02 October 2007 | 20,818 views

Common Criteria Web Application Security Scoring (CCWAPSS) Released

Check For Vulnerabilities with Acunetix

The purpose of the scoring scale CCWAPSS is to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.

This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

CCWAPSS is focused on rating the security level of a distinct web application, web services or e-business platform. CCWAPSS does not aim at scoring a whole heterogenic perimeter.

Key benefits of CCWAPSS

  • Fighting against the inclination of using a restricted granularity that forces the auditor to clear-cut score (there is no medium choice).
  • Offering a solution to interpretation problems between different auditors by providing clear and 11 well documented criteria.
  • The maximum score (10/10) means “compliant with Best Practices”. This score could be exceeded in case of excellence (like a medical vision evaluation such as 12/10).
  • Each criteria is relative to section of the OWASP Guide 3.0.

The 11 scoring criteria

1. Authentication
2. Authorization
3. User’s Input Sanitization
4. Error Handling and Information leakage
5. Passwords/PIN Complexity
6. User’s data confidentiality
7. Session mechanism
8. Patch management
9. Administration interfaces
10. Communication security
11. Third-Party services exposure

You can get the CCWAPSS whitepaper here:

CCWAPSS release 1.0 [PDF]

Or read more here.

Recent in Countermeasures:
- isowall – Completely Isolate A Device From The Local Network
- ThreadFix – Vulnerability Aggregation & Management System
- StegExpose – Steganalysis Tool For Detecting Steganography In Images

Related Posts:
- Academic Papers on Web Application Security
- GoLISMERO – Web Application Mapping Tool
- BodgeIt Store – Vulnerable Web Application For Penetration Testing

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 119,243 views
- Password Hasher Firefox Extension - 117,081 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,572 views

Low-cost VPS Hosting

One Response to “Common Criteria Web Application Security Scoring (CCWAPSS) Released”

  1. dre 25 October 2007 at 1:20 am Permalink

    for similar work look at the fortifysoftware metricon 2.0 talk by fred lee, Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software. i wasn’t able to see it at metricon 2.0, but he gave the talk along with me at the owasp msp event last week.

    mark cuphey and the owasp team (including chris wysopal and myself) have also been working on another set of metrics. darkreading did an article on it called OWASP Preps Framework for Website Security Certification. wysopal is also working on a more generic vulnerability rating system using CVSS from CWE data as described in Software Security Weakness Scoring