Raising the Bar in Application Security Verification

CREST Teams Up with OWASP in Pursuit of Greater Software Assurance
Raising the Bar in Application Security Verification

Application security cannot be underrated in the age when most of the organizations and businesses rely on web or mobile applications for their operations. It is exciting to see the standard for the AppSec being raised and its importance emphasized. CREST, an international organization representing global cybersecurity industry with a mission to create a secure digital world for all through quality assuring its members, announced a new accreditation program that infuses OWASP Foundation’s ASVS (Application Security Verification Standard) framework into a new standard – OVS (OWASP Verification Standard). It is intended to allow companies to obtain greater software assurance around their products through accredited firms from CREST.

What does it mean for companies and software development?

The OVS is meant to provide software-based companies and companies that want to vet software products made by third-party developers with a standard to evaluate their application security posture of the products that are coming in. The framework defines a new threshold for companies to find a greater software assurance, as well as help form a countermeasure library when performing risk-centric threat modeling.

So, it is a great way to finally have a good reliable test to make sure that application security principals are well baked into the software. It is good to see the collaboration between two separate distinct entities – CREST being a global accreditation firm and OWASP (Open Web Application Security Project), a widely recognized name with so many projects affiliated with it. It’s a great organization that works to promote openness in the global InfoSec community in order to come up with innovative projects. The application security verification standard is one of them, and its latest iteration is now being adopted as OVS (OWASP Verification Standard). CREST OVS will provide a consistent approach to web and mobile application security and elevate the standard to a new level.

It is a great news for the cybersecurity community and we, at VerSprite, are very excited for the collaboration. Now, we can expect to see is a lot of companies use the OVS as a way to evaluate the software being adopted within their own environment. There are so many use cases to apply the OWASP Verification Standard, even beyond the standard provided by CREST, you have a phenomenal ASVS framework. It helps meet requirements for secure development and provides a basis for testing application security controls.

Speaking of the security frameworks, if you are a practitioner and you do threat modeling, look out for an adapting that VerSprite will be doing in order to take ASVS and incorporate it as a countermeasure library mapping it to the existing libraries that we have adapted from different industry sources as a part of our risk centric modeling process called PASTA (Process for Attack Simulation and Threat Analysis). If you are not familiar with PASTA, I explain the process by metaphorically cooking pasta and making analogies to the methodology.

Going back to OVS, it is such an exciting news to see a framework from OWASP get the endorsement officially from CREST and now as a part of formal accreditation. Any organization that is looking to vet how software gets produced and validate it in terms of the security standard can now use the accreditation process and a family of accredited firms, such as VerSprite, to be able to evaluate whether or not the software passes a certain rigor of application security measures. VerSprite is a proud to be one of the 300 companies accredited by CREST. All members undergo a thorough quality assurance process and employ competent professionals.

Again, this is a great development for the cybersecurity community and a perfect timing as we go into the week of BlackHat and DefCon conferences. I hope to see many of you there.
If not, let’s connect: Twitter   LinkedIn

Tony UcedaVelez is a CEO at VerSprite, co-founder of PASTA threat modeling methodology, and Atlanta Chapter President of OWASP.

If you would like to learn more about PASTA methodology, you can download the FREE eBook.

The VerSprite PASTA Threat Model Framework provides enterprises with results to support their security efforts, meet business objectives, and provide stakeholders and decision-makers with solutions and guidance to scale the business.