OWASP Application Security Verification Standard 2013
Quien se mueve por el mundo de la seguridad web, conoce sobradamente Owasp. Organización que se dedica a divulgar y realizar estándar alrededor de la seguridad. Son famosos por su TOP TEN. En el que mediante un estudio que sacan el TOP 10 de las vulnerabilidades.
Aquí tenemos una imagen de la evolución del top ten de Owasp al cabo de los años.
Pues el artículo de hoy trata sobre el OWASP Application Security Verification Standard 2013 en el que han hecho ahora realease de la BETA.
¿De que trata el proyecto?
Básicamente ayudar a la organización de desarrollar y mantener aplicaciones seguras, y para permitir el servicio de seguridad / herramientas de los proveedores y los consumidores.
Caso de ejemplo1:
Para entender como sería un caso de uso, he extraído uno de la documentación.
Use Case 1: Certification of Applications
ACME Bank has developed a new Internet Banking portal, which is due to be deployed into their UAT environment. The application has followed the bank’s SDLC process and should be in a secure state. The Internal security team at ACME Bank has been tasked to ensure that once deployed into the UAT environment, it does not pose a risk to other applications, due to it being hosted on a shared platform and database. After an internal threat modeling exercise was performed, it was agreed that the application had a high-risk associated with it and the data stored within it.
The team makes use of a well-known web application scanning tool and start the process of mapping out the application in preparation for the automated scanning phase. Once complete, the automated scanning tool is started and left to complete. Once the report has been generated, the security analyst tests for false positives (such as SQL injection, or XSS) and amends the report as necessary. Any findings discovered are reported back to the system owners and development team, in order to be rectified. Once this has been completed, the re-test of the application is resumed to ensure they have been resolved in a suitable manner.
In this example, using the ASVS could allow the internal team to test for common application flaws as well as verify that it had been developed in accordance to the banks security standard.
El Owasp ASVS define el estándar en 4 capas:
Por ejemplo, el nivel 0 es:
An application achieves Level 1 (or Opportunistic) certification if it adequately defends against application security vulnerabilities that are easy to discover.
Para descargar u obtener información sobre el proyecto: