This is the official site of TSS-WEB, an open framework of ~200 baseline requirements that you can use for your web development security standard, policy or security concept. All of these requirements are based on common best practices (including those from OWASP, SAFECode, ISO/IEC 27002, NIST and BSI) plus our own experiences in this field.

For instance, TSS-WEB also meets 14.2.1 control ("Secure Development Policy") of ISO/IEC 27002. Detailed compliance mappings are provided in appendix B to E.

Objective

The objective of TSS-WEB is to provide a framework of language-independent application security requirements that can used by organizations as a baseline to implement own security standards or policies for their web development.

Secure Coding Guidelines

TSS-WEB provides high-level requirements that can be used to derive secure coding guidelines for specific languages and frameworks.

Related Standards

ISO/IEC 27002:2013: Appendix E: ISO/IEC 27002:2013 Mapping (Draft)

• OWASP SAMM 2.0 (Maturity Model): Appendix D: OWASP SAMM 2.0 Mapping
• BSIMM (Maturity Model)
• IT-Grundschutz-Kompendium 2020 (German Standard): Appendix C: BSI Grundschutz Mapping (German)
• SAFECode Software Integrity Controls
• NIST Secure Software Development Framework (SSDF) 
• OWASP Top Ten 2017 (only implementation requirements): Appendix B: OWASP Top Ten 2017 Mapping

License

The document is licensed under Creative Commons By 4.0 and can therefore be used and changed to individual needs free of charge and without any other obligations than to name document and author of the used template. Furthermore, any adapted version of this document does not have to be published under the same license.

Author

This site is maintained by Secodis GmbH. Responsible for the content is Matthias Rohr. 

Feedback 

Feedback about this content is very much welcome. Please post it in the TSS-WEB Google Group or send it directly to tss-web@googlegroups.com.