart: Sept 2006 through May 2007]
     • Phase I – Project Approach: Comment period for proposed project approach, solicit contributor support
     • Phase II – Application Assessment Definitions: Establish core definitions to ensure common base terminology
     • Phase III – Assessment Context: Establish assessment context, selection, qualification and process frameworks
     • Phase IV – Assessment Levels: Establish a common set of application assessment levels to be used as business guidance to ensure assessments are conducted to the appropriate level
     • Phase V – OWASP Integration: Document integration and linkages with other OWASP projects
     Schedule Can Only Be Met With Volunteer Help!

  6. Assessment Standards Project Status
     • Phase I
       • Develop Project Approach
       • Define Common Business Application Types
       • Define Assessment Techniques
     • Phase II
       • Define Standard Assessment Process Framework
       • Establish Assessor Qualification Criteria Per Level (1)
       • Define Assessment Scope Per Level (1)
     • Phase III
       • Define Business End Preparation For Assessment
       • Establish Wherein SDLC Assessment Components Lie (1)
     • Phase IV
     (1) – Can establish baseline now but will need further detail post Phase IV
     Legend: [ Stub Started – Open to Comment And Edit ] [ Stub Needed – Open to Contribution ]

  7. The Path Forward
     • Phase IV – Assessment Levels:
       • Establish assessment level system decision criteria
       • Analysis and documentation of corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.)
       • Establish assessment levels based on Phase II and III
       • Define assessment depth, testing components required and tools usage per level (not products)
       • Establish guidance parameters to allow organizations to determine the appropriate assessment level based on the business application to be assessed
     • Phase V – OWASP Integration: Document integration and linkages with other OWASP projects.

  8. Key Determinants To Assessment Levels
     • Business Criticality
     • Expected Security Assurance
     • Testing Requirements
     • Accredited/Certified App
     • Independent 3rd Party Required
     • Easily Understood By The Business Layman
     • ?
     • What Needed To Get There
       • Decision Criteria – How Do We Get To Agreement
       • Decision Criteria – How Does Layman Determine Which Level They Should Use

  9. The Guts of Project… Assessment Levels
     [Chart: Security Assessment Techniques – Relative Depth (marked “?” on the slide)]
     • X axis: Business Criticality (Impact of Loss) (Defined by Business), scale 0–5
     • Y axis: Expected Security Assurance (Assessment Depth – Expected Level of Security) (Defined by Corporate Security), scale 0–5
     • Techniques plotted: Threat Analysis & Architecture Review (Analyst); External App Scan (Tool); Auto Source Code Review (Tool); Manual Penetration Testing (Specialist); Manual Security Code Review (Specialist)

  10. The Guts of Project… Assessment Levels – One Approach… Details to be developed
     [Chart: levels AL1 through AL6 plotted over Business Criticality (Defined by Business, 0–5) and Expected Security Assurance (Defined by Corporate Security, 0–5)]
     • AL1: Architecture Review/Threat Analysis – Design level review to identify critical assets, sensitive data stores and business critical interconnections. In addition to architecture reviews is threat analysis to determine potential attack vectors, which could be used in testing.
     • AL2: Quick Hit Application Security Check – Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification.
     • AL3: Basic Application Security Check – AL2 + verification and validation of scan results. Security areas not scanned (encryption, access control, etc.) must be lightly tested or code reviewed.

  11. The Guts of Project… Assessment Levels – One Approach… Details to be developed
     [Chart: levels AL1 through AL6 plotted over Business Criticality (Defined by Business, 0–5) and Expected Security Assurance (Defined by Corporate Security, 0–5)]
     • AL4: Standard Application Security Verification – AL3 + verification of common security mechanisms and common vulnerabilities using either manual penetration testing or code review or both. Not all instances of problems found – sampling allowed.
     • AL5: Enhanced Application Security Verification – AL1 + AL3 + verification of all security mechanisms and vulnerabilities based on threat analysis model using either manual penetration testing or code review or both.
     • AL6: Comprehensive Application Security Verification – AL1 + AL4 + search for malicious code. All code must be manually reviewed against a standard and all security mechanisms tested.

  12. Help…
     • We hope you find the OWASP Application Security Assessment Standards Project useful
     • Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org
     • To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page http://lists.owasp.org/mailman/listinfo/owasp-appsec-standards