
Threat Intelligence Announces the Latest Application Security Verification Standards at OWASP AppSec EU Conference

Announcement posted by Threat Intelligence 22 May 2015

Comprehensive open source security standards checklist, free to developers. The 133 controls in ASVS Version 2.1 also cover mobile app risks.

Amsterdam, The Netherlands, 21 May 2015 and Sydney, Australia, 22 May 2015 – Today at the OWASP AppSec EU 2015 conference in Amsterdam, The Netherlands, Threat Intelligence, a leader in next-era risk management and penetration testing, announced the release of version 2.1 of the open source Application Security Verification Standards (ASVS).

Now available for download by application developers and testers, the broad-ranging controls included in the Standards have been created by the 40,000-strong membership of the Open Web Application Security Project (OWASP), the foremost web application security organisation in the world. With this latest evolution of the ASVS, project teams can confidently embed the security testing checklist into their development cycle to verify their app’s built-in security.

Principal Security Consultant at Threat Intelligence, Andrew van der Stock, is the Principal Author of the ASVS and also a Director of OWASP. In addressing the AppSec EU forum he said: “Threat Intelligence is committed to the development of the Standards which are specifically designed to fulfil the security verification needs of every app development. The release of Version 2.1 is a significant achievement. Individuals and organisations worldwide can now make informed decisions about the security risks to software under development. The ASVS puts a professional grade checklist into the hands of every project team.”

The 133 controls within the ASVS include authentication, access controls, business logic flaws, data protection, encryption, input validation, cryptography and auditing. The Standards also cover mobile application risks.

Andrew van der Stock, an acknowledged leader of the global application security field, conducted a two-day ASVS hackathon during the AppSec EU conference: “The Standards have been refined, with industry consensus, to deliver a new and hugely beneficial approach to software security verification. Crucially, the ASVS will continue to evolve as we leverage feedback from industry and our OWASP membership,” he said.

About ASVS Version 2.1
The ASVS are specifically designed to fulfil the security verification needs of every app development project. They scale from very small teams to large project teams of hundreds of programmers. Developers are able to choose and apply the most appropriate of the three levels:

•    ASVS Level 1: Auto analysis and verification – 33 controls – basic requirements for every app. These are simple and fast to complete.
•    ASVS Level 2: Identity data – a further 80 controls – for apps that have personal data or transaction details. This mid-range set of controls will be highly valuable to professional teams that must invest time in verifying sophisticated protections within their apps.
•    ASVS Level 3: High risk apps – 20 controls – deep assessments required to safeguard apps that deal with large volume currency and credit card transactions, and the personal identity data in critical corporate and public sector apps. These controls are intended to prevent high-risk, complex malware such as Easter Eggs and Salami attacks.

/Ends

About Threat Intelligence Pty Ltd - www.threatintelligence.com
Threat Intelligence is an Australian security consultancy specialising in next-era, intelligence-based threat management and penetration testing. It was established in 2013 to meet the new challenges of an ever-evolving global threat environment. Threat Intelligence uses its intelligence-based security framework to provide enhanced strategic and operational consultancy to public and private enterprises. The company’s proprietary Threat Analytics product is the only offering on the market that provides alerts to attacks and security breaches before they occur, which enables organisations to take their threat management to the next level of intelligent protection. Services include managed intelligence, threat analytics, penetration testing, training and incident response. TI’s founder, Ty Miller, is one of Australia’s leading information security specialists.

Follow Threat Intelligence:
Our updates on Twitter at twitter.com/tyronmiller
Our insights on our Blog - https://www.threatintelligence.com/tyronmiller/

Andrew van der Stock, Threat Intelligence Principal Security Consultant
 

Andrew van der Stock is an acknowledged leader of the application security field, with over 15 years’ application security experience in Australia and the USA, and over 20 years’ experience in the IT industry.

Andrew’s skills include:

•    Enterprise security architecture and design
•    Secure coding assistance
•    Secure Code Review in Java, .NET and PHP
•    Web application security assessments
•    Mobile application security assessments for iOS and Android platforms
•    Cloud security, including OAuth and SAML SSO integrations
•    API management implementation and advice
•    REST and SOAP based web service assessment and advice

Andrew joined OWASP in 2002, and continued sharing his passion for information sharing by participating in and then leading the Developer Guide project, culminating in the OWASP Guide to Building Secure Software 2.0 in 2005. He led the OWASP Top 10 2007 effort, initiated and led the OWASP ESAPI for PHP effort, currently leads the OWASP Developer Guide project, and is a key contributor to the OWASP Proactive Controls. Andrew is lead author of the OWASP Application Security Verification Standard 2.1. He is the long-time moderator of the Symantec SecurityFocus webappsec mailing list.

Andrew is currently on the global Board of Directors of OWASP, and has previously held the Executive Director position at OWASP and been a member of the OWASP Global Chapters Committee.

Andrew is an in-demand speaker and trainer, with past speaking engagements at AusCERT, linux.conf.au, BlackHat, OWASP AppSec EU and AppSec USA, and has trained many thousands of developers and information security professionals through public and private training offerings.

About OWASP
The Open Web Application Security Project (OWASP) is the foremost web app security organisation in the world, with thousands of members globally, including some of the biggest names in the industry. The goals of OWASP are to make web applications safe and to educate users, developers, governments, and business leaders on how to protect vulnerable information and avoid dangerous hacks that can cost millions of pounds to fix.

The OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of application security.


Media Enquiries:
Cathryn van der Walt, 12 Worlds, 0402 327 633, cathryn@12worlds.com