[Owasp-testing] ASVS compliance
rasiak76 at live.co.uk
Wed Sep 22 11:49:18 EDT 2010
In recent times our organisations Web development team asked our Internal Audit and Risk Management department if there were any industry best practice standards they should be adhering to around web development, or anything that they can reference in web development guides, and work towards in developing web applications with security in mind.
At the time this was researched in great detail, and the only thing we could find and that was recommended that really ticked this box was OWASP ASVS. We agreed in principal that due to the type of applications we both develop and buy in, that they should all ideally be fully complaint with OWASP ASVS Level 2.
With this in mind, our Web development team accordingly updated the web development policy to adhere to OWASP ASVS. Main issue being, some web applications used by our organisation are not internally developed, and in many cases are purchased from 3rd parties, and hosted externally.
In a nutshell, we are having real issues with 3rd parties and trying to gauge their web applications compliance with OWASP ASVS. Many have never heard of OWASP ASVS, many claim “this OWASP ASVS is an excessive and ridiculous level of control, nobody can be expected to comply with all of this anywhere” etc etc, so I was wondering if anyone on the mailing lists has been in a similar position when dealing with these 3rd parties and how you deal with them, or whether you are only responsible for internal developments as opposed to handling negotiations for 3rd party application providers.
The main questions I wanted to run by the list was:
a) OWASP ASVS is basically a detailed code review and penetration test. Have you come across 3rd party penetration testing companies who provide OWASP ASVS compliance audits? If so can you provide some details? Is this a common service offered these days?
b) Do you reference OWASP ASVS is your organisations internal web development policies, or is there any other industry standard document that you have come across? I’ve yet to come across any other organisation that references OWASP ASVS in any web development or web security policy, so just knowing that we aren’t out on a whim asking for OWASP ASVS 2 compliance would be reassuring to say the least!
c) If you have any involvement in testing a 3rd parties compliance to OWASP ASVS for any 3rd party apps your sector/organisation buys in, how do you go about checking for OWASP ASVS compliance? I.e. do you request copies of independent penetration testing and then review the scope, or ask for documented evidence that issues found in the pen test have been remediated? Or do you have a different approach, i.e. ask for some documented compliance per OWASP ASVS control etc, and then manually verify a sample of these controls?
d) Do you know anyone organisations who reference OWASP ASVS in their own internal web development policies that you could give me a contact for? Maybe you are on this list?
Any response would be greatly appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-testing