English. Slides: PPTX, PDF. NDC {Oslo} 2018

Abstract

Any application with a mature lifecycle eventually needs a way to compare non-functional results, security among them, across releases and teams. This talk considers taking the OWASP Application Security Verification Standard (ASVS) as that basis and getting the maximum benefit from it.

The standard is defined by 189 controls organized in 16 categories. Depending on the criticality of the information it processes and its influence on business processes, a web application may target one of 3 levels. The more secure the application must be, the higher the level required, and the more controls are in scope. Unlike the OWASP Top 10, which lists risk categories, OWASP ASVS defines specific, measurable and achievable requirements. This lets all stakeholders, including product owners, architects and test analysts, specify, analyse and evaluate security tests against the same checklist, and gives the web application a defined level of assurance rather than an ad hoc one. Since OWASP ASVS is independent of any government and well established, it can be seen as a universal approach to defining security levels for web applications in any industry.