Closed jmanico closed 1 year ago
| 10.1.1 | Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections. |
|---|---|
For me L3 seems more correct.
Taking into account that the development world is moving more and more into DevOps and highlighting automation (also security-wise), I find it incomprehensible that a SAST tool is a requirement only for L3, i.e. "the most critical applications" as per the definition in the ASVS.
If the penetration testable approach needs to be maintained for L1, how about putting the requirement 10.1.1 mandatory beginning from L2?
Absolutely, I agree this should be a level 1 or 2 requirement. Lack of a static analysis tool during development is close to security negligence these days. +1
I would make this a L2 requirement. L1 claims to be completely penetration testable and I would say that this requirement asks for attestation instead.
We are dropping the "testing" designation for each ASVS level and are just moving it to risk levels. We may mimic MASVS where Level 1 is the low baseline for secure apps and level 2 is for advanced apps and drop the three levels.
So if the current three levels were risk levels, would that change your opinion?
Loosely today, level 1 is for public apps and provides low security, level 2 is for sensitive apps and level 3 is for critical infrastructure...
I like to hear that the ASVS is moving to risk levels.
If that is the case, I would recommend it for Level 1. Even a SAST that is not tuned optimally will provide insight. Perhaps add that the findings of SAST should be blocking from Level 2 onwards.
I agree that using SAST should be a requirement at the most basic levels of ASVS. +1
I would like to clarify that the purpose of SAST for Level 1 is awareness, especially if the tool is not tuned for the application. For higher levels the tool needs to be tuned to reduce FPs, as those findings are more of a hindrance than a help in raising awareness.
I agree that everyone should run SAST to detect security bugs. But is that what this requirement says?
> that can detect potentially malicious code
Not security bugs, but actively malicious code.
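To make the distinction above concrete, here is an added example (not part of this thread, the ASVS project, or any real SAST product): a toy Python AST scanner that reports calls falling into the three categories the 10.1.1 wording names (time functions, unsafe file operations, network connections) rather than classic security bugs. The call names in the rule set and the sample snippet it scans are assumptions chosen for illustration.

```python
import ast

# Categories taken from the 10.1.1 wording. The concrete call names are an
# assumed minimal rule set for illustration, not an ASVS-mandated list.
SUSPICIOUS_CALLS = {
    "time function": {"time.time", "datetime.datetime.now", "datetime.date.today"},
    "unsafe file operation": {"os.remove", "os.unlink", "shutil.rmtree", "os.chmod"},
    "network connection": {"socket.socket", "urllib.request.urlopen", "requests.get"},
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None if the callee is not a simple chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_suspicious_calls(source):
    """Return sorted (line, category, callee) tuples for every call matching the rule set."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            for category, names in SUSPICIOUS_CALLS.items():
                if name in names:
                    findings.append((node.lineno, category, name))
    return sorted(findings)


# Constructed sample input: a snippet that combines all three patterns the
# requirement names. It is only scanned as text, never executed.
SAMPLE = '''\
import datetime, shutil, urllib.request

def cleanup():
    if datetime.date.today() > datetime.date(2025, 1, 1):
        shutil.rmtree("/var/lib/app/data")
        urllib.request.urlopen("http://example.invalid/done")
'''

if __name__ == "__main__":
    for line, category, callee in find_suspicious_calls(SAMPLE):
        print(f"line {line}: {category}: {callee}()")
```

A real tool would additionally resolve aliases (`from os import remove`) and assignments, which this toy scanner deliberately does not attempt.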
This item has been removed as per #1507, the issue can be closed