Web Application Security Check List is a documentation project of OWASP Turkey. It provides 61 security controls that need to be integrated within web applications. It targets mainly auditors but is helpful for application developers, IT-architects, project managers, system administrators and database administrators as well. The security controls are integrated within an Excel-tool with graphical representation support.
The first version of the check list was published in 2010 in Turkish whereas the second and current version of the check list was published with many enhancements in January 2012 in Turkish and English.
The main characteristics of the check list are as follows:
- Each security control has Category, Responsible Person, ASVS (Application Security Verification Standard) Category, Risk Level and Status sections.
- The categories of the check list are based on the categories of OWASP Testing Guide.
- For each security control in the checklist, a verification requirement from OWASP ASVS is assigned.
- Risk levels (Critical-High-Medium-Low) are used for defining criticality of each security control.
- A tool in Excel was implemented for the check list. A status flag (Yes/No/—) is used for tracking activation status of each security control.
- The security flag enables to display the security status of an IT-system visually with graphics for different categories as well as for overall system. If a security control is out-of-scope for the relevant system (e.g. web services are not implemented within the system), its status is assigned as “—” and it would not be evaluated for graphics.
For your comments and suggestions, you can contact us via checklist(at)webguvenligi.org
Download template (PDF)
Download template (XLS)