Standard
Contents
The goal of ÖNORM A 7700 (A7700) is to describe clearly and comprehensively the security issues found in web applications, which other standards (e.g. ISO 27001) treat only tangentially. In addition, the compliance process demands a high level of security, which is reached through a methodical and complete source code audit. The A7700 standard defines the current state of the art for web application security and thus provides an important guideline both for vendors and for customers acquiring web applications.
An excerpt from the table of contents of A7700:
- Architecture of web applications
- Data storage and data transfer
- Configuration data
- Authentication
  - Authentication methods
  - Passwords
- Authorization
- Sessions
  - Session-based separation
  - Quality criteria for sessions
- Handling of user input
- File generation
- Storage management
- Integration of resources
- Handling of data output
- Back-end systems
- System and error messages
- Cryptography
Resources
The ÖNORM A 7700 is available for purchase from:
History
2003
Several organizations, including the Austrian National Bank, request that SEC Consult develop a standard for web application security.
2004/2005
Together with the Austrian Standards Institute and numerous major banks, insurance companies, public authorities, and industrial corporations, the ONR 17700 standard is drafted. Its contents are based on the recommendations of the internationally accepted OWASP Guide, which comprehensively describes web application security issues but does not define a certification process.
September 2005
ONR 17700 is published; it is the first standard recognized EU-wide that permits certification of web applications on the basis of security criteria.
2007
The first ONR 17700 certification processes are completed. Companies and public authorities begin to establish ONR 17700 certification as a requirement for the development and purchase of web applications.
December 2008
ONR 17700 is succeeded by ÖNORM A 7700, the current state of the art for secure web applications.