OWASP RFP-Criteria

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP RFP Criteria
The purpose of this project is to simply provide an objective list of important set of questions companies should utilize when they issue a Request For Proposal for Web Application Security Projects.

Audience
The project is written to raise visibility for software security related questions that buyers of services should consider when issuing a request for quote as example or in procurement process. Supply chain management as noted by DHS referring this project DHS SWA

Licensing
The OWASP RFP Criteria Project and project components is licensed under https://creativecommons.org/licenses/by-nc-sa/3.0/, the Creative Commons Attribution-NonCommercial-ShareAlike license. This implies that you must give appropriate credit, provide a link to the license and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. Also note that the material cannot be used for commercial purpose and if you transform or build on the material, you are required to distribute your contributions under the same license as the original.

Project Sponsor
OWASP RFP Criteria project is sponsored by ProactiveRISK Inc..




 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

In Print
See below

Version 1.0 .PDF

Presentation
Coming soon...

Project Leader
Tom Brennan @brennantom

Version 2.0
Want to help out and make this project BETTER? Add your comments here Version 2.0 GoogleDocs - Add Comments

Related Projects
OWASP Top 10

OWASP Cheat Sheets

OWASP Mod_Security CRS

Web Hacking Incident Database


 * valign="top" style="padding-left:25px;width:200px;" |

News and Events

 * Release date 1/27/2015 NJ Chapter Meeting

Classifications

 * }

= Acknowledgements =

Volunteers
Incident Response Project is developed by a worldwide team of volunteers. The primary contributors to date have been:


 * Tom Brennan, ProactiveRISK
 * Jason Jolaoso, ProactiveRISK
 * Jeff Williams
 * Mike Esposito

Want to help? Get in touch with us

Others

 * OWASP NYC Metro Chapter

= Road Map and Getting Involved = Involvement in the development and promotion of OWASP Incident Response Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:


 * Proof Reading
 * Graphic Design
 * Conduct Industry Survey
 * Educate local communities
 * list of open-source IR tools

Project Details
http://www.owasp.org/images/7/71/Proactiverisk.jpg

Main
RFPs and Application Security Verification. A Request For Proposal, (RFP) is a call made by an organization soliciting for bids by service providers or vendors to meet a need. It is often done by documents. The information provided in RFP's are important and when you create an RFP for an Application Security Verification project, emphasis should be on providing clear information about the scope of verification activities and evaluation criteria so prospective service providers and vendors can submit proposal that are comparable. We outline in subsequent sections key information that should be provided for each application subject to verification.

=APPLICATION SECURITY VERIFICATION=

RECOMMENDED INFORMATION THE CLIENT (YOUR ORGANIZATION) SHOULD PROVIDE TO SERVICE PROVIDERS/VENDORS.
1. Lines of code. Lines of Code (LOC) or sometimes referred to as Source Lines of Code (SLOC) is a prerequisite for any verification task that involves the review of source code. This software metric (LOC) provides information about the scale of the program under review. There are software packages on the public domain such as LocMetrics on http://locmetrics.com or CLOC on http://cloc.sourceforge.net/ which can be used to count the number of lines of code. Additional information about LOC such as if the count included commented source code or not is also beneficial

2.Number of dynamic pages. Information about the number of dynamic pages is advisable as it provides insights about the scale of the application under assessment. It is important for verification efforts that involved manual penetration testing. When estimating the amount of dynamic pages, pay attention to pages with unique functionality or purpose. If you have urls like: i. /display_results.php?rs=1 , ii. /display_results.php?rs=2 , iii./display_results.php?rs=3 ,

you need to ensure that you confirm if they refer to a single unique dynamic page or not

3. An Inventory of user roles and role descriptions. The catalog of user roles is endorsed for all verification efforts  as it  furnishes  business context for  vulnerabilities  (if any) established.

4. Brief Application Summary application and Application architecture. This is mission critical for applications with non-standard architectures such as those using thick clients, web services or integration with legacy systems but not so paramount for applications with a standard web application architecture (web server, application server, database server setup).

5.Degree of verification expected .  To manage or prevent suppliers providing erratic bids  that vary in figures or timelines ,There is a need to provide definitive guidance on the level of verification desired. This should include requirements for or on: a. Dynamic vulnerability scanning. b. Manual code review. c. Manual penetration testing. d. Static analysis. e. Security architecture review. f. Malicious code analysis. g. Threat modeling.

6. The frequency or duration for performing verification. It is important to indicate if you want a   single verification exercise or would you want several  many verification exercises executed within a specified timeframe.

1. Company Background
a. Summarize the product(s) or service(s) provided by your company.

b. How long has your company been providing products or services relevant to this project? Please provide any relevant information about major milestones such as significant acquisitions, mergers or the introduction or elimination of relevant lines of business.

c. Please provide succinct information your past experience with applications of a similar scope, complexity, and vertical as the applications to be verified in this project.

d. Outline your familiarity and experience with the frameworks, libraries,languages and other relevant technologies that comprise the applications to be verified.

e. Are you involved with organizations or stakeholders in the application security community, such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC)? if yes, what roles do you play ?

f. Provide other helpful background information about your organization and your qualification to supply the required product/service.

2. Application Security Verification Methodology
a. Outline, in clear details your proposed methodology for all the verification techniques to be utilized: i. Dynamic vulnerability scanning. ii. Malicious code analysis. iii. Manual code review. iv. Manual penetration testing. v. Security architecture review. vi. Static analysis. vii. Threat modeling. b. What would you require from the client to prepare for and successfully execute an application verification exercise ?

c. Would you be using multiple techniques for this project ? If yes how will you combine these in the verification exercise?

d. Describe your proposed level of communication/ interaction with software development teams, security experts, and business process owners during the verification process.

3.Security Coverage.
a. Explain the vulnerability and security control coverage that is  provided by your verification efforts. Where relevant, supply references to the OWASP ASVS,WASC 24 Broad Classes of Attacks, and the OWASP Top 10

b. Provide the different levels of efforts that you will provider for the verification effort. What are the differences in security coverage between these levels?

c. Presently, are you able to test (precisely) for Cross-Site Request Forgery (CSRF) and HTTP Response Splitting?

d. What are potential gaps in coverage for the current proposal and what steps would you  take to mitigate the gaps?

e. Does your solution meet current PCI 6.6 standards?

4. Application Coverage
a. How effectively does your product/service baseline an application?

b. How do you adjust your product/service to verify an application most effectively?

c. What methods or techniques do you use to ensure coverage of the entire application?

d. How do you corroborate with a customer that you are providing accurate coverage of the targeted application?

e. What potential gaps (if any) exists between your proposed solution and the platform and architecture of the application under verification? A case in point - if the target application contains both web pages and web services and your testing does not cover web services this would indicate a gap.

5. Risk Evaluation
a. Outline your risk evaluation process for establishing the probable vulnerabilities you might discover and it’s business impact.

b. What is your procedure for managing the reporting of false positives?

c. Outline your procedures for categorizing similar risks for easy absorption and rectification.

6. Differentiators
a. What aspect of the verification process do you find most challenging ( if any )?

b. Tell us why your approach towards this project is exceptional or singular. How and why is this important to the client?

7. Scope
a. What are the time estimates for implement your product/service in a similar verification exercise?

b. How does the proposed solution scale for multiple websites?

c. What are the advised steps for curtailing the impact of testing on the performance of applications during the testing process?

d Indicate if your product or service provisions for on-demand / ad hoc testing.

e. What is the lead time required to initiate testing?

8. Security
1. Describe exactly how you will protect our information, including all information about our application and any risks discovered, while it is in your custody. Please describe your network security, information storage security, and need-to-know processes.

2. Please provide information on the trustworthiness of individuals who will have access to our information as part of the verification.

3. Please describe how information necessary for the verification will be exchanged securely.

4. Please describe how our information will be purged from your systems when the verification is complete.

5. Please describe how our information is kept separate from the risk information of other customers.

6. Please provide evidence that your systems are protected against attack.

Burden
1. Describe any personnel requirements from our organization. How many personnel are needed? What are their skill sets and experience levels?

2. Describe exactly what materials we will be expected to provide to support the verification efforts.

Reporting Interface
1. Describe exactly how risks will be written up, including:

a) title b) location (URL and/or line of code) c) specific vulnerability description d) risk likelihood, business impact, and severity e) code snippets f) specific remediation recommendations

2. Describe the risk model you use as well as how it can be customized for our corporate standard.

3. Describe your reporting interface using criteria such as ease of use, clarity, comprehensiveness, how reporting components are organized, etc.

4. How does your product or service provide timely updates on any new web application risks identified? Are alerts delivered to authorized personnel? If so, how are they delivered and under what conditions?

5. Do you provide historical trending reports that track open/closed risks and the ongoing remediation process?

6. Can assessment reports be generated to reflect the risk status of individual web applications, as well as the security health of all web applications?

7. Can your reports be tailored and adapted for viewing by various levels of management, internal/external auditors, security specialists, etc.?

8. Does your solution provide an API so that risks can be exported into other applications, such as CRM apps, bug tracking systems, SIEMs? Are there any canned scripts or standard integrations that exist? With which applications?

9. Do your reports contain specific recommendations for application developers, tailored for the exact problem in the code?

10. How do you provide timely and reliable reporting of risks for ongoing visibility, measurement, and management?

11. How frequently do you provide enhancements to your reporting interface? What is the process?

12. How do developers know if they have successfully remediated a risk?

Innovation
1. Describe any recent innovations your company has introduced to lower costs or improve service for your customers.

2. How do you identify new classes of vulnerabilities and test for them?

3. How are you able to uncover and test for new attack techniques that can be used to exploit known classes of risks?

4. How do you test new technologies (e.g. new versions of Flash) for risks?

Integration
1. What standard data formats will your product/service export or provide?

2. What other technologies (for example, Web Application Firewalls) does your product/service integrate with? What benefits do these integrations provide? How do the integrations work?

Benefits
1. How do you make the remediation process more efficient?

2. Describe the balance of internal and external resources in an ideal application security program.

3. Can you deliver accurate results and diminish/eliminate false positives, thus making the verification process more efficient?

4. Are you able to demonstrate a positive ROI and increased benefits to management? How?

5. Are you able to influence secure coding techniques / reduce time spent debugging? How?

6. Explain why we would realize a competitive advantage by doing business with your company?

Supporting Services
1. Describe any training or eLearning options available associated with the verification effort.

2. Do you offer remediation support to software development groups?

3. Is strategic consulting support available to support our application security program.

Customer Support
1. Can you describe the process in place whereby customers interact with your internal service and support? What are the escalation procedures?

2. Do you provide tracking of all trouble tickets that have been opened and are they tracked through resolution?

3. Do you offer any kind of Service Level Agreement?

Pricing/Licensing Options
1. Explain your pricing model. 2. What are the terms associated with your product or service? Please include a sample Software License Agreement or Master Services Agreement template.

3. Are there other costs we should be made aware of? If consulting or training costs are involved, how do you charge for these services?