Common Criteria Web Application Security Scoring (CCWAPSS) Released


The purpose of the scoring scale CCWAPSS is to share a common evaluation method for web application security assessments/pentests between security auditors and final customers.

This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

CCWAPSS is focused on rating the security level of a distinct web application, web services or e-business platform. CCWAPSS does not aim at scoring a whole heterogenic perimeter.

Key benefits of CCWAPSS

  • Fighting against the inclination of using a restricted granularity that forces the auditor to clear-cut score (there is no medium choice).
  • Offering a solution to interpretation problems between different auditors by providing clear and 11 well documented criteria.
  • The maximum score (10/10) means “compliant with Best Practices”. This score could be exceeded in case of excellence (like a medical vision evaluation such as 12/10).
  • Each criteria is relative to section of the OWASP Guide 3.0.

The 11 scoring criteria

1. Authentication
2. Authorization
3. User’s Input Sanitization
4. Error Handling and Information leakage
5. Passwords/PIN Complexity
6. User’s data confidentiality
7. Session mechanism
8. Patch management
9. Administration interfaces
10. Communication security
11. Third-Party services exposure

You can get the CCWAPSS whitepaper here:

CCWAPSS release 1.0 [PDF]

Or read more here.

Posted in: Countermeasures, Web Hacking

, , , ,


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


One Response to Common Criteria Web Application Security Scoring (CCWAPSS) Released

  1. dre October 25, 2007 at 1:20 am #

    for similar work look at the fortifysoftware metricon 2.0 talk by fred lee, Security Metrics in Practice: Development of a Security Metric System to Rate Enterprise Software. i wasn’t able to see it at metricon 2.0, but he gave the talk along with me at the owasp msp event last week.

    mark cuphey and the owasp team (including chris wysopal and myself) have also been working on another set of metrics. darkreading did an article on it called OWASP Preps Framework for Website Security Certification. wysopal is also working on a more generic vulnerability rating system using CVSS from CWE data as described in Software Security Weakness Scoring