Difference between revisions of "Definition for Security Assessment Levels"

From OWASP
Jump to: navigation, search
 
 
Line 3: Line 3:
 
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Levels'''.  These levels rely on the '''Assessment Techniques''' defined elsewhere within this project.
 
This article’s focus is to define, where practical, nomenclature and definitions of the differing security '''Assessment Levels'''.  These levels rely on the '''Assessment Techniques''' defined elsewhere within this project.
  
==Techniques==
+
==Levels==
  
 
'''Note this is a working draft for discussion purposes and should not be relied upon. There is no guarantee that these levels will be used or will be stable for any purpose'''
 
'''Note this is a working draft for discussion purposes and should not be relied upon. There is no guarantee that these levels will be used or will be stable for any purpose'''

Latest revision as of 13:05, 15 September 2006

Contents

Overview

This article’s focus is to define, where practical, nomenclature and definitions of the differing security Assessment Levels. These levels rely on the Assessment Techniques defined elsewhere within this project.

Levels

Note this is a working draft for discussion purposes and should not be relied upon. There is no guarantee that these levels will be used or will be stable for any purpose

The goal is to advance the levels in two dimensions, breadth and depth. Breadth is the coverage of the review across the space of security mechanisms and security vulnerabilities. Depth is the level of rigor applied to the analysis of the application.

The following assessment levels are proposed:

  • AL1: Partial Application Security Check
  • AL2: Basic Application Security Check
  • AL3: Standard Application Security Verification
  • AL4: Enhanced Application Security Verification
  • AL5: Comprehensive Application Security Verification


AL1: Partial Application Security Check

Automated scans (either external vulnerability scan or code scan or both) with minimal interpretation and verification.

AL2: Basic Application Security Check

AL1 + verification of scan results using manual penetration testing and code review. Security areas not scanned (encryption, access control, etc...) must be lightly tested or code reviewed.

AL3: Standard Application Security Verification

AL2 + verification of common security mechanisms and common vulnerabilities using either manual pentesting or code review or both. Not all instances of problems found. Sampling allowed.

AL4: Enhanced Application Security Verification

AL3 + verification of all security mechanisms and vulnerabilities based on high level threat model (part of assessment if not provided) using either manual pentest or code review or both.

AL5: Comprehensive Application Security Verification

AL4 + search for malicious code. All code must be manually reviewed against a standard and all security mechanisms tested.

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.