The purpose of the scoring scale CCWAPSS is to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.

This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

CCWAPSS is focused on rating the security level of a distinct web application, web services or e-business platform. CCWAPSS does not aim at scoring a whole heterogenic perimeter.

Key benefits of CCWAPSS

• Fighting against the inclination of using a restricted granularity that forces the auditor to clear-cut score (there is no medium choice).
• Offering a solution to interpretation problems between different auditors by providing clear and 11 well documented criteria.
• The maximum score (10/10) means “compliant with Best Practices”. This score could be exceeded in case of excellence (like a medical vision evaluation such as 12/10).
• Each criteria is relative to section of the OWASP Guide 3.0.

The 11 scoring criteria

1. Authentication
2. Authorization
3. User’s Input Sanitization
4. Error Handling and Information leakage
5. Passwords/PIN Complexity
6. User’s data confidentiality
7. Session mechanism
8. Patch management
9. Administration interfaces
10. Communication security
11. Third-Party services exposure

You can get the CCWAPSS whitepaper here:

CCWAPSS release 1.0 [PDF]

Or read more here.