[Owasp-alabama] old news, new news?
owasp-alabama at lists.owasp.org
Thu Feb 11 13:50:13 EST 2010
So as far as using the ASVS, I find it to be appropriate for more general
type documentation. The problem I run into is when more information is
necessary, for example:
V5.1 Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows.
When developing a standardized process, this simply isn't enough information
or detail. It leaves a number of things hanging out there:
1) Whose responsibility is this?
2) What methods were used to 'ensure' that this was truly mitigated?
3) What methods were used to test and validate that they didn't exist in a live-fire?
4) What about variations in risk dealing (accept, mitigate, transfer)?
So what I'm getting at here is that I LOVE the ASVS, and I've worked with Mike
(the guy who wrote it) quite a bit. Problem is, there isn't a link to
anything outside of it to provide additional guidance. Hence, this:
This project is one I plan to lead, once it is off the ground. Its primary
goal is to link all available resources to each other, so ASVS 5.1 ==
OWASP-DV-004 (testing guide) or whatever.
CISSP, MCSE, C|EH, CIFI, CGSP
"Si vis pacem, para bellum"
On Thu, Feb 11, 2010 at 12:35 PM, <owasp-alabama at lists.owasp.org> wrote:
> On Feb 11, 2010, at 12:16 PM, owasp-alabama at lists.owasp.org wrote:
> > This actually brings up a good question. Currently, I'm used to doing
> > milestone based code reviews, then a dynamic assessment at the end of a
> > project before certifying it.
> > How do you guys interpret ASVS integrating into it?
> I think the ASVS is good from the perspective of 'someone else is saying
> this versus consultant company x trying to bill more hours', while giving
> more substance that breadth and depth are good for a complete review.
> > Also, would ASVS be more or less time than what you do today?
> I think from a consultant's perspective, where this is directly billable
> time to a client, this dramatically increases the assessment effort while
> introducing less subjective measures for 'secure vs insecure', which is
> primarily based on vulnerability classes discovered by the assessor.
> 1) To answer your question, it would introduce more time for clients who
> only want a quick assessment. I find most customers want a quick and dirty
> 5-7 day engagement versus an ongoing process.
> 2) Some clients want an ongoing process.
> 3) The clients that do want a more ongoing process are already asking the
> next questions of an assessment - How do I beef up my SDLC, how can I fuzz
> or test my own environment, how can I perform threat modeling in the design,
> and when can we do a code review next... From these types of
> engagements/clients the framework offers a great value regardless of time,
> considering they are pursuing security a bit more than the guy next to them.
> This process helps them with their goals as well as expectations to place on
> assessment firms.
> :P Even though the grading is numeric, I can see this easily being
> translated to a grading system A-D, with F failing, which is nice for customers who
> want letters versus numbers.
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | http://www.packetninjas.net
> | c. 205.567.6850 | o. 866.267.8851
> "Moments of sorrow are moments of sobriety"
> Owasp-alabama mailing list
> Owasp-alabama at lists.owasp.org