Common Criteria Web Application Security Scoring (CCWAPSS) Released

The New Acunetix V12 Engine


The purpose of the scoring scale CCWAPSS is to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.

This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

CCWAPSS is focused on rating the security level of a distinct web application, web services or e-business platform. CCWAPSS does not aim at scoring a whole heterogenic perimeter.

Key benefits of CCWAPSS

  • Fighting against the inclination of using a restricted granularity that forces the auditor to clear-cut score (there is no medium choice).
  • Offering a solution to interpretation problems between different auditors by providing clear and 11 well documented criteria.
  • The maximum score (10/10) means “compliant with Best Practices”. This score could be exceeded in case of excellence (like a medical vision evaluation such as 12/10).
  • Each criteria is relative to section of the OWASP Guide 3.0.

The 11 scoring criteria

1. Authentication
2. Authorization
3. User’s Input Sanitization
4. Error Handling and Information leakage
5. Passwords/PIN Complexity
6. User’s data confidentiality
7. Session mechanism
8. Patch management
9. Administration interfaces
10. Communication security
11. Third-Party services exposure

You can get the CCWAPSS whitepaper here:

CCWAPSS release 1.0 [PDF]

Or read more here.

Posted in: Countermeasures, Web Hacking

, , , ,


Latest Posts:


Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.
CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.


One Response to Common Criteria Web Application Security Scoring (CCWAPSS) Released

  1. dre October 25, 2007 at 1:20 am #

    for similar work look at the fortifysoftware metricon 2.0 talk by fred lee, Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software. i wasn’t able to see it at metricon 2.0, but he gave the talk along with me at the owasp msp event last week.

    mark cuphey and the owasp team (including chris wysopal and myself) have also been working on another set of metrics. darkreading did an article on it called OWASP Preps Framework for Website Security Certification. wysopal is also working on a more generic vulnerability rating system using CVSS from CWE data as described in Software Security Weakness Scoring