
OWASP ASVS Levels

halle

Presentation Transcript


  1. Manual Design and Code Review. At higher levels in ASVS, the use of tools is encouraged. But to be effective, the tools must be heavily tailored and configured to the application and framework in use. [Diagram: OWASP ASVS Levels 1, 2, 3, 4 set against the verification approach, ranging from Tools, through Manual Test and Review, to Manual Design Review.]

  2. OWASP ASVS Levels, built up one step at a time: Level 1 (1A, 1B); Levels 1 and 2 (2A, 2B); Levels 1, 2 and 3; Levels 1, 2, 3 and 4.

  3. [Table: High-Level Requirements, Detailed Requirements and Reporting Requirements. Columns per level (Level 1A, Level 1B, Level 2, ...); rows of detailed requirements ("Shall verify ..."), ticked for each level at which they apply. Report contents: Introduction, Description, Architecture, Results, Pass/Fail.]

  4. Web Application that is the Target of Verification. [Diagram: End User calls the Web Server, which calls the Application Server hosting the Web Application together with its Frameworks and Libraries; the application in turn calls the Database and the Backend.]

  5. Web Application that is the Target of Verification. [Same diagram, with the Web Application broken down into Presentation Layer, Controller, Business Functions and Data Layer.]

  6. Web Application that is the Target of Verification. [Same diagram, adding the assets ($) held in the application, its frameworks and libraries, and the database; an Administrator; and an Attacker on the end-user side as well as an Attacker on the backend side.]

  7. Web Application that is the Target of Verification. [Same diagram, additionally marking Unexamined code alongside the Frameworks and Libraries.]

  8. Using ASVS for App A: Requirements Definition by Risk Level → Design for a Particular Risk Level → Implementation → Perform Initial Verification → Remediate and Reverify → Iterate App Enhancements. Annotations on each step: Requirements Definition: define your own application risk levels, mapped to ASVS levels, for security requirements definition. Design: here is where you plan how you are going to meet all your selected ASVS security requirements; use ESAPI as part of your design to meet the ASVS requirements. Implementation: build your ESAPI by extending ESAPI controls, integrating your standard controls, and implementing needed custom controls; use it to protect your app. Perform Initial Verification: verify against your selected ASVS level; here is where you find out if your application has vulnerabilities such as Cross-Site Scripting (XSS), SQL injection, CSRF, etc. Remediate and Reverify: fix vulnerabilities.
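The "build your ESAPI" step on slide 8 is easiest to see in code. The block below is an added example, not taken from the slides and not OWASP ESAPI itself: a small centralised control layer covering the three vulnerability classes the slide names (XSS, SQL injection, CSRF), each hardened control shown beside the weak construction it replaces. The class name `SecurityControls`, the `users` table and the sample payloads are assumptions constructed for the demonstration.

```python
"""
Added example (not from the slides or from OWASP ESAPI): a minimal
application security control layer in the spirit of the "build your
ESAPI" step. Three controls cover XSS, SQL injection and CSRF; each is
shown beside the weak construction it replaces. All names and sample
data here are assumptions made for this example.
"""
import hmac
import html
import secrets
import sqlite3


def unsafe_html(name: str) -> str:
    # Weak form: untrusted input concatenated straight into markup.
    return "<p>Hello " + name + "</p>"


def unsafe_lookup(conn: sqlite3.Connection, username: str) -> list:
    # Weak form: string concatenation builds the SQL statement.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


class SecurityControls:
    """Centralised controls that every code path is expected to call."""

    def __init__(self) -> None:
        self._csrf_tokens: dict[str, str] = {}  # session id -> token

    @staticmethod
    def encode_for_html(value: str) -> str:
        # Control for XSS: entity-encode the HTML metacharacters (& < > " ').
        return html.escape(value, quote=True)

    @staticmethod
    def lookup_user(conn: sqlite3.Connection, username: str) -> list:
        # Control for SQL injection: bound parameter, never concatenation.
        return conn.execute(
            "SELECT id, username FROM users WHERE username = ?", (username,)
        ).fetchall()

    def issue_csrf_token(self, session_id: str) -> str:
        # Control for CSRF: unpredictable per-session token (256 bits).
        token = secrets.token_hex(32)
        self._csrf_tokens[session_id] = token
        return token

    def verify_csrf_token(self, session_id: str, submitted: str) -> bool:
        # Constant-time comparison; unknown session or missing token fails closed.
        expected = self._csrf_tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def build_sample_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.commit()
    return conn


def demo() -> dict:
    """Run each weak form and its control against a constructed payload."""
    controls = SecurityControls()
    conn = build_sample_db()
    payload = "<script>alert(1)</script>"   # constructed XSS probe
    injection = "x' OR '1'='1"              # constructed SQLi probe
    sid = "session-123"
    token = controls.issue_csrf_token(sid)
    return {
        "unsafe_html": unsafe_html(payload),
        "safe_html": "<p>Hello " + controls.encode_for_html(payload) + "</p>",
        "unsafe_rows": len(unsafe_lookup(conn, injection)),          # filter bypassed
        "safe_rows": len(SecurityControls.lookup_user(conn, injection)),
        "csrf_ok": controls.verify_csrf_token(sid, token),
        "csrf_forged": controls.verify_csrf_token(sid, "0" * 64),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of routing every code path through one class is the one the slide makes: verification against an ASVS level then becomes a check that the control is present and correctly configured at each call site, rather than a re-audit of ad hoc escaping and query building scattered through the layers of slide 5.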
