[Owasp-legal] Proposed ASVS enhancements to the OWASP Secure Software Contract Annex

Boberski, Michael [USA] boberski_michael at bah.com
Thu Dec 11 14:07:30 EST 2008


Hello,
 
I would like to propose changes to the OWASP Secure Software Contract
Annex, but I'm not sure of the best way to go about this. 
 
I propose updating it to make use of the newly-released OWASP ASVS.
 
Proposed change #1: 
 
I propose updating section 3 so that its contents read:
 
This agreement uses predefined levels that define ranges in coverage and
levels of rigor as defined in the OWASP Application Security
Verification Standard (ASVS). The "level of rigor" for the agreement may
be selected by a software development organization by specifying an ASVS
level. The ASVS defines four levels of verification that increase in
both breadth and depth as one moves up the levels. The breadth is
defined in each level by a set of security requirements that must be
addressed. The depth of the verification is defined by the approach and
level of rigor required in verifying each security requirement.
 
Proposed change #2:
 
I propose updating section 9, bullet (e) so that its contents read:
 
Security Analysis and Testing. Developer agrees to provide and follow a
security test plan that defines an approach for performing a level
<insert ASVS level here> verification according to OWASP Application
Security Verification Standard - Web Edition 2008 (Beta), December 2008.
The range in coverage and level of rigor of this activity are defined in
the referenced standard. Developer will execute the verification and
provide the test results to Client according to the reporting
requirements which are also defined in the referenced standard. 
 
Proposed change #3:
 
I propose updating section 10, first paragraph, so that its contents
read:
 
OWASP Application Security Verification Standard defines topic areas
that must be considered during the risk understanding and requirements
definition activities for the targeted verification level. This effort
should produce a set of specific, tailored, and testable requirements.
Both Developer and Client should be involved in this process and must
agree on the final set of requirements.

In addition, the requirements shall include a set of specific
vulnerabilities that shall not be found in the software. If not
otherwise specified, then the software shall not include any of the
flaws described in the current "OWASP Top Ten Most Critical Web
Application Vulnerabilities."

In addition, as part of proposed change #3, I propose deleting section 10
bullets (a) - (j).
 
Proposed change #4:
 
I propose updating section 11, to add a bullet (d), so that its contents
read:
 
Verifier. Developer will be responsible for providing a person or team
to review the web application against the OWASP Application Security
Verification Standard requirements. 
 
Best regards,
 
Mike B.