Web Application Security Consortium

From The Secure Arc Wiki

The following summary is referenced from the WASC (Web Application Security Consortium) website:

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.

Each aspect of the standard can be broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.

Web Application Security Scanner Evaluation Criteria

  • The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on how well they identify web application vulnerabilities and how complete that coverage is. It covers areas such as crawling, parsing, session handling, the types of vulnerabilities detected, and the information reported about those vulnerabilities.

Web Security Threat Classification

  • The Web Security Threat Classification is a cooperative effort to clarify and organise the threats to the security of a web site. The members of the Web Application Security Consortium created this project to develop and promote industry-standard terminology for describing these issues, so that application developers, security professionals, software vendors, and compliance auditors share a consistent language for web security related issues. The following classifications are used:
      • Abuse of Functionality
      • Brute Force
      • Buffer Overflow
      • Content Spoofing
      • Credential/Session Prediction
      • Cross-site Scripting
      • Denial of Service
      • Directory Indexing
      • Format String Attack
      • Information Leakage
      • Insufficient Anti-automation
      • Insufficient Authentication
      • Insufficient Authorization
      • Insufficient Process Validation
      • Insufficient Session Expiration
      • LDAP Injection
      • OS Commanding
      • Path Traversal
      • Predictable Resource Location
      • Session Fixation
      • SQL Injection
      • SSI Injection
      • Weak Password Recovery Validation
      • XPath Injection
      • Fingerprinting
      • HTTP Response Splitting

Web Application Firewall Evaluation Criteria

  • The goal of this project is to develop industry-standard testing criteria for evaluating the quality of web application firewall solutions. Web application firewalls (WAFs) are a new breed of information security technology designed to protect web sites from attack. WAF solutions can prevent attacks that network firewalls and intrusion detection systems cannot, and they do not require modification of application source code. As web application attacks grow in number and sophistication, it is vitally important to have standardised criteria for product evaluation; without them, the performance of a particular solution cannot be accurately compared or measured.

Information Assets

The WASC guidelines are specific to Web Application Security. Their relationship to Information Assets is that they describe and categorise the threats to those assets.

Licensing and Documentation

See the following link for details.

Or, the following links for specific projects: