
The OWASP ASVS focuses on web-application verification. It is free and recognised worldwide as a good reference to build upon, or simply reuse. It is useful to use it when outsourcing web development.

However, OWASP does not provide similar documentation for non-web developments (like heavy client applications, services / daemons, etc.).

Of course, companies like Gartner provide similar documentation related to the non-web world, but those are not free.

I'm looking for standards similar to OWASP ASVS that would cover non-web developments - are there such good free standards available? If yes, which ones?

Thanks!

AviD
niilzon
  • I don't think the ASVS is web-specific; though there are a few chapters focused on that, most of it is technology-agnostic. It is weighted mostly to server applications, but again not to the exclusion of all else: there is even a whole chapter just on mobile apps. – AviD Apr 06 '17 at 10:50
  • Indeed it goes a little further than webapps, but as described by OWASP: "provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development". For example, usage of insecure C functions leading to buffer overflows is not covered. Also it would be hard to present this as the only source of requirements standards to, let's say, management members that expect generic secure application requirements. – niilzon Apr 06 '17 at 10:58
