[Owasp-alabama] old news, new news?

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Thu Feb 11 13:35:11 EST 2010


On Feb 11, 2010, at 12:16 PM, owasp-alabama at lists.owasp.org wrote:

> This actually brings up a good question. Currently, I'm used to doing milestone based code reviews, then a dynamic assessment at the end of a project before certifying it.
> How do you guys interpret ASVS integrating into it?

I think the ASVS is good from the perspective of 'someone else is saying this versus consultant company x trying to bill more hours', while giving more substance that breadth and depth are good for a complete review.

> Also, would ASVS be more or less time than what you do today?

I think from a consultant's perspective, where this is directly billable time to a client, this dramatically increases the assessment effort while introducing less subjective measures for 'secure vs. insecure', which is primarily based on the vulnerability classes discovered by the assessor. 

1) To answer your question, it would introduce more time for clients who only want a quick assessment. I find most customers want a quick and dirty 5-7 day engagement versus an ongoing process. 

2) Some clients want an ongoing process. 

3) The clients that do want a more ongoing process are already asking the next questions of an assessment: How do I beef up my SDLC? How can I fuzz or test my own environment? How can I perform threat modeling in the design? When can we do a code review next? ... From these types of engagements/clients the framework offers great value regardless of time, considering they are pursuing security a bit more than the guy next to them. This process helps them with their goals as well as the expectations to place on assessment firms.


:P Even though the grading is numeric, I can see this easily being translated to an A-D grading system, with F failing, which is nice for customers who want letters versus numbers. 


| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"