[Owasp-webcert] OWASP Evaluation and Certification Criteria
jeff.williams at aspectsecurity.com
Wed Aug 1 12:41:14 EDT 2007
Did you mean that the different techniques are the same as the assurance
levels? Or that for each requirement, the standard will specify which
techniques are required to gain, say, high assurance?
We started something along these lines for discussion over a year ago at
. Here's the summary...
AL1: Partial Application Security Check
Automated scans (either external vulnerability scan or code scan or
both) with minimal interpretation and verification.
AL2: Basic Application Security Check
AL1 + verification of scan results using manual penetration testing and
code review. Security areas not scanned (encryption, access control,
etc...) must be lightly tested or code reviewed.
AL3: Standard Application Security Verification
AL2 + verification of common security mechanisms and common
vulnerabilities using either manual pentesting or code review or both.
Not all instances of problems found. Sampling allowed.
AL4: Enhanced Application Security Verification
AL3 + verification of all security mechanisms and vulnerabilities based
on high level threat model (part of assessment if not provided) using
either manual pentest or code review or both.
AL5: Comprehensive Application Security Verification
AL4 + search for malicious code. All code must be manually reviewed
against a standard and all security mechanisms tested.
I think a per-requirement specification of what techniques are required
to achieve a particular assurance level is a good idea.
From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Mark Curphey
Sent: Wednesday, August 01, 2007 11:48 AM
To: owasp-webcert at lists.owasp.org
Subject: [Owasp-webcert] OWASP Evaluation and Certification Criteria
Today's update. I have not been able to make as much progress as I wanted
yesterday and today. I now expect to finish the technology section
This does not yet have Andres' comments included. Ignore all grammar at
Again, to reiterate, the concept here is to provide a core standard from
which organizations of all types can configure for their own use. That
may be Bank A, Bank B or even a scheme such as the PayPal Users
Association. I will configure a reference implementation myself and we
can call it the OWASP Reference and add it to an Appendix. If we get
into the game of arguing if a strong password should be 6 or 16 chars
then we'll never get anywhere fast.
Also please remember this is a discussion document, proposing a better
way to do web evaluation and certification than what is out there today. This
is not a build standard or a complete guide. Once I get this rev out of
the door we can all sit around a table face to face at the next OWASP
conference and work out the next steps to turn this into something real.
There are great opportunities to hook this into the testing guide for
issues and have them all dynamically update and keep current.
I am proposing for the Evaluation of the Technology section we simply it
4 broad methods that will equate to 4 levels of assurance. Without
sounding BS'ish I want to avoid boiling the ocean (there I used a phrase
1. Manual Code Inspection
2. Automated Code Inspection
3. Manual Penetration Testing
4. Automated Penetration Testing
Each technique would be specified for an assurance level for each
individual issue and not a blanket (manual review provides high
assurance for everything).
Andres' points about wanting to test throughout the lifecycle will be
addressed by the Process part that will follow. In there we may have
different techniques such as Threat Modeling. This way people can also
just adopt the Technology part now and work towards the real deal later.
This is a gentler learning curve and will likely see faster adoption as
it will be less initial pain.
OK enough already. It's too damn hot here and I am off for a swim.