OWASP Application Security Assessment Standards Project/Roadmap

From OWASP
  • Define the Application Security Assessment procedure as part of a Vulnerability Management procedure. Every step of the Application Security Assessment process should produce outputs related to the vulnerabilities and risk of the application.
  • Define how to prioritize web application vulnerabilities using CWE mapping and scoring systems such as CWSS (referring to the OWASP Top 10).
  • Define an Application Security Assessment process that is threat/vulnerability centric and contains at least the following milestones:
    • Use OWASP ASVS to define the AS-IS state of the application validation process, using the following techniques:
      • Maturity Model (referring to OWASP SAMM Project)
      • Attack Surface of the Application (referring to OWASP Code Review Project)
      • Threat Modeling of the Application (referring to OWASP Code Review Project)
      • WAPT/Code Review/VA (referring to OWASP Testing/Code Review Projects)
    • Use OWASP ASVS to define the TO-BE state of the application validation process.
    • For each level definable as the TO-BE state of the application validation process, define how to implement:
      • Processes:
        • SSDLC (Referring to OWASP Development Guide)
        • Code Review (referring to OWASP Code Review Project and OWASP SAMM)
        • WAPT (referring to OWASP Testing Guide and OWASP SAMM)
      • Technical Projects:
        • OWASP ESAPI
        • OWASP AppSensor
    • Practical Examples
      • Demo on how to implement ESAPI/AppSensor in a production project
      • Tips on how to implement an Application Security Assessment Process into a production environment

  • A diagram which describes, at a high level, the idea of the Application Security Process from initial assessment to final mitigation and review.