CCWAPSS: Pentest and score the security level of a web application

The purpose of the CCWAPSS scoring scale is to give security auditors and their customers a common evaluation method for web application security assessments and pentests.

This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

CCWAPSS is focused on rating the security level of a single web application, web service or e-business platform. CCWAPSS does not aim at scoring a whole heterogeneous perimeter.

Key benefits of CCWAPSS scoring

• Fighting the “Gaussian” inclination (scores clustering around the middle) by using a restricted granularity that forces the auditor to give a clear-cut score (there is no medium choice).

• Offering a solution to interpretation problems between different auditors by providing clear and well documented criteria.

• The maximum score (10/10) means “compliant with best practices”. This score can be exceeded in case of excellence (like a medical vision test rated 12/10).

• Each criterion corresponds to a section of the OWASP Guide 3.0.

The 11 scoring criteria

1 - Authentication
2 - Authorization
3 - User’s Input Sanitization
4 - Error Handling and Information leakage
5 - Passwords/PIN Complexity
6 - User’s data confidentiality
7 - Session mechanism
8 - Patch management
9 - Administration interfaces
10 - Communication security
11 - Third-Party services exposure

Risk factor: Difficulty of Exploit vs Business Impact

The Risk Factor concept used by CCWAPSS answers the question: could this vulnerability lead to major issues?

To figure out the Risk Factor of a vulnerability, the auditor has to answer the following questions:
  • Is the exploitation of this vulnerability trivial or sophisticated?
  • Could the exploitation of this vulnerability have an impact on the business activity?