News Application Security

New Open Standard Arrives For Gauging Security of Web Apps, Services

OWASP releases Application Security Verification Standard for developers, security pros, and buyers

Kelly Jackson Higgins December 29, 2008

Now there's an open industry standard for Web application and Web service security: The Open Web Application Security Project (OWASP) Foundation has released the Application Security Verification Standard (ASVS).

Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial and workable open standard for application security verification. The standard is aimed at helping Web application developers with a "yardstick" to assess the degree of security of their apps, and to help security folks determine what to build into their apps security-wise, according to Boberski. And the standard also can be used in procurements for specifying security verification requirements, he says. This is OWASP's first-ever standard.

More Security Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>

ASVS includes four levels of security verification, each with specific security requirements it must address. "It starts with Level 1, prescribing the use of automated tools augmented with manual verification," Boberski says. "It then progresses to Level 4, which includes searching for malicious code manually."

The standard, among other things, will help "differentiate between folks running tools and folks doing detailed design-based analysis" in their Web applications.

While Level 1 encompasses automated scanning, Level 2 includes manual penetration testing; Level 3 includes design verification; and Level 4, internal verification, which includes also ensuring the developers themselves are not malicious. "Level 4 includes, for example, a search for malicious code, to check for the handiwork of evil developers during development," Boberski says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Dark Reading Discussions

Start the Discussion

To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.

Follow Dark Reading

Dark Reading Reports

Strategies for Improving Web Application Security

Web applications are fraught with risk, but for most companies, not having them is not an option. They're just too important to customers and to the business. In this Dark Reading report, we recommend some best practices for balancing the needs of the business with security requirements. It doesn't take special certification or a million dollars, but it does take planning, time, and a smart combination of tools and best practices.
Tools and Strategies for File-Level Data Protection

There is nothing in the enterprise that warrants protection more than data, but security pros all too often focus more on perimeter security. This may be because it can be more challenging to secure data, but once data is locked down, any compromises to the networks and servers that transport and house it almost don't matter. In this Dark Reading report we recommend several ways that security pros can effectively ensure that data is kept from prying eyes.
Insecurity with Java

In the wake of a zero-day vulnerability being exploited by multiple active attacks, IT teams wait for Oracle to respond. Again. Here's how to keep your systems safe, but meanwhile, start considering: Does Java's popularity as an attack vector vs. its diminishing functionality make permanently disabling plug-ins a smart idea?

Related Content

Sponsored by

Detecting and Blocking Site Scraping Attacks

Site scraping attacks range from harmless data collection for personal research to calculated, repeated data harvesting used to undercut competitor's prices or to illicitly publish valuable information. Site scraping can undermine victims' revenues and profits by siphoning off customers and reducing competitiveness. This paper investigates various types of scraping attacks, site scraping tools, and effective techniques to detect and stop future attacks.
How SEEK Prevents Competitors from Scraping Website Content with Imperva

SEEK, Australia's number one job site, prevents competitors from scraping Website content with Imperva SecureSphere. This video case study shows how Imperva's SecureSphere Web Application Firewall safeguards SEEK's Website from site scraping and Web application attacks.
Cutting the Cost of Application Security: An ROI White Paper

Web application attacks can result in devastating data breaches and application downtime, costing companies millions of dollars in fines, brand damage, and customer turnover. This white paper illustrates how Imperva's SecureSphere Web Application Firewall provides a Return on Security Investment of 2090% by preventing data breaches and Website downtime.
Botnets at the Gate: Stopping Botnets and Distributed Denial of Service Attacks

Botnets have infiltrated millions of users' computers and wrecked incalculable damage. This white paper lifts the veil on botnets and on the cyber-criminals behind them. It analyzes the history, growth, and economics behind botnets. It then investigates one of the most common attacks executed by botnets: the Distributed Denial of Service (DDoS) attack.
Hacker Intelligence Summary Report: The Anatomy of a Hacktivist Attack

Imperva witnessed a recent hacktivist attack that lasted for 25 days. Our observations give insight into hacktivist attack methods and an examination of how social media enables recruitment and attack coordination. Understanding how hacktivists operate will help organizations prepare for a future attack.

Free Research and Reports

What's this?From the Editors of DarkReading

More >>

Box Icon

Whitepapers

What's this?

More >>

Box Icon

Dark Reading Digital Magazine

Back Issues

In This Issue

Endpoint Security: End user security requires layers of tools and training as employees use more devices and apps.
Security Isn't A Piece Of Cake: It's time we rethink the conventional wisdom about security layering.
BYOD Is Here To Stay: Trying to keep employees' devices off the network is futile.

Download Now

First Name*:
Last Name*:
Email Address*:
Job Title:
Company/Organization/Gov't Dept.:
*Required field
Privacy Statement

Security

Protect The Business - Enable Access

News Application Security

New Open Standard Arrives For Gauging Security of Web Apps, Services

OWASP releases Application Security Verification Standard for developers, security pros, and buyers

More Security Insights

White Papers

Reports

Webcasts

Related Reading

Dark Reading Discussions

Start the Discussion

Follow Dark Reading

Dark Reading Reports

Strategies for Improving Web Application Security

Tools and Strategies for File-Level Data Protection

Insecurity with Java

Sign up for the Dark Reading Daily email newsletter

Free Research and Reports

Whitepapers

Upcoming Events

Dark Reading Digital Magazine

In This Issue

News Application Security

New Open Standard Arrives For Gauging Security of Web Apps, Services

OWASP releases Application Security Verification Standard for developers, security pros, and buyers

More Security Insights

White Papers

Reports

Webcasts

Related Reading

Dark Reading Discussions

Start the Discussion

Follow Dark Reading

Dark Reading Reports

Related Content

Dark Reading Newsletter

Sign up for the Dark Reading Daily email newsletter

Free Research and Reports

Whitepapers

Upcoming Events

Dark Reading Digital Magazine

In This Issue