The App Defense Alliance's validation approach involves a collaborative effort between a standards-setting organization (the alliance itself), software developers, and independent assessors.
The App Defense Alliance establishes the criteria for product evaluation.
Software developers use these standards to create software and secure cloud configurations that meet these requirements.
Independent assessors, acting as neutral evaluators, then assess a developer's product against the standards and are authorized to issue a certification document if the product meets them.
The ADA Certification Scheme provides a valuable opportunity for participating developers to demonstrate their commitment to security by achieving an industry-recognized level of security for their applications.
Participation in the ADA Certification Scheme is entirely voluntary, allowing developers to choose which applications they want to undergo security evaluation. This flexibility enables developers to prioritize their applications' security needs and demonstrate their dedication to delivering secure products to their users.
Security Evaluation: Developers can submit their applications for evaluation at one or more security assurance levels.
Time-Limited Certificate: Applications that pass the evaluation receive a time-limited certificate (valid for 365 days), which confirms compliance with the specified security standards.
Security Credentials: The certificate serves as proof of the application's security credentials, providing transparency and assurance to users.
The App Defense Alliance has adopted a tiered approach to certification that varies the depth and intensity of assessment according to risk level. Higher-risk products undergo more rigorous testing and evaluation compared to lower-risk products.
This tiered structure ensures that resources are allocated efficiently while maintaining appropriate levels of scrutiny for products that require greater assurance.
AL0 - Self Assessment: Low-risk products can be self-assessed by the developer.
AL1 - Developer Tested, Lab Reviewed: Medium-risk products can be tested such that the developer runs the test cases and submits evidence demonstrating conformance with the requirements to an independent assessor, who is then responsible for confirming the completeness and sufficiency of that evidence.
AL2 - Lab Tested: High-risk products can be tested directly by the independent assessor, providing the highest level of assurance that a product has met the requirements.