The certification of a web application is the result of a successful multi-level and complete security audit of the source code.
In order to certify a web service as ÖNORM A 7700 compliant, a multi-level source code review is performed. Once the decision has been made to obtain certification, the starting point is the Austrian Standards Institute (www.on-norm.at), which can arrange for an accredited auditor to perform the evaluation.
The entire source code is then audited for vulnerabilities. Known and suspected defects are verified in a test environment. Exploitable vulnerabilities discovered during this stage are recorded and collected for communication to the development team. This first stage is called the main audit and is the primary part of the certification process. (See diagram)
Based on the results of the main audit, the development team then has the chance to remedy the discovered defects. Depending on the architecture of the service, these changes can range from minor code patches to complete re-engineering of vulnerable components. Therefore, it is recommended to plan a security framework in the design phase of an application, in order to limit security-critical changes (e.g. extension of an input filter) to a well-defined section of code.
In order to verify the correct implementation of changes, all altered files are subjected to a second audit. The changes are again verified in a test environment, which permits the auditor to evaluate theoretical weaknesses in practice. Should new implementation defects be found, the auditor can once again inform the developers of the new problems in the source code, so that they can remedy them.
Previous experience with certification projects has shown that almost all problems are successfully resolved by the final audit - the applications can, most of the time, be considered secure by this point. As soon as this status is attained and certified by the auditor, the Austrian Standards Institute (ÖNORM) issues the certificate. In order to clearly identify the certified version, checksums of all audited files are given to the Austrian Standards Institute for safekeeping.
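The checksum step described above, as an added example that is not part of the page or the standard: a small script that records a SHA-256 manifest of the audited source files and later reports which files were modified, added or removed relative to the certified version. The audited file suffixes and the sample tree in `demo()` are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

AUDITED_SUFFIXES = (".php", ".py", ".js", ".html")  # assumption: which files count as source

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map relative path -> digest for every audited source file under root.
    This is what would be deposited with the certifier to pin the certified version."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in AUDITED_SUFFIXES}

def verify_manifest(manifest: dict, root: Path) -> dict:
    """Compare a deployed tree against the deposited manifest.
    Any non-empty list means the tree is no longer the certified version."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "removed": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }

def demo() -> dict:
    # Constructed sample tree: two audited files plus a text file that is ignored.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "lib" / "filter.php").write_text("<?php function clean($s){return htmlspecialchars($s);} ?>")
        (root / "README.txt").write_text("not audited")
        manifest = build_manifest(root)  # snapshot at certification time
        # Simulate post-certification drift: a weakened filter, a new file, a deleted file.
        (root / "lib" / "filter.php").write_text("<?php function clean($s){return $s;} ?>")
        (root / "lib" / "new.php").write_text("<?php ?>")
        (root / "index.php").unlink()
        return {"manifest_files": sorted(manifest), "diff": verify_manifest(manifest, root)}
```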