SpoC 007 - The OWASP Web Security Certification Framework

Back to SpoC 007 Selection page

AoC Candidate: Mark Curphey

Project coordinator: Dinis Cruz

Project Progress: 45% Complete, Progress Page

Web site owners need a widely published and consensus driven set of criteria to design, develop, deploy and maintain secure web sites. This criteria and claims of compliance with it need to be able to be provided to a wide range of stakeholders including customers, regulators and business partners.

This document is a discussion document created by Mark Curphey. It was sponsored and produced as part of the OWASP Spring of Code, 2007 and proposes an evaluation and certification scheme for the security of web sites including recommendations for how the evaluation and certification process itself could work. This work is intended to be openly published for a reasonable period of time for public discussion, debate and feedback. After this period the OWASP Board will work with interested parties to determine any appropriate next steps. These may include adoption or integration into existing standards or the creation of something new. The evaluation and certification scheme proposed here takes into account the motivations and needs of a variety of stakeholders. Many people including the author have been highly critical of the Payment Card Industry Data Security Standard (PCI DSS). The OWASP Web Security Certification Criteria is not a proposal to replace the PCI DSS and is not officially related in anyway shape or form. PCI DSS has been taken into account however we have intentionally chosen not to build upon or build around key PCI issues that we consider ill-conceived. In short we have decided to build on solid foundations from the ground up.

It is very important to understand that in itself this document and the project that supports it is not an evaluation scheme or criteria, but a proposal for what an effective one may look like. In fact the scheme has been created in such as way as to provide a framework from which to derive domain specific evaluation schemes from (US financial services, UK Gov or Indian Insurance). This document itself comprises of two main parts;

Part 1 – Implementation Considerations. This section describes key processes and how they would work in order for the evaluation and certification scheme to be effective. Part 2 – Evaluation Criteria. This section describes the actual criteria being proposed. It adopts the recommendations from Part 1. You can send your feedback directly to mark@curphey.com or at the OWASP mailing list dedicated to this project (https://lists.owasp.org/mailman/listinfo/owasp-webcert). We hope this document provides value and provokes thought to all those identified in the stakeholders section.

Kind regards, 	Mark Curphey and the entire OWASP Project Team.