2

Are there any web application security standards that I can use as a baseline for the security related requirements for a web application, web service, and for applications supported/hosted by third parties?

How is security risk managed for web application and what are the preventive and corrective controls that I should expect to see?

Additionally, how can we provide security compliance for web applications?

From my findings I found that most organizations have developed their own standards/guidelines like

Am I mistaken in that there is no universal standard?

Xander
  • 35,525
  • 27
  • 113
  • 141
Ali Ahmad
  • 4,784
  • 8
  • 35
  • 61
  • _Are there any web application security standards?_ based on some reports, it seems there are no standards. – mah Nov 12 '13 at 21:18

3 Answers3

8

From what I understand there is no 'universal' standard, however several standards do exist that you can use as a point of reference.

These are just a few I know about. The standards you build for yourself will be dictated by the nature of your application and the information is serves/stores. However the above resources should help you get an idea of what things you might want to keep in mind or work into your own standard.

KDEx
  • 4,981
  • 2
  • 20
  • 34
  • There are also regulators like the FFIEC, Monetary Authority of Singapore (MAS), and others. These are generally at a process and procedure level, dealing with how an organization should run itself and its systems. – GdD Nov 13 '13 at 13:12
1

In Austria we have a standard more or less written by SecConsult which is loosely based on OWASP documents. You can find more information on it here: http://www.a7700.org/index_e.html

Patrick Pic
  • 26
  • 1
1

For financial organizations, PCI compliance is a must.

Also, take a look at the ISO 27000 series.

John Wu
  • 9,101
  • 1
  • 28
  • 39