How to find a verification provider

THIS ARTICLE IS A DRAFT

Overview
One of the main objectives of the OWASP Application Security Verification Standard (ASVS) is to provide a basis for specifying web application security verification requirements in contracts. The OWASP Secure Software Contract Annex has in fact been updated to make use of the ASVS. Where can one go to find a business that you can call on to perform an OWASP ASVS verification? The answer is here, in this very article. This article contains a registry of businesses that perform application security verifications according to OWASP ASVS. These businesses are called “verification providers”.

Verification providers listed below have made a commitment to perform application security verifications according to OWASP ASVS requirements. Verification providers listed below are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. OWASP has also not made a determination as to the business’ quality or competency in performing services. Businesses are under no obligation to seek inclusion in the list below in order to perform application security verifications according to OWASP ASVS.

How to Add Your Company to the Verification Provider Registry
Verification providers listed below have made a commitment to make a good faith effort to resolve any consumer complaints that are specific to their use of the OWASP ASVS to perform application security verifications. This verification provider registry is made available to OWASP Organizational Supporters as an Organizational Supporter benefit.

To Add Your Company:

Contact: [mailto:boberski_michael@bah.com Mike Boberski]. Provide the following information:
 * Company name and web site URL
 * Company mailing address
 * Point of contact's name
 * Point of contact's phone number
 * Point of contact's email address
 * ASVS Levels that your company performs (Select one or more: 1A, 1B, 2A, 2B, 3, 4)
 * Markets served (Select one or both: Commercial, Government)

Verification providers listed below also have submitted to OWASP sample verification report templates. The outlines in the samples have been reviewed to ensure that all of the information required by OWASP ASVS reporting requirements is being included. Please see the article How to meet verification reporting requirements for more detail.

How to File a Complaint Against a Registered Verification Provider
If you are a customer of a verification provider listed below, and if a verification report provided to you does not include the required content according to OWASP ASVS reporting requirements, you can enlist the OWASP Foundation to forward a complaint on your behalf to the verification provider.

To File a Complaint:

Contact: [mailto:kate.hartman@owasp.org Kate Hartman]. Provide the following information:
 * Your name and phone number.
 * The name of the verification provider
 * The targeted OWASP ASVS Level
 * Which verification report section(s) are missing

In some cases, the OWASP may contact you for additional information about your complaint. OWASP will then forward the complaint to the company involved. Occasionally, OWASP may be unable to obtain any cooperation from the company. In extreme cases, OWASP may de-list the verification provider from the registry in this article. Please note that we only take complaints on companies that are OWASP Organizational Supporters.

Verification Provider Registry
Booz Allen Hamilton 8283 Greensboro Drive McLean, Virginia 22102-3828 POC: Mr. Mike Boberski Phone: (703) 377-0456 Email: [mailto:boberski_michael@bah.com Mike Boberski] ASVS Levels Available: 1A, 1B, 2A, 2B, 3 Markets Served: Government Sample Report: Sample Verification Report Template