Comments on Web Application Security - from the start: OWASP ASVS "Level 0 - No Verification"
Feed last updated 2024-03-26T11:46:50.339+01:00. Blog author: alexisfitzg (http://www.blogger.com/profile/11125069272250693078)

Comment by abarie1 (https://www.blogger.com/profile/08808852934851082310), 2020-06-30T14:12:07.498+02:00:
Individuals everywhere throughout the world are following each other on Twitter, and receiving a major kick in return. In this manner, Twitterific is our top pick from the iTunes Application Store.
Link: scam-site verification (https://police-mt.com)

Comment by alex petar (https://www.blogger.com/profile/01776711159538392466), 2020-04-28T22:40:53.361+02:00:
The author has composed this blog in an extremely informal way.
Link: Brave Browser Download (https://braveinternetbrowser.com/download)

Comment by Ladla King (https://www.blogger.com/profile/02409861137160583173), 2018-11-28T22:16:35.385+01:00:
I should assert barely that it's astounding! The blog is informational and always fabricates amazing entities.
Link: mason soiza (https://medium.com/@masonsoizaseoexpert)

Comment by Rocket (https://www.blogger.com/profile/10731517671016296799), 2017-09-17T16:57:13.504+02:00:
The most outstanding component about this blog is the means by which it doesn't neglect to keep its gathering of people connected with at each point.
Link: web design company (http://steveseos.com/)

Comment by Alex moner (https://www.blogger.com/profile/02635328221496286054), 2017-05-16T22:58:47.324+02:00:
This comment has been removed by a blog administrator.

Comment by alexisfitzg (https://www.blogger.com/profile/11125069272250693078), 2010-09-27T09:50:42.956+02:00:
I wish you all the best in your new role as ASVS project leader!

Comment by cmlh (https://www.blogger.com/profile/16937512417517955446), 2010-09-24T02:47:00.602+02:00:
@alexisfitzg,

In relation to ASVS,

The major cause of resistance to ASVS is that it was created from the perspective of a webappsec vendor with some experience with Common Criteria (i.e. CC EAL was translated to ASVS Target of Verification (TOV) - yes this is an oversimplification) rather than the perspective of the consumer.

Creating a TOV 0 would imply that the vendor has at least dedicated some effort to webappsec controls and hence would confuse the consumer and would therefore simply be exploiting the intent of ASVS as you have stated.

TOV 1 and TOV 2 should be consolidated, as should TOV 3 and TOV 4, as a majority of the effort to reach the higher TOV has already been delivered in the lower TOV - again this is an oversimplification due to the discrete overlap of each TOV.

I will rectify your issues which I had already identified previously when I am elected as the OWASP ASVS Project Leader, i.e. http://www.owasp.org/index.php/OWASP_Request_for_Proposals/New_Project_Leader/ASVS/Application_5

Comment by cmlh (https://www.blogger.com/profile/16937512417517955446), 2010-09-24T02:07:09.331+02:00:
@alexisfitzg,

In relation to PA-DSS,

I doubt the PCI SSC will transition to ASVS in the short to medium term considering a majority of the Validated Payment Application(s) (VPA) still conform to the former Payment Application Best Practice (PABP) published by VISA.

Furthermore, ASVS is scoped to web applications only and hence may not be applicable to Payment Applications which are served from TANDEM, AS/400 and Mainframe unless the Payment Application is served from a web server on an LPAR.

I have highlighted a number of other issues with PA-DSS within http://www.slideshare.net/cmlh/padss

Comment by Toby Osbourn (https://www.blogger.com/profile/12272318108145320922), 2010-09-20T14:22:03.365+02:00:
There could be some internal applications where level 0 is enough to aim for (and automatically achieve).

If it is literally a loader for some scripts that are handy to run every so often, or something of similar ilk where if it breaks no one would actually miss it, then I think it is fine to say it reaches level 0.

Comment by alexisfitzg (https://www.blogger.com/profile/11125069272250693078), 2010-09-20T09:22:03.640+02:00:
Joeri, it's interesting to hear of a company that has decided to formally adopt the standard as you have. I wonder whether the PCI standards council would ever specify that payment card applications need to verify to a specific ASVS level. Alexis

Comment by Joeri (https://www.blogger.com/profile/17500278865823313342), 2010-09-17T14:30:27.895+02:00:
(Repost because I got an error earlier)
We have a dedicated security resource set on achieving level 1 compliance in our upcoming release. We intend to reach level 2 in future releases. We already had a security process, but ASVS revealed several gaps in our security architecture, even at level 1. In our case getting the resources assigned was not a big issue, because we are selling to several banks and multinationals, and they're tightening up on web app security.