Standards / Best Practices


At Secura, we strive to make security more tangible, understandable and measurable. That is why we use international norms and standards as much as possible.

This allows you to know and compare the level of security that a system has, and provides assurance on the depth and breadth of testing. Secura works with multiple organizations such as OWASP and Cyberveilig Nederland to bring the adoption of such standards and frameworks to a higher level.

Secura follows a phased approach for its assessments and applies guidelines and standards that are common within your sector for carrying out (application, infrastructure or other) assessments. These depend on the purpose, the environment to be assessed (architecture, platform, application, et cetera), sector requirements or regulations per country.

Some examples of the standards we use:

  • Application Security Validation Standard (ASVS) for (web) applications;
  • Relevant OWASP publications such as the Top 10 and the ASVS, supported by the OWASP Application Security Testing Guide;
  • SANS Top 25: the most common and most dangerous errors made when developing software;
  • CIS baselines for infrastructure and configuration assessments;
  • Relevant NIST guidelines on e.g. password and key management;
  • NCSC ICT security guidelines for web applications and the ICT security guidelines for Transport Layer Security (TLS);
  • Baseline Information Security Government (BIO);
  • The OWASP Testing Guide versions 3 and 4 with the OWASP Web Service Security Cheat Sheet, where relevant;
  • M-ASVS for mobile applications (Mobile ASVS);
  • Logius standards for DigiD assessments;
  • STRIDE methodology for threat modelling;
  • OWASP Mobile Top 10;
  • Up-to-date information from (software) suppliers such as Google, Apple, Amazon, Microsoft, et cetera.

Why choose Secura | Bureau Veritas

At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.

Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80,000 employees and is active in 140 countries.