OWASP Application Security Assessment Standards Project Roadmap

The project’s primary objective is to establish common, consistent application security assessment standards that organizations can use as guidance on which tasks should be completed, how those tasks should be completed, who should be involved, and what level of assessment is appropriate given the business requirements.

This project will not define how to technically conduct an assessment (refer to the OWASP Testing Project for that); it is instead meant to tie business operations and information management practices to application security, in order to establish a common, consistent set of standards that provide guidance in conducting such assessments.

Overall Roadmap Phases
Phase I – Project Approach: Comment period for the proposed project approach; solicit contributor support.

Phase II – Application Assessment Definitions: Establish core assessment definitions to ensure common base terminology.

Phase III – Assessment Context: Establish standard assessment context, selection, qualification and process frameworks.

Phase IV – Assessment Levels: Establish a common set of application assessment levels to be used as business guidance, so that the level of assessment conducted matches the business application’s security requirements.

Phase V – OWASP Integration: Document integration components and linkages with existing and underway OWASP projects.

Per-Phase Project Objectives
Phase I – Project Approach and Objectives
Project Objective: Solicit contributor feedback to ensure the most effective and widely supported approach.
Target Time Frame: August 2006
Current Status: Call for volunteers
Contributors:
Reviewers:

Phase II – Application Assessment Definitions
Project Objective: Establish common definitions for business application types and security assessment types.
Target Time Frame: September 2006
Current Status: Call for volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Define the standard application assessment process as a swim-lane flow chart.
Target Time Frame: October 2006
Current Status: Call for volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Define a standard assessment scope of work per application type. This includes standard testing boundaries and the requirements placed upon the end user requesting the assessment.
Target Time Frame: October 2006
Current Status: Call for volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Plot where within a standard System Development Lifecycle (SDLC) the application security assessment steps should be defined and conducted.
Target Time Frame: October 2006
Current Status: Call for volunteers
Contributors:
Reviewers:

Phase III – Assessment Context
Project Objective: Establish a common set of assessor qualifications and evaluation criteria, so that the user of an assessment service can determine an assessor’s competence for each assessment type.
Target Time Frame: October 2006
Current Status: Call for volunteers
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Establish common terminology and decision criteria for the assessment level system. This includes an analysis of potentially corresponding security measurements (e.g. common security metrics, security assurance/maturity models, related legislation, other standards).
Target Time Frame: December 2006
Current Status: On hold pending the outcome of Phases I and II. Calling for future volunteers.
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Create the assessment levels based on the previous Phase IV objective. Define, per level, the assessment depth, the testing components required, and the degree and type of tool usage (tool categories, not product names).
Target Time Frame: March 2007
Current Status: On hold pending the outcome of Phases I and II. Calling for future volunteers.
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Document the linkages between the assessment levels and the common security metrics, security assurance/maturity models, related legislation, and other documented national standards identified under the first Phase IV objective.
Target Time Frame: May 2007
Current Status: On hold pending the outcome of Phases I and II.
Contributors:
Reviewers:

Phase IV – Assessment Levels
Project Objective: Establish guidance parameters that allow an organization to determine the appropriate assessment level for the business application to be assessed.
Target Time Frame: May 2007
Current Status: On hold pending the outcome of Phases I and II. Calling for future volunteers.
Contributors:
Reviewers:

Phase V – OWASP Integration
Project Objective: Document integration components and linkages with existing and in-progress OWASP projects.
Target Time Frame: July 2007
Current Status: On hold pending the outcome of Phases I through III.
Contributors:
Reviewers: