[Owasp-webcert] OWASP Evaluation and Certification Criteria

Mark Curphey mark at curphey.com
Thu Aug 16 08:26:25 EDT 2007


Hi Brian,

 

First off, I plan to do the examples next, so I think much of this will become
clearer. The more I think about this the more I like this approach, as it
does allow us to be specific where specificity is needed (i.e. passwords
must be hashed) but generic enough to allow people to build their own
standards for unique cases. This seems to be a good balance of "both
worlds". I will start working on the examples (which will be really quick to
do) as soon as I have this completed.

 

I get your two points about the eBay auction scenario and about the need for
even stricter controls for specific applications. From my lens I think the
first is fairly straightforward in that we must define the scope of the
security of the application functionality and not the business functionality,
i.e. we care that no one can modify bids by subverting the application logic
itself, but we can't specify the business logic, i.e. business rules. I know
business logic and application logic are often mixed up, but I think you see
my point. I am totally open to the wisdom of crowds, but I have no idea how
you would describe a control to specify generic business logic. Totally open
to suggestions.

 

As for the stricter controls for, say, a military app, this is an excellent
point. I have always been working backwards, i.e. derive from the generic
control, configure it with appropriate settings and have a human mechanism
in place for controls that just aren't relevant. E.g. a web app for sports
results may be fine with 5 char passwords, so

 

Number:             USERMAN-005
Name:               Password Strength
Description:        A username is an identification token used to identify a user or process.
Requirement:        A strong password should be enforced, composed of 5 characters of any alphanumeric selection.
Criteria Type:      Basic
High Assurance:     Manual Code Review
Medium Assurance:   Manual Penetration Test
Low Assurance:      Automated Code Review or Automated Penetration Test
Very Low Assurance: Design Inspection
Evaluation Notes:   <To Be Completed By Inspector>
Score:              <Pass or Fail : To Be Completed By Inspector>

 

... or

 

Number:             USERMAN-009
Name:               Password Storage
Description:        Passwords should be stored in an encrypted form.
Requirement:        Encrypted passwords must be stored using the SHA-1 or MD5 algorithms. Each hash must be computed with a 32-bit salt value.
Criteria Type:      Basic
High Assurance:     Manual Code Review
Medium Assurance:   Automated Code Review
Low Assurance:      Design Review
Very Low Assurance: N/A
Evaluation Notes:   <To Be Completed By Inspector>
Score:              <Pass or Fail : To Be Completed By Inspector>

 

 

** Please ignore the assurance levels, I know this is where people will get
passionate as they have "horses in the races" and this will be very
specific.

 

I think you are suggesting you can't always configure upwards (to a more
secure web app) as the actual controls may not always be there? If I am
understanding correctly, could you give me some examples?

 

From: owasp-webcert-bounces at lists.owasp.org
[mailto:owasp-webcert-bounces at lists.owasp.org] On Behalf Of Brian Chess
Sent: Friday, August 10, 2007 5:10 PM
To: owasp-webcert at lists.owasp.org
Subject: Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria

 

Curphey > I certainly see your point but isn't there a separation between
the security of the application and the functionality of the business
itself?

My point is that we cannot anticipate all of the properties an application
might need in order to meet reasonable security requirements.  Above and
beyond the set that applies to many applications, additional requirements
may stem from the functionality of the application, the business the
application serves, or the technology the application is built upon.

Brian
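The two controls above describe a Pass/Fail score and list "Automated Code Review" among their assurance methods. The following is an added example, not code from the post, from OWASP or from the webcert project, of what such an automated check could look like: it writes password records the way USERMAN-009 is worded (a 32-bit salt, SHA-1 or MD5 over salt plus password), inspects a small constructed password store against that requirement, applies USERMAN-005 to candidate passwords, and reduces the results to the control's Pass or Fail score. The "algo$salt$digest" record layout, the function names, the sample users and the reading of USERMAN-005 as a minimum length of 5 are all assumptions of this example. The store deliberately contains a record hashed with SHA-256, which a literal reading of the requirement fails even though it is a stronger digest than the two named; that is one concrete instance of the "configure upwards" question raised in the message. SHA-1 or MD5 with a 32-bit salt is also far below current password-hashing practice, so the block should be read as a conformance check against the requirement text, not as a storage recommendation.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# USERMAN-009 as worded in the post: SHA-1 or MD5, 32-bit salt.
ALLOWED_DIGESTS = {"sha1": 20, "md5": 16}   # digest length in bytes
SALT_BYTES = 32 // 8
# USERMAN-005 read as a minimum length (assumption of this example).
MIN_PASSWORD_LEN = 5


def check_userman_005(password: str) -> Tuple[bool, str]:
    """Password Strength: at least MIN_PASSWORD_LEN characters, any mix of letters and digits."""
    if len(password) < MIN_PASSWORD_LEN:
        return False, f"{len(password)} characters, requirement is {MIN_PASSWORD_LEN}"
    return True, "ok"


def store_password(password: str, algo: str = "sha1", salt: Optional[bytes] = None) -> str:
    """Produce a record in this example's own 'algo$salthex$digesthex' layout.
    A fresh 32-bit salt is drawn unless one is supplied (supplied only for repeatable samples)."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.new(algo, salt + password.encode("utf-8")).hexdigest()
    return f"{algo}${salt.hex()}${digest}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    algo, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.new(algo, bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


def check_userman_009(record: str) -> Tuple[bool, str]:
    """Password Storage: named algorithm, 32-bit salt, digest length matching the algorithm."""
    parts = record.split("$")
    if len(parts) != 3:
        return False, "record is not in algo$salt$digest form"
    algo, salt_hex, digest_hex = parts
    if algo not in ALLOWED_DIGESTS:
        return False, f"algorithm {algo!r} is not SHA-1 or MD5"
    try:
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False, "salt or digest is not hex"
    if len(salt) != SALT_BYTES:
        return False, f"salt is {len(salt) * 8} bits, requirement is 32"
    if len(digest) != ALLOWED_DIGESTS[algo]:
        return False, f"digest is {len(digest)} bytes, {algo} produces {ALLOWED_DIGESTS[algo]}"
    return True, "ok"


def evaluate_store(store: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Run USERMAN-009 over every record; the per-user notes are the inspector's evidence."""
    return {user: check_userman_009(record) for user, record in store.items()}


def score(results: Iterable[Tuple[bool, str]]) -> str:
    """The control's Score field: Pass only if every checked item conforms."""
    return "Pass" if all(ok for ok, _ in results) else "Fail"


# Constructed sample store (not real data): one conforming record and three defects.
SAMPLE_STORE = {
    "alice": store_password("correct-horse", "sha1", salt=bytes.fromhex("0a1b2c3d")),
    # 16-bit salt instead of 32
    "bob": "md5$0a1b$" + hashlib.md5(bytes.fromhex("0a1b") + b"hunter2").hexdigest(),
    # unsalted digest
    "carol": "md5$$" + hashlib.md5(b"hunter2").hexdigest(),
    # stronger digest than the requirement names; fails a literal reading
    "dave": store_password("hunter2", "sha256", salt=bytes.fromhex("deadbeef")),
}

if __name__ == "__main__":
    findings = evaluate_store(SAMPLE_STORE)
    for user, (ok, note) in findings.items():
        print(f"USERMAN-009 {user:6s} {'ok ' if ok else 'FAIL'} {note}")
    print("USERMAN-009 score:", score(findings.values()))
    for pw in ("abcd", "abcde", "s3cretPassw0rd"):
        print(f"USERMAN-005 {pw!r}: {score([check_userman_005(pw)])}")
```

Run as a script it prints one evidence line per record and the resulting score; the same functions can be called from a test harness, which is the "Automated Code Review" assurance level in the control table. Note that the SHA-256 record fails only because the requirement names its algorithms instead of a minimum strength, which is exactly the kind of over-specific control that cannot be "configured upwards".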

