Collaborate Disseminate
I am new to this role. So I am trying to understand a few things.
My organisation wants to evaluate the existing application according to ASVS https://github.com/OWASP/ASVS/blob/master/4.0/docs_en/OWASP%20Application%20Security%20Verificat… Continue reading Automate ASVS with ZAP
I am new to this role. So I am trying to understand a few things.
My organisation wants to evaluate the existing application according to ASVS https://github.com/OWASP/ASVS/blob/master/4.0/docs_en/OWASP%20Application%20Security%20Verificat… Continue reading Automate ASVS with ZAP
I am trying to create a security checklist for developers/testers of web applications to make sure that the web app is compliant with all the security guidelines.
When looking at the different standards available, I found OWASP top 10, OWA… Continue reading Which standard can be used to seed security checklist for web application?
I was assigned homework at university. It’s about describing ASVS 1.4 – 1.5 and how I would verify it on 3rd party application. Can you help me where to find how to test those requirements? Teacher told me to use WSTG but there is nothing … Continue reading ASVS V1 test description
We are planning to lay out guidelines in our organisation for everyone to follow a secure software development lifecycle. As part of this, we plan to adopt the security knowledge framework (SKF) that provides a checklist based on the ASVS … Continue reading Do we need threat modelling after following ASVS standard?
NIST and OWASP ASVS recommends checking passwords against those obtained from previous data breaches. The list of such passwords can be downloaded from "Have I Been Pwned" (https://haveibeenpwned.com/Passwords), but there are mor… Continue reading Passwords verification against a set of breached passwords
I’ve been looking at OWASP Application Security Verification Standard 4.0.2 for a while now, and I’m trying to understand all the checkpoints in detail.
I am not sure what exactly the author of a particular point meant. Therefore, I have a… Continue reading How to interpret "Verify the use of a secure software development lifecycle that addresses security in all stages of development"?
I am working on a new project with a team of developers. The SOPA web services will be the main channel to publish the services.
I’d like to make secure those services from the begging and give the developers the guidelines on how to secur… Continue reading Session Management Verification Requirements from ASVS 3.0.1 and SOAP web services
Has any 3rd party audited Keycloak for OWASP ASVS compliance (at any level – 1 2 or 3)?
I’m building a case for retiring the custom auth part of a legacy application in favour of Keycloak.
The longer term goal is to achiev… Continue reading Has any 3rd party audited Keycloak for OWASP ASVS compliance (at any level – 1 2 or 3)?
I recognise that context-sensitive authorisation to applications is a good security control however I can currently only think of location being an example of a sensitive context.
I don’t consider time being a sensitive cont… Continue reading What parameters can be used to configure context-sensitive authorisation?