<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria</title>
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Cambria;
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
h5
        {mso-style-priority:9;
        mso-style-link:"Heading 5 Char";
        margin-top:10.0pt;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:0in;
        margin-bottom:.0001pt;
        line-height:115%;
        page-break-after:avoid;
        font-size:11.0pt;
        font-family:"Cambria","serif";
        color:#243F60;
        font-weight:normal;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.Heading5Char
        {mso-style-name:"Heading 5 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 5";
        font-family:"Cambria","serif";
        color:#243F60;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Brian,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>First off, I plan to do the examples next, so I think much of this
will become clearer. The more I think about this, the more I like this approach,
as it does allow us to be specific where specificity is needed (i.e. passwords
must be hashed) but generic enough to allow people to build their own standards
for unique cases. This seems to be a good balance of &#8220;both worlds&#8221;.
I will start working on the examples (which will be really quick to do) as soon
as I have this completed. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I get your two points about the eBay auction scenario and about
the need for even stricter controls for specific applications. From my lens I
think the first is fairly straightforward in that we must define the scope of
the security of the application functionality and not the business functionality,
i.e. we care that no one can modify bids by subverting the application logic
itself but can&#8217;t specify the business logic<a name="_MailEndCompose">, i.e.
business rules. I know business logic and application logic are often mixed up,
but I think you see my point. I am totally open to the wisdom of crowds, but I
have no idea how you would describe a control to specify generic business logic.
Totally open to suggestions. <o:p></o:p></a></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>As for the stricter controls for, say, a military app, this is an
excellent point. I have always been working backwards, i.e. derive from the
generic control, configure it with appropriate settings and have a human mechanism
in place for controls that just aren&#8217;t relevant. E.g. a web app for sports
results may be fine with 5 char passwords, so <o:p></o:p></span></p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<table class=MsoTableMediumShading1Accent1 border=1 cellspacing=0
 cellpadding=0 style='border-collapse:collapse;border:none'>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border:solid #7BA0CD 1.0pt;
  border-right:none;background:#4F81BD;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif";
  color:white'>Number</span></b><b><span style='font-size:11.0pt;font-family:
  "Calibri","sans-serif";color:white'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border:solid #7BA0CD 1.0pt;
  border-left:none;background:#4F81BD;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif";
  color:white'>USERMAN-005</span></b><b><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif";color:white'><o:p></o:p></span></b></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Name</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <h5>Password Strength<o:p></o:p></h5>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Description</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>A
  username is an identification token used to identify a user or process.</span><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Requirement</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>A strong
  password should be enforced, composed of</span><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>5
  characters of any alphanumeric selection.</span><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Criteria
  Type</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Basic</span><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>High
  Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Manual
  Code Review</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Medium
  Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Manual Penetration
  Test</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Low
  Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Automated
  Code Review or Automated Penetration Test</span><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Very
  Low Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Design
  Inspection</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Evaluation
  Notes</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>&lt;To Be
  Completed By Inspector&gt;</span><span style='font-size:11.0pt;font-family:
  "Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Score</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>&lt;Pass
  or Fail : To Be Completed By Inspector&gt;</span><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&#8230; or<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<table class=MsoTableMediumShading1Accent1 border=1 cellspacing=0
 cellpadding=0 style='border-collapse:collapse;border:none'>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border:solid #7BA0CD 1.0pt;
  border-right:none;background:#4F81BD;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif";
  color:white'>Number</span></b><b><span style='font-size:11.0pt;font-family:
  "Calibri","sans-serif";color:white'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border:solid #7BA0CD 1.0pt;
  border-left:none;background:#4F81BD;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif";
  color:white'>USERMAN-009</span></b><b><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif";color:white'><o:p></o:p></span></b></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Name</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <h5>Password Storage<o:p></o:p></h5>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Description</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Passwords
  should be stored in an encrypted form. </span><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Requirement</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Encrypted
  passwords must be stored using the SHA-1 or MD5 algorithms. Each hash must be computed
  with a 32-bit salt value. </span><span style='font-size:11.0pt;font-family:
  "Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Criteria
  Type</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Basic</span><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>High
  Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Manual
  Code Review</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Medium
  Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Automated
  Code Review</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Low
  Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>Design Review</span><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Very
  Low Assurance</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>N/A</span><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Evaluation
  Notes</span></b><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  background:#D3DFEE;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>&lt;To Be
  Completed By Inspector&gt;</span><span style='font-size:11.0pt;font-family:
  "Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=160 valign=top style='width:119.7pt;border-top:none;border-left:
  solid #7BA0CD 1.0pt;border-bottom:solid #7BA0CD 1.0pt;border-right:none;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>Score</span></b><b><span
  style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></b></p>
  </td>
  <td width=479 valign=top style='width:359.1pt;border-top:none;border-left:
  none;border-bottom:solid #7BA0CD 1.0pt;border-right:solid #7BA0CD 1.0pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>&lt;Pass
  or Fail : To Be Completed By Inspector&gt;</span><span style='font-size:11.0pt;
  font-family:"Calibri","sans-serif"'><o:p></o:p></span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>** Please ignore the assurance levels; I know this is where
people will get passionate as they have &#8220;horses in the races&#8221; and
this will be very specific.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I think you are suggesting you can&#8217;t always configure
upwards (to a more secure web app) as the actual controls may not always be
there? If I am understanding correctly, could you give me some
examples?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
owasp-webcert-bounces@lists.owasp.org [mailto:owasp-webcert-bounces@lists.owasp.org]
<b>On Behalf Of </b>Brian Chess<br>
<b>Sent:</b> Friday, August 10, 2007 5:10 PM<br>
<b>To:</b> owasp-webcert@lists.owasp.org<br>
<b>Subject:</b> Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.5pt;
font-family:"Verdana","sans-serif";color:#1E487C'>Curphey &gt; I certainly see
your point but isn&#8217;t there a separation between the security of the
application and the functionality of the business itself?<br>
</span><span style='font-size:9.0pt;font-family:"Verdana","sans-serif"'><br>
My point is that we cannot anticipate all of the properties an application
might need in order to meet reasonable security requirements. &nbsp;Above and
beyond the set that applies to many applications, additional requirements may
stem from the functionality of the application, the business the application
serves, or the technology the application is built upon.<br>
<br>
Brian</span><o:p></o:p></p>
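<p class=MsoNormal>As an added example (not part of this mailing-list message or of the OWASP criteria), the two control templates above, USERMAN-005 and USERMAN-009, modelled the way the mail proposes: a generic control plus per-application settings, here a "sports-results" profile matching the 5-character alphanumeric requirement, a constructed stricter "high-assurance" profile for the military-app case, and inspector-style checks for each. The storage profile encodes the mail's SHA-1/MD5 with a 32-bit salt literally; by today's standards that is far too weak for password storage, and a current deployment would configure the same control with a dedicated password hash (Argon2, scrypt or bcrypt) and a longer random salt. The record layout "algorithm$salt$digest", the profile names and the sample passwords are all constructed for illustration.</p>

```python
from __future__ import annotations
import hashlib, hmac, os, re
from dataclasses import dataclass

@dataclass(frozen=True)
class StrengthProfile:
    """Settings that configure the generic USERMAN-005 control (names constructed)."""
    name: str
    min_length: int
    allowed_pattern: str   # regex the whole password must match
    min_char_classes: int  # of: lowercase, uppercase, digit, other

# The mail's sports-results setting: 5 characters, alphanumeric only.
SPORTS_RESULTS = StrengthProfile("sports-results", 5, r"[A-Za-z0-9]+", 1)
# A constructed stricter profile for the mail's "military app" case.
HIGH_ASSURANCE = StrengthProfile("high-assurance", 12, r"\S+", 3)

def check_userman_005(password: str, profile: StrengthProfile) -> list[str]:
    """Return inspector findings; an empty list means the control passes."""
    tag, findings = f"USERMAN-005/{profile.name}", []
    if len(password) < profile.min_length:
        findings.append(f"{tag}: {len(password)} chars, minimum {profile.min_length}")
    if not re.fullmatch(profile.allowed_pattern, password):
        findings.append(f"{tag}: characters outside {profile.allowed_pattern!r}")
    classes = sum(any(f(c) for c in password) for f in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < profile.min_char_classes:
        findings.append(f"{tag}: {classes} char classes, minimum {profile.min_char_classes}")
    return findings

@dataclass(frozen=True)
class StorageProfile:
    """Settings that configure the generic USERMAN-009 control."""
    name: str
    allowed_algorithms: frozenset[str]
    salt_bytes: int

# Literally the mail's requirement: SHA-1 or MD5 with a 32-bit (4-byte) salt.
USERMAN_009_2007 = StorageProfile("userman-009-2007", frozenset({"sha1", "md5"}), 4)

def store_password(password: str, algorithm: str, profile: StorageProfile,
                   salt: bytes | None = None) -> str:
    """Build a constructed 'algorithm$salt-hex$digest-hex' record meeting the profile."""
    if algorithm not in profile.allowed_algorithms:
        raise ValueError(f"{algorithm} not permitted by {profile.name}")
    salt = os.urandom(profile.salt_bytes) if salt is None else salt
    digest = hashlib.new(algorithm, salt + password.encode()).hexdigest()
    return f"{algorithm}${salt.hex()}${digest}"

def check_userman_009(record: str, profile: StorageProfile) -> list[str]:
    """Inspector's check of one stored record against the storage control."""
    tag, parts = f"USERMAN-009/{profile.name}", record.split("$")
    if len(parts) != 3:
        return [f"{tag}: record is not algorithm$salt$digest"]
    algorithm, salt_hex, digest_hex = parts
    findings = []
    if algorithm not in profile.allowed_algorithms:
        findings.append(f"{tag}: algorithm {algorithm!r} not permitted")
    elif len(digest_hex) != hashlib.new(algorithm).digest_size * 2:
        findings.append(f"{tag}: digest length does not match {algorithm}")
    try:
        salt_bits = len(bytes.fromhex(salt_hex)) * 8
    except ValueError:
        salt_bits = 0  # not hex at all: treat as no usable salt
    if salt_bits < profile.salt_bytes * 8:
        findings.append(f"{tag}: salt is {salt_bits} bits, need {profile.salt_bytes * 8}")
    return findings

def verify_password(password: str, record: str) -> bool:
    """Recompute the salted digest and compare in constant time (hashing is one-way)."""
    algorithm, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.new(algorithm, bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)
```

Changing the profile constants is the "configure upwards" step the mail discusses; the checks themselves stay the same.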

</div>

</body>

</html>