FAQ

• Is OWASP ASVS Audit expensive?

  No.

  The exact cost varies based on product’s attack surface – how many features and data-entry points it has. For preliminary estimation purposes, as a short-hand for this number, we tend to use the number of API endpoints.

  Approximate cost ranges of web application OWASP ASVS audits, by size:

  – Small-size web app (up to 50 API endpoints) – $5,000 to $9000

  – Medium-size web app (50 to 300 API endpoints) – $9,000 to $23,000

  – Large, enterprise-scale web app (300 to 1000 API endpoints) – $23,000 to $65,000

   

  If SoftSeq is provided with source-code and engineering guidance at scoping stage, the audit will be performed at fixed-price.

• Security Audit or Penetration Testing?

  As far as Software goes, pentests pale in comparison to Software Security Audits – both in depth and breadth.

  Penetration Testing is a fitting security control to assess security of a mature organization – it’s staff, networks, and systems. Yet, its black-box approach is an ill choice for testing security of a web application.

  Many more issues can be identified with a white-box audit in the same time-frame, and some issues, like backdoors, improper logging, data storage, etc., can only be identified reliably with access to the source code.

• Security Audit or crowdsource bug-bounty program?

  Crowdsourced bug-bounty programs are a great tool when used properly. They can be a very cost-effective addition to the security program – if you come prepared.

  For a well tested application, with most security issues found and fixed, crowdsourced bug-hunting can bring attention of many professionals from around the globe on the cheap.

  In a medium-sized web application, finding 95% of security issues before bug-bounty starts can cut its cost from $25000 down to about $1000 in the first 6 months – which is a bargain for the attention you get.

• Why are automated nightly scans by security tool not enough?

  Because DAST (Dynamic Application Security Testing) tools deliver extremely poor results while lulling its users into a false sense of security.

  No matter how clever or expensive, they lack human context-awareness and miss most security issues that a Security Engineering intern with 3 months of training would find easily.

  SoftSeq engineers have worked first-hand developing some of the worlds best DAST tools, and yet we don’t use any in our DevSecOps offering.

   

  SAST (Static Application Security Testing) tools, while also missing many security issues, are extremely noisy. The time it takes a security engineer to find a single true-positive issue in a sea of reported false-positives is far longer than finding the same issues by hand.

• Do we need to provide source code for OWASP ASVS audit?

  Yes, most OWASP ASVS requirements cannot be verified without access to source code that underlines the mechanics of the application.

  In case there are any sensitive algorithms in the software, they can normally be omitted from the source code submitted for review. Most of application’s code that handles critical security functions like authentication, session management, authorization, input processing, etc., is of little value to anyone.

  Also, prior to any engagement, SoftSeq signs an NDA of customer’s choice obliging to guard and protect all transferred IP.

• What specifically is reviewed during OWASP ASVS audit?

  OWASP Application Security Verification Standard specifically covers:

  • – Architecture, design and threat modelling
  • – Authentication
  • – Session management
  • – Access control
  • – Malicious input handling
  • – Cryptography at rest
  • – Error handling and logging
  • – Data protection
  • – Communications security
  • – HTTP security configuration
  • – Malicious controls
  • – Business logic
  • – Files and resources
  • – Mobile
  • – Web services
  • – Configuration
  • – Internet of Things (IoT)