I’ve just finished a job where I used OWASP’s Application Security Verification Standard as a light weight security architecture template.
The good news is that it helped us decide a bunch of controls (using ESAPI of course) that will hopefully improve the security of the application. I’ll find out in a few months if any of it helped.
What worked: pretty much everything.
What didn’t work: Some controls are not relevant to some classes of application. Do your homework before you go into the meeting so you can skip over ASVS controls that simply can’t work.
We found that there are controls we discussed that aren’t in the ASVS. The ASVS is a 80%/20% (Pareto principle) standard as pretty much all apps come from such a low basis today, so any security improvement is a worthwhile improvement even if it’s not milspec. I wasn’t too fussed that we missed a few key items.
For those of you floundering around trying to figure out how to do Security Architecture reviews, ASVS can be your friend!
Is it possible to expand upon “controls we discussed that aren’t in the ASVS” please?
Sorry, no.
I’m under quite strict NDA and I think I’d rather have all my fingers as well as naming rights to my child left alone!
I will try in a future post to show where the ASVS has gaps with various standards like SP800-53 and others.
I did this back when I worked at Aspect, but unfortunately, all that work was left with Aspect as they paid for its development.
It’s not hard to do this sort of gap analysis, just time consuming to do over is all.
Pingback: Week 20 in Review – 2010 | Infosec Events