Software Security Audit - OWASP Compliance

At SoftSeq, we audit software security against a recognized international standard, the OWASP Application Security Verification Standard (ASVS).

OWASP ASVS defines more than 160 software security requirements, organised into three verification levels that correspond to increasing risk profiles, up to and including the most security-critical applications.

Our audits report on every ASVS requirement in scope, recording both positive findings (requirements that are met) and negative findings (gaps).

OWASP ASVS Audit Deliverables

Certificate of Compliance.

This document certifies that SoftSeq has verified full compliance of the audited software with the appropriate level of the OWASP Application Security Verification Standard. The certificate is always accompanied by the Compliance Audit Report.

Compliance Audit Report.

This document describes the audit's methodology, coverage, and key metrics in an executive-friendly format.

Compliance Audit Report, technical appendix.

This document records the audit's findings for each OWASP ASVS security requirement: the security mechanism observed, the associated risk assessment, and any security findings.

Note that specific vulnerabilities are reported separately in Jira, each with screenshots, a problem description, an assessment of potential impact, and a recommended technical fix. Each ticket is linked to the relevant ASVS requirement in this appendix.

Full scope of Software Security

  • Secure architecture review
  • Manual security testing
  • Manual security code review
  • Business logic security analysis
  • Production deployment security assessment

FAQ

  • Is OWASP ASVS Audit expensive?

    No.

    The exact cost depends on the product's attack surface: how many features and data-entry points it has. For preliminary estimates we use the number of API endpoints as a shorthand for this figure.

    Approximate cost ranges of web application OWASP ASVS audits, by size:

    – Small web app (up to 50 API endpoints): $5,000 to $9,000

    – Medium web app (50 to 300 API endpoints): $9,000 to $23,000

    – Large, enterprise-scale web app (300 to 1,000 API endpoints): $23,000 to $65,000

    If SoftSeq is given source code and engineering guidance at the scoping stage, the audit is performed at a fixed price.

  • Security Audit or Penetration Testing?

    Where software is concerned, penetration tests pale in comparison to software security audits, in both depth and breadth.

    Penetration testing is a fitting control for assessing the security of a mature organization: its staff, networks, and systems. Its black-box approach, however, is a poor choice for testing the security of a web application.

    Far more issues can be identified by a white-box audit in the same time-frame, and some classes of issue, such as backdoors, improper logging, and insecure data storage, can only be identified reliably with access to the source code.

  • Security Audit or crowdsource bug-bounty program?

    Crowdsourced bug-bounty programs are a great tool when used properly. They can be a very cost-effective addition to a security program, provided you come prepared.

    For a well-tested application, with most security issues already found and fixed, crowdsourced bug hunting brings the attention of many professionals from around the globe at low cost.

    For a medium-sized web application, finding 95% of security issues before the bug bounty starts can cut its cost over the first 6 months from about $25,000 down to about $1,000, which is a bargain for the attention you get.

  • Why are automated nightly scans by a security tool not enough?

    Because DAST (Dynamic Application Security Testing) tools deliver very poor results while lulling their users into a false sense of security.

    No matter how clever or expensive, they lack human context-awareness and miss most of the security issues that a security engineering intern with 3 months of training would find easily.

    SoftSeq engineers have worked first-hand on developing some of the world's best DAST tools, and yet we do not use any of them in our DevSecOps offering.

    SAST (Static Application Security Testing) tools also miss many security issues, and are extremely noisy on top of that. The time it takes a security engineer to find a single true positive in a sea of reported false positives is far longer than finding the same issue by hand.

  • Do we need to provide source code for OWASP ASVS audit?

    Yes. Most OWASP ASVS requirements cannot be verified without access to the source code that underlies the application's mechanics.

    If the software contains sensitive algorithms, they can normally be omitted from the source code submitted for review. Most of an application's code that handles critical security functions, such as authentication, session management, authorization, and input processing, is of little value to anyone outside the project.

    Also, prior to any engagement, SoftSeq signs an NDA of the customer's choice, obliging it to guard and protect all transferred IP.

  • What specifically is reviewed during OWASP ASVS audit?

    OWASP Application Security Verification Standard specifically covers:

    – Architecture, design and threat modelling
    – Authentication
    – Session management
    – Access control
    – Malicious input handling
    – Cryptography at rest
    – Error handling and logging
    – Data protection
    – Communications security
    – HTTP security configuration
    – Malicious controls
    – Business logic
    – Files and resources
    – Mobile
    – Web services
    – Configuration
    – Internet of Things (IoT)
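The cost FAQ above uses the number of API endpoints as a shorthand for attack surface when scoping an audit. The script below is an added example, not SoftSeq's own tooling: it counts distinct operations (path plus HTTP method) in an OpenAPI 3 document, flags operations whose effective `security` list is empty (OpenAPI's way of declaring an unauthenticated operation), and maps the total to the size bands quoted on this page. The OpenAPI document embedded in it is constructed for illustration.

```python
"""Rough audit-scoping helper (added example; not SoftSeq's own code).

Counts operations in an OpenAPI 3 document as a proxy for attack surface and
buckets the count into the size bands quoted in the cost FAQ on this page.
"""

# Keys inside a Path Item object that denote an operation (OpenAPI 3 spec).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Size bands as quoted in the FAQ: (upper bound of endpoint count, label).
SIZE_BANDS = [
    (50, "small"),
    (300, "medium"),
    (1000, "large"),
]


def iter_operations(spec: dict):
    """Yield (path, method, operation) for every operation in the document.

    Non-operation keys in a Path Item (e.g. 'parameters', 'summary') are skipped.
    """
    for path, path_item in spec.get("paths", {}).items():
        for key, operation in path_item.items():
            if key.lower() in HTTP_METHODS:
                yield path, key.lower(), operation


def count_operations(spec: dict) -> int:
    """Number of path+method pairs, i.e. the 'API endpoints' used for scoping."""
    return sum(1 for _ in iter_operations(spec))


def unauthenticated_operations(spec: dict) -> list:
    """Operations whose effective security requirement is empty.

    An operation-level 'security: []' overrides the global requirement and
    declares the operation as unauthenticated; with no global requirement and
    no operation-level one, the operation is unauthenticated too.
    """
    global_security = spec.get("security", [])
    return [
        f"{method.upper()} {path}"
        for path, method, op in iter_operations(spec)
        if op.get("security", global_security) == []
    ]


def size_band(n_endpoints: int) -> str:
    """Map an endpoint count to the size band quoted in the cost FAQ."""
    for upper, label in SIZE_BANDS:
        if n_endpoints <= upper:
            return label
    return "beyond the quoted bands"


# Constructed sample document; the paths and scheme name are illustrative.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # global default: authenticated
    "paths": {
        "/login": {"post": {"security": []}},  # explicitly unauthenticated
        "/users": {"get": {}, "post": {}, "parameters": []},  # 'parameters' is not an operation
        "/users/{id}": {"get": {}, "put": {}, "delete": {}},
        "/admin/export": {"get": {"security": [{"bearerAuth": []}]}},
    },
}


if __name__ == "__main__":
    n = count_operations(SAMPLE_SPEC)
    print(f"{n} endpoints -> {size_band(n)} web app")
    print("unauthenticated:", unauthenticated_operations(SAMPLE_SPEC))
```

Counting path+method pairs rather than paths matters because each method is a separate entry point with its own input handling and access-control decision; the unauthenticated list is worth pulling out at scoping time because those operations are reachable by anyone and usually deserve the closest review.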

Have questions?

We have answers. Write us at security@softseq.com
