Transcript Slide 1

Manual Design and Code Review

At higher levels in ASVS, the use of tools is encouraged. But to be effective, the tools must be heavily tailored and configured to the application and framework in use.

[Figure: verification approaches shown side by side: Manual Design Review, Manual Test and Review, Tools]
[Figure: OWASP ASVS Levels 1, 2, 3 and 4; Level 1 is subdivided into 1A and 1B, Level 2 into 2A and 2B]
[Figure: structure of the standard: High-Level Requirements per level (Level 1, Level 1A, Level 1B, Level 2, Level 2A); Detailed Requirements ("Shall verify..."); Reporting Requirements (Report: Introduction, Description, Architecture, Results, Pass/Fail)]
[Figure: Web Application that is the Target of Verification, with actors End User, Web Application and Backend; the application calls Frameworks, Libraries, Application Server, Web Server and Database]
[Figure: the same target decomposed into Presentation Layer, Controller, Business Functions and Data Layer, each of which calls Frameworks, Libraries, Application Server, Web Server and Database]
[Figure: the same decomposition with the actors extended to End User, Attacker, Administrator and Backend (attacker shown on both the user and backend sides)]
[Figure: the same diagram with Unexamined code highlighted among the called Frameworks, Libraries, Application Server, Web Server and Database]
Requirements Definition by Risk Level: Define your own application risk levels mapped to ASVS for security requirements definition.

App A: Design for a Particular Risk Level: Here is where you plan how you are going to meet all your selected ASVS security requirements. Use ESAPI as part of your design to meet the ASVS requirements.

Implementation: Build your ESAPI by extending ESAPI controls, integrating your standard controls, and implementing needed custom controls. Use it to protect your app.

Perform Initial Verification: Verify against your selected ASVS level. Here is where you find out if your application has vulnerabilities such as Cross-Site Scripting (XSS), SQL injection, CSRF, etc.

Iterate App Enhancements: Fix vulnerabilities, then remediate and reverify.