1. Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/ The OWASP Foundation OWASP AppSec Seattle Oct 2006 http://www.owasp.org/ OWASP Application Security Assessment Standards Project Cliff Barlow Assessment Standards Project Lead Director Security Services, KoreLogic, Inc. cliff.barlow@korelogic.com 269.982.1707

2. OWASP AppSec Seattle 2006 2 Presentation Agenda  Impetus for Project  Project Objectives  Project Roadmap  Progress To Date  The Guts  The Road Ahead  How You Can Help

3. OWASP AppSec Seattle 2006 3 Project Impetus  Current lack of standardization over what constitutes an application security assessment  No single set of criteria being referenced  Lots of definitions, little consistency in what differing assessment techniques constitute  Build a standard that will be flexible in design to accommodate a range of security assurance levels  Keep standard from placing requirements on any party  Ensure standard makes recommendations about what should be done to be consistent with what the OWASP community believes is best practice  Who better than OWASP to create this standard?  If OWASP doesn’t, will someone else impose one on us?

4. OWASP AppSec Seattle 2006 4 Project Objectives  Create standards defining baseline approach to conducting differing levels of application assessment  Establish common, consistent methods for application assessments that organizations can use as guidance on:  What tasks should be completed;  How the tasks should be completed;  Who should be involved; and,  What level is appropriate based on business requirements.  Will not define how to technically to conduct an assessment; instead meant to tie business practices to application security in order to establish a common, consistent guidance in conducting assessments  Adhering to standards increases consumer confidence that assessment meets industry agreed-upon approach

5. OWASP AppSec Seattle 2006 5 Project Roadmap Sept 2006Dec 2006Jan 2007Feb 2007Mar 2007Apr 2007 May 2007 Phase I – Project Approach: Comment Period for Proposed Project Approach, Solicit Contributor Support Phase V – OWASP Integration: Document integration and linkages with other OWASP projects Phase IV – Assessment Levels: Establish a common set of application assessment levels to be used as business guidance to ensure conducting assessments to appropriate level Phase II – Application Assessment Definitions: Establish core definitions to ensure common base terminology Phase III – Assessment Context: Establish assessment context, selection, qualification and process frameworks Schedule Can Only Be Meet With Volunteer Help! Oct 2006Nov 2006

6. OWASP AppSec Seattle 2006 6 Assessment Standards Project Status Define Common Business Application Types Develop Project Approach Phase I Phase II Define Assessment Techniques Define Assessment Techniques Phase III Define Assessment Scope Per Level Define Assessment Scope Per Level Establish Assessor Qualification Criteria Per Level Establish Assessor Qualification Criteria Per Level Define Business End Preparation For Assessment Establish Where in SDLC Assessment Components Lie Phase IV [ Stub Started – Open to Comment And Edit ] [ Stub Needed – Open to Contribution ] 1 1 – Can establish baseline now but will need further detail post Phase IV 1 Define Standard Assessment Process Framework Define Standard Assessment Process Framework

7. OWASP AppSec Seattle 2006 7 The Path Forward  Phase IV – Assessment Levels:  Establish assessment level system decision criteria  Analysis and documentation of corresponding security measurements (i.e. common security metrics, security assurance/maturity models, related legislation, other standards, etc.)  Establish Assessment levels based on Phase II and III  Define assessment depth, testing components required and tools usage per level (not products)  Establish guidance parameters to allow organizations to determine appropriate assessment level based on business application to be assessed  Phase V – OWASP Integration: Document integration and linkages with other OWASP projects.

8. OWASP AppSec Seattle 2006 8 Key Determinants To Assessment Levels  Business Criticality  Expected Security Assurance  Testing Requirements  Accredited/Certified App  Independent 3 rd Party Required  Easily Understood By The Business Layman  ?  What Needed To Get There  Decision Criteria – How Do We Get To Agreement  Decision Criteria – How Does Layman Determine Which Level They Should Use

9. OWASP AppSec Seattle 2006 9 0 1 2 3 4 5 Business Criticality (Impact of Loss) (Defined by Business) 0 1 2 3 4 5 Expected Security Assurance (Assessment Depth – Expected Level of Security) (Defined by Corporate Security) The Guts of Project… Assessment Levels Security Assessment Techniques – Relative Depth ? Threat Analysis & Architecture Review (Analyst) External App Scan (Tool) Auto Source Code Review (Tool) Manual Penetration Testing (Specialist) Manual Security Code Review (Specialist)

10. OWASP AppSec Seattle 2006 10 Business Criticality (Defined by Business) Expected Security Assurance (Defined by Corporate Security) The Guts of Project… Assessment Levels One Approach… 01 2 3 4 5 AL1 AL2 AL3 AL4 AL6 AL5  AL1: Architecture Review/Threat Analysis - Design level review to identify critical assets, sensitive data stores and business critical interconnections. In addition to architecture reviews is threat analysis to determine potential attack vectors, which could be used in testing. Details to be developed  AL3: Basic Application Security Check – AL2 + verification and validation of scan results. Security areas not scanned (encryption, access control, etc.) must be lightly tested or code reviewed.  AL2: Quick Hit Application Security Check - Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification.

11. OWASP AppSec Seattle 2006 11 The Guts of Project… Assessment Levels One Approach…  AL4: Standard Application Security Verification – AL3 + verification of common security mechanisms and common vulnerabilities using either manual penetration testing or code review or both. Not all instances of problems found - Sampling allowed. Details to be developed  AL5: Enhanced Application Security Verification – AL1 + AL3 + verification of all security mechanisms and vulnerabilities based on threat analysis model using either manual penetration testing or code review or both.  AL6: Comprehensive Application Security Verification – AL1 + AL4 + search for malicious code. All code must be manually reviewed against a standard and all security mechanisms tested. Business Criticality (Defined by Business) Expected Security Assurance (Defined by Corporate Security) 01 2 3 4 5 AL1 AL2 AL3 AL4 AL6 AL5

12. OWASP AppSec Seattle 2006 12 Help…  We hope you find the OWASP Application Security Assessment Standards Project useful  Please contribute back to the project by sending your comments, questions, and suggestions to owasp@owasp.org  To join the OWASP Assessment Standards mailing list or view the archives, please visit the subscription page http://lists.owasp.org/mailman/listinfo/owasp-appsec- standards http://lists.owasp.org/mailman/listinfo/owasp-appsec- standards