Assessment and Certification

OWASP's Stance on SCVS Certifications and Trust Marks

OWASP, as a vendor-neutral not-for-profit organization, does not certify any vendors, verifiers or software.

Any such assurance assertion, trust mark, or certification is not officially vetted, registered, or certified by OWASP, so an organization relying on one should be cautious about the trust it places in any third party or trust mark claiming SCVS certification.

This should not inhibit organizations from offering such assurance services, as long as they do not claim official OWASP certification.

Guidance for Certifying Software Component Supply Chains

The recommended way of verifying compliance of a software supply chain with SCVS is by performing an "open book" review, meaning that the auditors are granted access to key resources such as legal, procurement, build engineers, developers, repositories, documentation, and build environments with source code.

A certifying organization must include in any report the scope of the verification (in particular, any practice that is out of scope) and a summary of verification findings, with clear indications of how to resolve issues and improve results. In case of dispute, there should be sufficient supporting evidence to demonstrate that every verified practice has indeed been met.

Evaluators and software suppliers may describe assessments as having been performed using SCVS controls, as long as control levels are disclosed.

The Role of Automated Verification

Whenever possible, automation should be used to verify the controls detailed in SCVS in order to increase efficiency and accuracy. Some controls cannot be verified through automation. For the controls that can, automation is encouraged, provided that the results can be validated through other means.

For higher levels of assurance, controls may be independently validated using automated methods.