[Owasp-webcert] OWASP Evaluation and Certification Criteria

Mark Curphey mark at curphey.com
Wed Aug 1 11:47:47 EDT 2007

Today's update. I have not been able to make as much progress as I wanted
yesterday and today. I now expect to finish the technology section

This does not yet have Andres' comments included. Ignore all grammar at this

Again, to reiterate, the concept here is to provide a core standard which
organizations of all types can configure for their own use. That may be Bank
A, Bank B or even a scheme such as the PayPal Users Association. I will
configure a reference implementation myself and we can call it the OWASP
Reference and add it to an Appendix. If we get into the game of arguing whether
a strong password should be 6 or 16 chars then we'll never get anywhere fast.

Also, please remember this is a discussion document, proposing a better way
to do web evaluation and certification than is out there today. This is not
a build standard or a complete guide. Once I get this rev out of the door we
can all sit around a table face to face at the next OWASP conference and
work out the next steps to turn this into something real. There are great
opportunities to hook this into the testing guide for issues and have them
all dynamically update and keep current.

Assurance Levels

I am proposing that for the Evaluation of the Technology section we simplify it
to 4 broad methods that will equate to 4 levels of assurance. Without sounding
BS'ish, I want to avoid boiling the ocean (there, I used a phrase I hate).

1. Manual Code Inspection
2. Automated Code Inspection
3. Manual Penetration Testing
4. Automated Penetration Testing

Each technique would be specified for an assurance level for each individual
issue and not as a blanket (manual review provides high assurance for

Andres' points about wanting to test throughout the lifecycle will be
addressed by the Process part that will follow. In there we may have
different techniques such as Threat Modeling. This way people can also just
adopt the Technology part now and work towards the real deal later. This is
a gentler learning curve and will likely see faster adoption, as it will be
less initial pain.

OK enough already.  It's too damn hot here and I am off for a swim.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP Evaluation and Certification Criteria.doc
Type: application/msword
Size: 453120 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-webcert/attachments/20070801/57c02fa7/attachment-0001.doc 

More information about the Owasp-webcert mailing list