[Owasp-legal] Proposed ASVS enhancements to the OWASP Secure Software Contract Annex

Boberski, Michael [USA] boberski_michael at bah.com
Thu Jan 22 14:07:14 EST 2009


Done!

ASVS article "How to specify verification requirements in contracts"
updated.

HTML contract annex 3(e) updated.

Word contract annex 9(e) updated.

Mike B.
 

-----Original Message-----
From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Thursday, January 22, 2009 1:53 PM
To: Boberski, Michael [USA]; owasp-legal at lists.owasp.org
Cc: owasp-application-security-verification-standard at lists.owasp.org
Subject: RE: [Owasp-legal] Proposed ASVS enhancements to the OWASP
Secure Software Contract Annex

Perfect. I think we should also link to the ASVS, like this...

... of an agreed upon standard (such as the OWASP ASVS)...

With a link.  Can you make the change?  Thanks,

--Jeff

-----Original Message-----
From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
Sent: Thursday, January 22, 2009 1:39 PM
To: jeff.williams at owasp.org; owasp-legal at lists.owasp.org
Cc: owasp-application-security-verification-standard at lists.owasp.org
Subject: RE: [Owasp-legal] Proposed ASVS enhancements to the OWASP
Secure Software Contract Annex

Jeff, to pick this thread back up again,
 
How about something a little more surgical as well as less prescriptive:
 
How about limiting the scope of the proposed updates to updating the
text of 9(e) to read:
 
"(e) Security Analysis and Testing. Developer will perform application
security analysis and testing (also called "verification") according to
the verification requirements of an agreed-upon standard. The Developer
shall document verification findings according to the reporting
requirements of the standard. The Developer shall provide the
verification findings to Client."
 
Mike B.
 
 

________________________________

From: Jeff Williams [mailto:jeff.williams at owasp.org]
Sent: Saturday, December 20, 2008 9:48 AM
To: Boberski, Michael [USA]; owasp-legal at lists.owasp.org
Cc: owasp-application-security-verification-standard at lists.owasp.org
Subject: RE: [Owasp-legal] Proposed ASVS enhancements to the OWASP
Secure Software Contract Annex



Hi Mike,

I think this is a good idea, but I'd like to make it less prescriptive.
I'd like to refer to the ASVS without requiring it.  Or perhaps it would
be good to have a longer section near the top that describes how the
ASVS can be used in an acquisition scenario.  Thanks,

--Jeff

Jeff Williams, Chair
The OWASP Foundation <http://www.owasp.org/>
work: 410-707-1487
main: 301-604-4882


From: owasp-legal-bounces at lists.owasp.org
[mailto:owasp-legal-bounces at lists.owasp.org] On Behalf Of Boberski,
Michael [USA]
Sent: Thursday, December 11, 2008 2:08 PM
To: owasp-legal at lists.owasp.org
Cc: owasp-application-security-verification-standard at lists.owasp.org
Subject: [Owasp-legal] Proposed ASVS enhancements to the OWASP Secure
Software Contract Annex

 

Hello,

I would like to propose changes to the OWASP Secure Software Contract
Annex, but I'm not sure of the best way to go about this.

I propose updating it to make use of the newly-released OWASP ASVS.

Proposed change #1:

I propose updating section 3 so that its contents read:

This agreement uses predefined levels that define ranges in coverage and
levels of rigor as defined in the OWASP Application Security
Verification Standard (ASVS). The "level of rigor" for the agreement may
be selected by a software development organization by specifying an ASVS
level. The ASVS defines four levels of verification that increase in
both breadth and depth as one moves up the levels.  The breadth is
defined in each level by a set of security requirements that must be
addressed.  The depth of the verification is defined by the approach and
level of rigor required in verifying each security requirement.


Proposed change #2:

I propose updating section 9, bullet (e) so that its contents read:

Security Analysis and Testing. Developer agrees to provide and follow a
security test plan that defines an approach for performing a level
<insert ASVS level here> verification according to OWASP Application
Security Verification Standard - Web Edition 2008 (Beta), December 2008.
The range in coverage and level of rigor of this activity are defined in
the referenced standard. Developer will execute the verification and
provide the test results to Client according to the reporting
requirements which are also defined in the referenced standard.

Proposed change #3:

I propose updating section 10, first paragraph, so that its contents
read:

OWASP Application Security Verification Standard defines topic areas
that must be considered during the risk understanding and requirements
definition activities for the targeted verification level. This effort
should produce a set of specific, tailored, and testable requirements.
Both Developer and Client should be involved in this process and must
agree on the final set of requirements.

In addition, the requirements shall include a set of specific
vulnerabilities that shall not be found in the software. If not
otherwise specified, then the software shall not include any of the
flaws described in the current "OWASP Top Ten Most Critical Web
Application Vulnerabilities."

In addition, as part of proposed change #3, I propose deleting section 10
bullets (a) - (j).

Proposed change #4:

I propose updating section 11, to add a bullet (d), so that its contents
read:

Verifier. Developer will be responsible for providing a person or team
to review the web application against the OWASP Application Security
Verification Standard requirements.

Best regards,

Mike B.
