How to specify verification requirements in contracts

If you are specifying web application security verification requirements in contracts, you can use the OWASP Application Security Verification Standard (ASVS) to do so. One approach is to start with the OWASP Secure Software Contract Annex. The Annex helps software buyers and vendors discuss security and capture the important terms. Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations. The contract annex and this article have been place in the public domain to facilitate use in private contracts.

One of the best things you can do to facilitate communication between a software buyer and seller is to agree on the technical security requirements for the application and how they will be verified. The ASVS is a simple way to require all this simply by specifying a level from 1 to 4.

The OWASP Secure Software Contract Annex can be updated to make use of the OWASP Application Security Verification Standard as follows:


 * Update section 3 so that its contents read: This agreement uses predefined levels that define ranges in coverage and levels of rigor as defined in the the OWASP Application Security Verification Standard (ASVS). The “level of rigor” for the agreement may be selected by a software development organization by specifying an ASVS level. The ASVS defines four levels of verification that increase in both breadth and depth as one moves up the levels. The breadth is defined in each level by a set of security requirements that must be addressed.  The depth of the verification is defined by the approach and level of rigor required in verifying each security requirement.
 * Update section 9, bullet (e) so that its contents read: Security Analysis and Testing. Developer agrees to provide and follow a security test plan that defines an approach for performing a level  verification according to OWASP Application Security Verification Standard – Web Edition 2008 (Beta), December 2008. The range in coverage and level of rigor of this activity are defined in the referenced standard. Developer will execute the verification and provide the test results to Client according to the reporting requirements which are also defined in the referenced standard.


 * Update section 10, first paragraph, so that its contents read: OWASP Application Security Verification Standard defines topic areas that must be considered during the risk understanding and requirements definition activities for the targeted verification level. This effort should produce a set of specific, tailored, and testable requirements. Both Developer and Client should be involved in this process and must agree on the final set of requirements. In addition, the requirements shall include a set of specific vulnerabilities that shall not be found in the software. If not otherwise specified, then the software shall not include any of the flaws described in the current “OWASP Top Ten Most Critical Web Application Vulnerabilities.”

In addition as part of the above change, delete section 10 bullets (a) - (j).


 * Update section 11, to add a bullet (d), so that its contents read: Verifier. Developer will be responsible for providing a person or team to review the web application against the OWASP Application Security Verification Standard requirements.