[Owasp-leaders] OWASP Appsec Standard

abbas.naderi at owasp.org
Wed Mar 25 21:27:48 UTC 2015


I have seen firms provide ASVS compliance certificates. As long as they do not claim it's certified by OWASP it's fine (they can say it's based on OWASP ASVS).
-A
> On Mar 25, 2015, at 5:21 PM, Mohamed Alfateh <mohamed.alfateh at owasp.org> wrote:
> 
> To be certified with PCI/DSS, a QSA will perform the audit, generate a ROC (Report on Compliance) and then give you a certificate, but you have to register with the PCI council and also pay the certificate fees.
> 
> ASVS is perfect, I have used it several times, but the idea is how to say "My application is ASVS compliant", similar to PA/DSS? How to perform a "reliable" audit against ASVS? And also how to do that and avoid the certification vs open conflict :)
> 
> It is just a thought :)
> 
> --
> Fateh
> 
> On Wed, Mar 25, 2015 at 10:47 PM, McGovern, James <james.mcgovern at hp.com> wrote:
> We would need to "certify" the auditors (QSAs). I tried leading a people-oriented certification program several years back but was challenged due to the conflict of certification vs open...
> 
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mohamed Alfateh
> Sent: Wednesday, March 25, 2015 4:24 PM
> To: Jim Manico
> Cc: OWASP Leaders
> Subject: Re: [Owasp-leaders] OWASP Appsec Standard
> 
> The idea is to give a certificate upon compliance with the standard's requirements.
> I don't think we need that extensive infrastructure; we may need to prepare details for the auditing criteria.
> 
> For PCI, the council is responsible for releasing the standard and giving the certificate of compliance; the auditing itself is done through other qualified entities.
> 
> On Wed, Mar 25, 2015 at 8:28 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
> Certification? That requires extensive infrastructure and setup.
> 
> Standard? Check out the OWASP ASVS Standard....
> 
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
> 
> > On Mar 25, 2015, at 12:18 PM, Mohamed Alfateh <mohamed.alfateh at owasp.org> wrote:
> >
> > Dear all,
> >
> > I had a conversation with one of our chapter members regarding application security standards.
> > He asked me: why don't we have an OWASP AppSec standard and certification similar to PA/DSS?
> > I think OWASP is more trusted when it comes to application security. OWASP already has many projects that include information better than PA/DSS. Also, this could be a good revenue source for OWASP.
> >
> > What do you think about this?
> >
> > --
> > Fateh
> 
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
