OWASP Corporate Application Security Rating Guide

From OWASP
Revision as of 08:21, 29 June 2008 by Pauloc (Talk | contribs)


PROJECT IDENTIFICATION
Project Name: OWASP Corporate Application Security Rating Guide Project
Short Project Description: This project will organize and structure publicly available data that large companies share about the lessons they learned in setting up an application security initiative, including best practices for training and testing. Publicly available data such as interviews, presentations and briefings will be analysed for details, and the project will link to all source material used in creating the rating. The rating covers application security awareness and training; defining security requirements and verification for each application; establishing a dedicated application security team and a process for responding to security issues; and allocating points to each of these.
Email Contacts
SoC's Project Leader: Parvathy Iyer
Project Contributors (if applicable): (none listed)
Mailing List: (to be added)
First Reviewer: Neal Kirschner
Second Reviewer: Omar Sherin
OWASP Board Member: (to be named)
PROJECT MAIN LINKS
  • (If appropriate, links to be added)
RELATED PROJECTS
SPONSORS & GUIDELINES
Sponsor - OWASP Summer of Code 2008 Sponsored Project/Guidelines/Roadmap
ASSESSMENT AND REVIEW PROCESS
Reviews are performed by the author (self-evaluation, applicable for Alpha Quality and further), the First Reviewer (applicable for Alpha Quality and further), the Second Reviewer (applicable for Beta Quality and further) and an OWASP Board Member (applicable just for Release Quality).


OWASP is building a directory of public application security claims from a variety of organizations. All the information referenced must be on the company's public website or some other reputable source of information, such as a public interview of the company's CSO.

Note that this is a survey of what companies claim, not of what they actually do. The purpose is to gain insight into how the software market is changing. In addition, we hope that this effort will encourage organizations to disclose their application security practices.


Characteristics

Organizations have been rated on the following five characteristics:

1. The organization has established an ongoing application security awareness and training program.
The training program must ensure that software developers, architects, and testers have been exposed to application security and understand how to find and prevent the common vulnerabilities. Leaders and managers must also be trained in how to lead projects and teams to produce secure applications.
2. The organization defines security requirements for each application.
The organization must define application security requirements for each application based on understanding of the threat model for the business. These requirements are used to drive security through the software development process and are verified as part of the testing and acceptance processes.
3. The organization verifies the security of all applications.
All of the company's applications (including internal applications) receive some level of scrutiny to verify security and check for common vulnerabilities before they are deployed and at least yearly thereafter. The most critical applications must receive a detailed code review and penetration test, while less critical applications must receive at least an automated security scan.
4. The organization has established a dedicated application security team.
The organization has an application security team that provides expert application security support to development projects across the software development lifecycle. In particular, the team helps with security requirements, threat modeling, architecture reviews, code reviews, and penetration testing.
5. The organization has established a clear process for responding to security issues.
The organization provides a working point of contact for all application security issues. The organization must have a defined process for handling issues through to their conclusion, and it must follow that process.


Scoring

Each organization has been rated according to the following scheme:

Full (2 points)
All parts of the characteristic are specifically mentioned in the public materials.
Partial (1 point)
Some of the parts of the characteristic are mentioned in the public materials.
None (0 points)
The public materials have been thoroughly researched and do not demonstrate that characteristic.
Unknown (0 points)
The claims on this subject have not yet been investigated.


Template

Here is a template for a new entry (one wiki table row; the final column is the total score):

|- 
| [http://www.foobar.com FooBar]
| [http://www.foobar.com/asfasf Full]
| [http://www.foobar.com/asfasf Partial]
| None
| [http://www.foobar.com/asfasf Partial]
| [http://www.foobar.com/asfasf Full]
| 6


Software Vendors

This table should be used for companies selling software products.

Organization | 1. Awareness | 2. Requirements | 3. Verification | 4. AppSec Team | 5. Response | Score
Microsoft    | Full         | Full            | Full            | Full           | Full        | 10
Oracle       | Full         | None            | Partial         | None           | Full        | 5
Foobar       | Full         | Full            | Full            | Full           | Full        | ?


Commercial Companies

This table is for companies that do not sell software, but develop custom software for internal and external web applications, web services, and other software.

Organization | 1. Awareness | 2. Verification | 3. AppSec Team | 4. SDLC | 5. Responsibility | Score
Nationwide   | Partial      | Unknown         | Unknown        | Unknown | Unknown           | 1