tag:blogger.com,1999:blog-77842756875359546422012-01-22T17:59:05.576-08:00A comprehensive security scoring method for web applicationsFredhttp://www.blogger.com/profile/09157392358166457109noreply@blogger.comBlogger41100tag:blogger.com,1999:blog-7784275687535954642.post-37005563160220581652007-08-24T04:33:00.000-07:002007-08-27T01:06:54.973-07:00The purpose of the scoring scale CCWAPSS is to share a <span style="font-weight:bold;">common evaluation method</span> for web application security assessments/pentests between security auditors and final customers.<br /><br />This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the <span style="font-weight:bold;">security level of a web application</span>.<br /><br />CCWAPSS is focused on rating the security level of a distinct web application, web services or e-business platform. CCWAPSS does not aim at scoring a whole heterogenic perimeter.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7784275687535954642-3700556316022058165?l=ccwapss.blogspot.com' alt='' /></div>Fredhttp://www.blogger.com/profile/09157392358166457109noreply@blogger.com11tag:blogger.com,1999:blog-7784275687535954642.post-46928063533428492412007-08-23T05:09:00.000-07:002007-08-26T02:32:14.487-07:00• Fighting against the « gaussienne » inclination using a restricted granularity that forces the auditor to <span style="font-weight:bold;">clear-cut</span> score (there is no medium choice).<br /><br />• Offering a solution to interpretation problems between different auditors by providing clear and well <span style="font-weight:bold;">documented criteria</span>.<br /><br />• The maximum score (10/10) means “compliant with <span style="font-weight:bold;">Best Practices</span>”. This score could be exceeded in case of excellence (like a medical vision evaluation such as 12/10).<br /><br />• Each criteria is relative to section of the <span style="font-weight:bold;"><a href="http://www.owasp.org/index.php/OWASP_Guide_Project">OWASP Guide 3.0</a></span>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7784275687535954642-4692806353342849241?l=ccwapss.blogspot.com' alt='' /></div>Fredhttp://www.blogger.com/profile/09157392358166457109noreply@blogger.com1tag:blogger.com,1999:blog-7784275687535954642.post-80076359441401975722007-08-22T05:13:00.000-07:002007-08-24T05:17:35.693-07:001 - Authentication<br />2 - Authorization<br />3 - User’s Input Sanitization<br />4 - Error Handling and Information leakage<br />5 - Passwords/PIN Complexity<br />6 - User’s data confidentiality<br />7 - Session mechanism<br />8 - Patch management<br />9 - Administration interfaces<br />10 - Communication security<br />11 - Third-Party services exposure<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7784275687535954642-8007635944140197572?l=ccwapss.blogspot.com' alt='' /></div>Fredhttp://www.blogger.com/profile/09157392358166457109noreply@blogger.com3tag:blogger.com,1999:blog-7784275687535954642.post-88843992096563964962007-01-06T10:55:00.000-08:002007-11-06T11:40:36.050-08:00The Risk Factor concept used by the CCWAPPSS is the answer to the question : <i>Could this vulnerability lead to major issues</i> ?<br /><br />To figure out the Risk Factor of a vulnerability, the auditor has to answer the following questions :<br /><ul><li>Is the exploitation of this vulnerability trivial or sophiticated ?<br /></li><li>Could the exploitation of this vulnerability have an impact on the business activity ?</li></ul><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7784275687535954642-8884399209656396496?l=ccwapss.blogspot.com' alt='' /></div>Fredhttp://www.blogger.com/profile/09157392358166457109noreply@blogger.com2