Web Application Security Benchmarking - Going the extra mile.
Posted by John Beale on Wed, Mar 23, 2011
What drives a company to perform a penetration test or web application security test? If you are a software company or a service provider, it is most likely that your clients and partners need to know that appropriate security controls are in place within your web applications and systems.
If you are a company or government organisation, your security tests may be driven by the need to meet regulatory compliance requirements, policy compliance or satisfy the needs of an internal or external auditor.
What both scenarios have in common is the need for security tests to go one step further and to provide evidence of the security of an environment. The security needs to be quantified, and hence measured against a fixed point, or benchmark.
Large organisations may have specific internal security policies and standards in place, against which they measure their application security. Smaller organisations need external standards against which to measure.
It is essential, then, to look to organisations such as OWASP, the Open Web Application Security Project. A non-profit global organisation committed to improving the security of web application software, its OWASP Top 10 represents a broad consensus of the most critical web application security flaws.
The Web Application Security Consortium (WASC) is another non-profit group comprising industry experts and practitioners who produce best practice security standards as well as facilitating an open forum for the exchange of ideas.
The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for performing security tests. It focuses on technical details and how to measure results.
The CWE / SANS Top 25 list of The Most Dangerous Software Errors is a collaboration between the SANS Institute, MITRE and top international software security experts, which documents widespread and critical programming errors.
The Plynt Certification Criteria combines all four global industry standards, whilst also focusing on the threat profile relating to specific web applications. This enables us to demonstrate that an application defends against threats that are specific to its business context. For example, a banking application needs to protect against the threat of funds being siphoned off, while a gaming application has to protect against the threat of the rules of the game being violated.
Through security benchmarking, we can clearly see any security gaps within our web applications and any deviation between our security posture and globally accepted good practice. We can then follow the recommendations to quickly and effectively close the gap.
By benchmarking against recognised global standards, software companies and service providers can demonstrate a proactive approach to information security to clients and prospective clients. Organisations driven by compliance and audit requirements can provide clear evidence of their security posture.
References

OWASP - The Open Web Application Security Project
OSSTMM - The Open Source Security Testing Methodology Manual
WASC - The Web Application Security Consortium
CWE / SANS Top 25 list of The Most Dangerous Software Errors
SANS Institute
MITRE
Plynt Certification Criteria