How to find a verification provider

THIS ARTICLE IS A DRAFT

Overview
One of the main objectives of the OWASP Application Security Verification Standard (ASVS) is to provide a basis for specifying web application security verification requirements in contracts. The OWASP Secure Software Contract Annex has in fact been updated to make use of the ASVS. Where can you go to find a business that you can call on to perform an OWASP ASVS verification? The answer is here, in this very article. This article contains a registry of businesses that perform application security verifications according to OWASP ASVS. These businesses are called “verification providers”.

Verification providers listed below have made a commitment to perform application security verifications according to OWASP ASVS requirements. Verification providers listed below are not accredited by OWASP. Neither their products nor their services have been endorsed by OWASP. OWASP has also not made a determination as to these businesses’ quality or competency in performing services. Businesses are under no obligation to seek inclusion in the list below in order to perform application security verifications according to OWASP ASVS.

How to Add Your Company to the Verification Provider Registry
Verification providers listed below have made a commitment to make a good faith effort to resolve any consumer complaints that are specific to their use of the OWASP ASVS to perform application security verifications. This verification provider registry is made available to OWASP Organizational Supporters as an Organizational Supporter benefit, although an additional fee is paid for monitoring and for support of OWASP listing services to the public.

Verification providers listed below have also submitted sample verification reports to OWASP. These samples have been reviewed to ensure that all of the information required by OWASP ASVS reporting requirements is included in a given provider’s reports. Buyers should not necessarily expect verification reports to follow the same structure as the sample, however, as the required content may be added to an existing or alternate report structure. Please see the article How to meet verification reporting requirements for more detail.

How to File a Complaint Against a Registered Verification Provider
If you are a customer of a verification provider listed below, and if a verification report provided to you does not include the required content according to OWASP ASVS reporting requirements, you can enlist the OWASP Foundation to forward a complaint on your behalf to the verification provider. In some cases, OWASP may contact you for additional information about your complaint. OWASP will then forward the complaint to the company involved. Occasionally, OWASP may be unable to obtain any cooperation from the company. In extreme cases, OWASP may de-list the verification provider from the registry in this article. Please note that we only take complaints on companies that are OWASP Organizational Supporters.

Verification Provider Registry
Booz Allen Hamilton
8283 Greensboro Drive
McLean, Virginia 22102-3828
POC: Mr. Mike Boberski
Phone: (703) 377-0456
Email: boberski_michael@bah.com
ASVS Levels Available: 1A, 1B, 2A, 2B, 3
Markets Served: Government