OWASP Corporate Application Security Rating Guide

Revision as of 23:59, 31 January 2007 by Jeff Williams (talk | contribs) (Commercial Companies)

Jump to: navigation, search

OWASP is building a directory of public application security claims from a variety of organizations. All the information referenced must be on the company's public website or some other reputable source of information, such as a public interview of the company's CSO.

Note this is a survey of what companies are claiming not what they actually do. The purpose is to gain insight into how the software market is changing. In addition, we hope that this effort will encourage organizations to disclose their application security practices.


Organizations have been rated on the following five characteristics:

1. The organization has established an ongoing application security awareness and training program.
The training program must ensure that software developers, architects, and testers have been exposed to application security and understand how to find and prevent the common vulnerabilities. Leaders and managers must also be trained in how to lead projects and teams to produce secure applications.
2. The organization defines security requirements for each application.
The organization must define application security requirements for each application based on understanding of the threat model for the business. These requirements are used to drive security through the software development process and are verified as part of the testing and acceptance processes.
3. The organization verifies the security of all applications.
All of the company's applications (including internal applications) receive some level of scrutiny to verify security and check for common vulnerabilities before they are deployed and at least yearly thereafter. The most critical applications must receive a detailed code review and penetration test, while less critical applications must receive at least an automated security scan.
4. The organization has established a dedicated application security team.
The organization has an application security team that provides expert application security support to development projects across the software development lifecycle. In particular, the team helps with security requirements, threat modeling, architecture reviews, code reviews, and penetration testing.
5. The organization has established a clear process for responding to security issues.
The organization will provide a working point of contact for all application security issues. The organization must have a defined process for handling issues through their conclusion, and they must follow the process.


Each organization has been rated according to the following scheme:

Full (2 points)
All parts of the characteristic are specifically mentioned in the public materials.
Partial (1 point)
Some of parts of the characteristic are mentioned in the public materials.
None (0 points)
The public materials have been thoroughly researched and do not demonstrate that characteristic
Unknown (0 points)
The claims on this subject have not yet been investigated


Here is a template for a new entry

| [http://www.foobar.com FooBar]
| [http://www.foobar.com/asfasf Full]
| [http://www.foobar.com/asfasf Partial]
| None
| [http://www.foobar.com/asfasf Partial]
| [http://www.foobar.com/asfasf Full]
| 6

Software Vendors

This table should be used for companies selling software products.

Organization 1. Awareness 2. Requirements 3. Verification 4. AppSec Team 5. Response Score
Microsoft Full Full Full Full Full 10
Oracle Full None Partial None Full 5
Foobar Full Full Full Full Full  ?

Commercial Companies

This table is for companies that do not sell software, but develop custom software for internal and external web applications, web services, and other software.

Organization 1. Awareness 2. Verification 3. AppSec Team 4. SDLC 5. Responsibility Score
Nationwide Partial Unknown Unknown Unknown Unknown 1