Assessment Standards Project

Cliff Barlow
Assessment Standards Project Lead
Director Security Services, KoreLogic, Inc.
cliff.barlow@korelogic.com
269.982.1707

OWASP AppSec Seattle, Oct 2006

(c) Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
http://www.owasp.org/
Presentation Agenda
Impetus for Project
Project Objectives
Project Roadmap
Progress To Date
The Guts
The Road Ahead
How You Can Help
The Guts of Project… Assessment Levels

[Chart: "One Approach… Details to be developed." Vertical axis: Business Criticality (Defined by Business), scale 0–5. Horizontal axis: Expected Security Assurance (Assessment Depth – Expected Level of Security) (Defined by Corporate Security), scale 0–5. Assessment levels AL1 through AL6 are placed on the grid, rising from low criticality/assurance to high.]
AL1: Architecture Review/Threat Analysis – Design level review to identify critical assets, sensitive data stores and business critical interconnections. In addition to architecture reviews is threat analysis to determine potential attack vectors, which could be used in testing.

AL2: Quick Hit Application Security Check – Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification.

AL3: Basic Application Security Check – AL2 + verification and validation of scan results. Security areas not scanned (encryption, access control, etc.) must be lightly tested or code reviewed.
AL4: Standard Application Security Verification – AL3 + verification of common security mechanisms and common vulnerabilities using either manual penetration testing or code review or both. Not all instances of problems found – sampling allowed.