Mike Boberski, project lead and co-author of OWASP's ASVS Project, says the main goal of the standard is to provide a commercial and workable open standard for application security verification. The standard is aimed at helping Web application developers with a "yardstick" to assess the degree of security of their apps, and to help security folks determine what to build into their apps security-wise, according to Boberski. And the standard also can be used in procurements for specifying security verification requirements, he says. This is OWASP's first-ever standard.
ASVS includes four levels of security verification, each with specific security requirements it must address. "It starts with Level 1, prescribing the use of automated tools augmented with manual verification," Boberski says. "It then progresses to Level 4, which includes searching for malicious code manually."
The standard, among other things, will help "differentiate between folks running tools and folks doing detailed design-based analysis" in their Web applications.
While Level 1 encompasses automated scanning, Level 2 includes manual penetration testing; Level 3 includes design verification; and Level 4, internal verification, which also includes ensuring that the developers themselves are not malicious. "Level 4 includes, for example, a search for malicious code, to check for the handiwork of evil developers during development," Boberski says.