
Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Mapping of ASVS OTG v4 #269

Closed D00gs closed 3 years ago

D00gs commented 6 years ago

Hi,

It would be really great if we could map these two standards together, similar to what was done for MASVS. Would be happy to help.

Cheers,

Doogs

hello7s commented 6 years ago

Willing to help, will send note for starting point and where to jump in.

markderijkinfosec commented 6 years ago

I would love to help, would love some guidance on how to start contributing.

danielcuthbert commented 5 years ago

Thanks for the offers of help, much appreciated. I guess what is needed is to go through all the 4.0 requirements and look where they map to the testing guide. For example:

V2: Authentication Verification Requirements

| 2.1.2 | Verify that one or more anti-automation controls--including rate limiting, CAPTCHA, increasing delays, IP address restrictions, risk-based restrictions--are in place and effective to mitigate breached credential testing, brute force, and

would map to https://www.owasp.org/index.php/Testing_for_Weak_lock_out_mechanism_(OTG-AUTHN-003)

Then you add this, possibly as a reference or maybe even a new section?

Make sense?

dyjakan commented 5 years ago

I guess the best course of action would be to create a similar checklist as MASVS has (https://github.com/OWASP/owasp-mstg/tree/master/Checklists) and map the proper OTG resources over there. This is a win-win because (1) there is consistency between OWASP documents, and (2) the checklists themselves are useful.

subrosaassociates commented 5 years ago

I think a good approach would be to reference the corresponding testing tasks (from the testing guide v4) to the ASVS Detailed Verification Requirements from V1 to V19.
That way you can set expectations of testing for +/- validation modularly against the detailed verification requirements, no?

vanderaj commented 5 years ago

Hi there

I want to get a version ready for publication no later than the middle of next week. If we can have a pull request for Checklists by the time we close it out, I'd be happy to accept it, but at this point, I'm going to mark this as a 4.1 issue rather than a 4.0 issue. I'll leave the ticket open.

jeremychoi commented 4 years ago

@vanderaj (and all here)

I have created this: https://github.com/jeremychoi/owasp-asvs-wstg-checklist, which might be very relevant to this issue. I am not sure how to proceed with this to contribute to the ASVS project, so please have a look and just let me know if there's anything I can further help. (maybe I could add such details to the 'csv' version of the ASVS doc)

danielcuthbert commented 3 years ago

Hi

We are interested in this but feel this is better suited as a separate project. Can you give us an idea of how you feel this might work? We are closing this for now.