OWASP-Turkey published in 2010 a check list for web application security which provides various security controls for web application developers and system administrators.

It was planned to create the second version of the check list. I have been involved in the project and within the past 6 months we have worked on the new check list and structured and enhanced the document. Today we have announced the new check list and published it in Excel and PDF formats.

Compared to the first version, the new security check list contains the following enhancements:

• More security controls have been added. The new check list contains now 62 security controls.
• The categorization is now based on OWASP Testing Guide categories.
• Each security control is assigned to a verification requirement of OWASP ASVS (Application Security Verification Standard Project).
• The document has been published in PDF as well as in Excel format. The Excel format provides tool functionality and shows implemented and unimplemented security controls in graphical representations.
• Each security control has a status (Yes, No, Out-of-Scope) flag which is explicitly managed within the Excel tool.
• A Turkish-English terminology of security terms has been added to the document.

Now, our next step is translation into English. I believe the document would be very helpful for anyone (e.g. developer, auditor, security architect, IT architect, system administrator, database administrator, etc.) focusing on security aspects during development and operations of web applications.

You can download the documents from Publications section as well.

I have completed the review of the book “Secure and Resilient Software Development” for IACR (International Association for Cryptologic Research) book review program.

The review can be summarized as follows:

This book is a “must read” resource for security experts focusing on application security and for application designers and developers who need to integrate security into their systems. It provides various aspects of application security for each phase of software development. The authors have practical experience in application security and wrote a practice-oriented book. The chapters are well-structured and arranged in a good logical order. I would strongly recommend this book to security architects, security trainers, application designers and developers. But I would not recommend the book for students who might have less security and development knowledge due to missing real-life project experience. The broad content of the book could be quite complicated for students to follow.

You can download the review from the Publications section as well.

I have recently completed penetration testing of a SAP portal application for a customer. It was a short-time (5 days) assignment which required execution of tool-supported automatic pentest (with IBM Appscan), manual pentest and preparation of final presentation that explains findings and countermeasures.

In such short time pentests, it is very important that test plan is scheduled efficiently. In the following, I want to summarize some important aspects that are relevant for executing pentests successfully and efficiently:

Read the rest of this entry »

Two nice articles from Dinis Cruz (Chief Owasp Evangelist) regarding application security assessment by IBM: