Gartner Blog Network

More Application Security Goodness From OWASP

by Neil MacDonald  |  January 14, 2010  |  6 Comments

I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the ‘produce’ part – improving their development processes to ensure that more secure code is produced and that security testing is incorporated in the software development lifecycle.

What about the ‘procure’ part?

Here, organizations should make sure that their contract language when procuring (or outsourcing) software externally also includes similar requirements of proof of testing in their software development lifecycle.

OWASP has a project that provides sample contract language here, and, using the OWASP work as a foundation, SANS provides guidance here.

If you haven’t modified your procurement and outsourcing contracting process to include security-related requirements like these, make this a priority in 2010. Use these sample contracts as starting points and make sure to have a qualified attorney help with the final contract negotiation language.

Category: application-security  security-of-applications-and-data  

Tags: application-security  best-practices  information-security  security-no-brainer  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on More Application Security Goodness From OWASP

  1. Dan Cornell says:

    For procurement purposes, you could also look to use the OWASP Application Security Verification Standard (ASVS):

    It lays out increasing degrees of verification that can be performed for web applications and provides what is intended to be a reasonably unambiguous description of the security controls in an application. For example, an Organization A could agree to have their applications successfully verified at level 2A by an independent 3rd party before Organization B would start using them. We’re talking to some firms right now about possibly using ASVS as a web application equivalent of a SAS 70.

    I would avoid using the OWASP Top 10 _for procurement_ because it is an awareness document and not a standard. That being said – the OWASP Top 10 is great for promoting awareness.


  2. Jim Manico says:

    This is a very interesting and timely topic. Neil, I’d like to invite you to interview with the OWASP Podcast Series – please just email us at if you are interested. It will help you get a little visibility for Gartner.

    Keep up the great work!

    Jim Manico
    OWASP Podcast Host/Producer
    OWASP ESAPI Project Manager

  3. Gartner has rightfully pointed out for some time that a holistic approach to implementing an enterprise application security strategy should include the assessment of third-party (vendor or outsourced development) code and the application of security testing equally as rigorous as you would do internally. I believe this most recent attack on Google by the Chinese suggests that this should be considered as equally high in importance, as third-party vulnerabilities will be an attack vector that is increasingly leveraged by hackers given the inconsistent and lengthy enterprise patch and upgrade cycles. The Google and Adobe hacks have shown that no enterprise – and no type of information – will be spared given the perceived and marketable value of the asset.

  4. Neil MacDonald says:

    Daniel – thanks for the link – much appreciated

    Matthew – yes – third party apps are every bit as important as in-house developed apps. You could require these vendors to show proof of security testing as part of the contract language (as this post talks about) – or you could test it yourself. This is critical in the case of IE, Adobe, Symantec and other common desktop software (esp when users run as standard user). See this post:

  5. Social comments and analytics for this post…

    This post was mentioned on Twitter by DinisCruz: RT Neil McDonald, security analyst, at Gartner Group, on OWASP’s guidance on how to procure more secure code @owasp…

  6. […] require developers to show proof of security testing before being allowed to post an application. We require this for procured enterprise software, why not for mobile software? Problem is, there aren’t any standards of proof for this and a […]
