Fortify Software


CLASP

Comprehensive Lightweight Application Security Process

CLASP — Comprehensive, Lightweight Application Security Process — is an activity-driven, role-based set of process components, whose core contains formalized best practices for building security into your existing or new-start software development lifecycles in a structured, repeatable, and measurable way.

CLASP is the outgrowth of years of extensive field work in which system resources of many development lifecycles were methodically decomposed in order to create a comprehensive set of security requirements. These resulting requirements form the basis of CLASP's best practices which allow organizations to systematically address vulnerabilities that, if exploited, can result in the failure of basic security services — e.g., confidentiality, authentication, and authorization.

Adaptability of CLASP to Existing Development Processes

CLASP is designed to allow you to easily integrate its security-related activities into your existing application development processes. Each CLASP activity is divided into discrete process components and linked to one or more specific project roles. In this way, CLASP provides guidance to project participants — e.g., project managers, security auditors, developers, architects, testers, and others — that is easy to adapt to their way of working; this results in incremental improvements to security that are easily achievable, repeatable, and measurable.

Catalog of CLASP Problem Types

CLASP also contains a comprehensive vulnerability catalog that helps development teams avoid or remediate specific design and coding errors that can lead to exploitable security vulnerabilities. The basis of this catalog is a highly flexible taxonomy — i.e., classification structure — that enables development teams to quickly locate information from many perspectives, e.g., problem types (i.e., basic causes of vulnerabilities); categories of problem types; exposure periods; avoidance and mitigation periods; consequences of exploited vulnerabilities; affected platforms and programming languages; and risk assessment.

Automated Analysis Tools

Much of the information in the CLASP Catalog of Problem Types can be enforced through the use of automated tools for static analysis of source code.

More information is available from the OWASP CLASP Project.

An insecurely coded application can cancel the value of other security solutions.

Forrester Research
