Welcome to the WASS project
The WASS, or Web Application Security Standards project, aims to create a proposed set of minimum requirements a web application must exhibit if it is to be considered "secure". A similar set of standard requirements, focused at the network level, already exists in the Cardholder Information Security Program. The most current version of the CISP does require "...web software and applications based on secure coding guidelines..." (requirement 6.5) and references the OWASP Top Ten, but no further guidance is available. This project, however, is not just about the CISP or other "security standards" - many companies and products claim OWASP Top Ten compliance without clearly showing what criteria that compliance is measured against.
The goal of this project, therefore, is to develop specific, testable criteria that can stand alone or be integrated into existing security standards, policies and procedures, and that are vendor- and technology-neutral. By testing against the WASS requirements, it should be possible to determine that minimal security procedures have been followed and best practices adhered to in the development of a web-based application.
Participating in this project
Please view the mailing list archives at http://lists.owasp.org/pipermail/owasp-standards/ to get up-to-speed on the current status of the project. To join in the discussion, add yourself to the list at http://lists.owasp.org/mailman/listinfo/owasp-standards. All comments are welcome. Other than the mailing list, you can add/change/edit the requirements linked from this project page.
So far, thanks to the members of the mailing list, we've picked over an initial strawman document and arrived at a draft set of requirements categorized by the Security Frame (the same structure as the OWASP Guide). Obviously, there's still considerable work to do - we only have 13 main requirements, and some parts of the security frame are under-represented - so contributions are more than welcome.
However, when editing or adding requirements, please bear in mind that this project is to deliver the best practices or techniques necessary to provide minimum security to a web-based application. Therefore, even if you think that Acme Widget XYZ or programming technique BetaGamma is the best thing for security since the off-switch, unless it's a well-known, well-used technique, please don't add it to the project. Additionally, most of the requirements so far can be audited in a "black box" manner. If the requirement you are adding needs source-level or machine-level access, please clearly note that in the requirement's introduction.
Mike Andrews, Vivek Chudgar
Thanks to the following people, who made significant contributions to the strawman document and to arriving at the initial draft requirements.
Justin Derry, Lyal Collins, Ahmed Shahzad, Jean-Jacques Halans