[Owasp-legal] Proposed ASVS enhancements to the OWASP Secure Software Contract Annex

Jeff Williams jeff.williams at owasp.org
Sat Dec 20 09:47:37 EST 2008


Hi Mike,


I think this is a good idea, but I'd like to make it less prescriptive.  I'd
like to refer to the ASVS without requiring it.  Or perhaps it would be good
to have a longer section near the top that describes how the ASVS can be
used in an acquisition scenario.  Thanks,


--Jeff


Jeff Williams, Chair

The OWASP Foundation <http://www.owasp.org/> 

work: 410-707-1487

main: 301-604-4882


From: owasp-legal-bounces at lists.owasp.org
[mailto:owasp-legal-bounces at lists.owasp.org] On Behalf Of Boberski, Michael
[USA]
Sent: Thursday, December 11, 2008 2:08 PM
To: owasp-legal at lists.owasp.org
Cc: owasp-application-security-verification-standard at lists.owasp.org
Subject: [Owasp-legal] Proposed ASVS enhancements to the OWASP Secure
Software Contract Annex


Hello,


I would like to propose changes to the OWASP Secure Software Contract Annex,
but I'm not sure of the best way to go about this. 


I propose updating it to make use of the newly-released OWASP ASVS.


Proposed change #1: 


I propose updating section 3 so that its contents read:


This agreement uses predefined levels that define ranges in coverage and
levels of rigor as defined in the OWASP Application Security
Verification Standard (ASVS). The "level of rigor" for the agreement may be
selected by a software development organization by specifying an ASVS level.
The ASVS defines four levels of verification that increase in both breadth
and depth as one moves up the levels.  The breadth is defined in each level
by a set of security requirements that must be addressed.  The depth of the
verification is defined by the approach and level of rigor required in
verifying each security requirement. 


Proposed change #2:


I propose updating section 9, bullet (e) so that its contents read:


Security Analysis and Testing. Developer agrees to provide and follow a
security test plan that defines an approach for performing a level <insert
ASVS level here> verification according to OWASP Application Security
Verification Standard - Web Edition 2008 (Beta), December 2008. The range in
coverage and level of rigor of this activity are defined in the referenced
standard. Developer will execute the verification and provide the test
results to Client according to the reporting requirements which are also
defined in the referenced standard. 


Proposed change #3:


I propose updating section 10, first paragraph, so that its contents read:


OWASP Application Security Verification Standard defines topic areas that
must be considered during the risk understanding and requirements definition
activities for the targeted verification level. This effort should produce a
set of specific, tailored, and testable requirements. Both Developer and
Client should be involved in this process and must agree on the final set of
requirements.

In addition, the requirements shall include a set of specific
vulnerabilities that shall not be found in the software. If not otherwise
specified, then the software shall not include any of the flaws described in
the current "OWASP Top Ten Most Critical Web Application Vulnerabilities."

In addition as part of proposed change #3, I propose deleting section 10
bullets (a) - (j).


Proposed change #4:


I propose updating section 11, to add a bullet (d), so that its contents
read:


Verifier. Developer will be responsible for providing a person or team to
review the web application against the OWASP Application Security
Verification Standard requirements. 


Best regards,


Mike B.
