OWASP in Action: Tools for the DISA ASD STIG
The presentationOWASP Software Assurance Day at the | 13th Annual Software Assurance Forum.
Jason Li is a Principal Consultant for Aspect Security where he has performed numerous ASD STIG validation tests of a variety of applications. In addition, he performs application security assessments and architecture reviews, as well as application security training, to a wide variety of financial and government customers. Jason is an active OWASP leader, contributing to several OWASP projects and serving as Co-Chair of the OWASP Global Projects Committee. He holds a Post-Masters certificate in Computer Science and concentration in Information Security from Johns Hopkins University and a Masters degree in Computer Science from Cornell University.
Defense Information Systems Agency (DISA) provides Security Implementation Technical Guides (STIGs) to cover the gamut of systems dev elopement. The Application Security and Development (ASD) STIG first issued in 2006 and the most recent issuance came out in April 2010. This STIG applies to all DOD developed, architected, and administered applications. There are a 157 different STIG rules, some are very broad, others very specific, and some are complex. It is easy to get lost in the weeds. Some are harder to test than others. There are procedural, configuration, and standards requirements. OWASP is explicitly called out as a resource in the ASD STIG checklist; see the OWASP documentation projects and they are free. The OWASP Top Ten Project lines up well with the ASP STIG; there are 33 Category One STIG flaws most of which in the top 10.
Li reviewed the STIG requirements and related OWASP tools and methods. There is no “gold disk” for the ASD STIG. However, the OWASP Live CD Education Project could be used if some one were to contribute a mapping of the tools with the STIG. Some of the requirements Jason reviewed include: OWASP DirBuster can in part address APP3620 Information Disclosure. APP5080 Code Review is covered by the OWASP Application Security Verification Standard (ASVS). APP6130 Systems Monitoring would be met by the OWASP AppSensor Project. APP5100 Fuzz Testing can be met by the OWASP JBroFuzz Project and the OWASP WSFuzzer Project.
--Walter Houser 22:19, 5 October 2010 (UTC)