recommendations chapter

[elarlang]

Things that are processes and out of the scope of ASVS:

• Threat Modeling as a process - we don't require the process, but we still need outcomes from this otherwise it's not possible to implement and test certain requirements
• CI/CD as a process - we don't require it, but a lot of things (such as setting correct permissions, components up-to-date check) should be done with this step - but we measure the end product, (application), not the CI/CD process
• backup - making a backup is not part of the application's responsibility, this is something that the external process is doing with the application

Things that can not be required, but can be recommended:

• security.txt

[tghosth]

I like this concept, I think it is good for the sorts of things that would be considered as valid ASVS requirements but do not have a strong enough security case to be compulsory.

Another example could be password strength meters.

I don't think that this list should include things which are out of scope by nature such as processes (threat modeling), things not in the control of developers (backup/CICD).

[tghosth]

Added to PR #1838

[tghosth]

I am going to close this but we should bear it in mind for future changes