OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Ordering of ASVS chapters #440

Closed tkisason closed 5 years ago

tkisason commented 5 years ago

Hi guys,

What do you say about the concept that we keep the ordering of chapters as it is, but set:

0x24 - IoT (since an IoT ASVS is non-existent yet)
0x25 - Mobile security (and refer to MASVS etc., as there is an entire MASVS project)

Or 24 Mobile and 25 IoT. To me, it makes no sense to have IoT in an appendix; if there is no need for a chapter, you simply don't apply it, the same as with any standard like NIST 800 or ISO 27001. Currently there is no IoTSVS, there is only the IoT Top 10, so if you are deploying an IoT project, you have nothing to verify it against...

What do you think? cc @vanderaj @danielcuthbert @tghosth @jmanico

Sincerely, Tonimir

vanderaj commented 5 years ago

The number at the beginning is simply to keep the order when we generate the PDF. Internally, we need to have a monotonically incremental number.

At this point, I'm thinking that we close up holes from 1.0-3.0.1, such as V6 and V12, but leave the ordering of chapters alone.

@jmanico @danielcuthbert @tghosth @m8urnett thoughts?

jmanico commented 5 years ago

Agreed, Andrew

On 2/15/19 2:14 PM, Andrew van der Stock wrote:

The number at the beginning is simply to keep the order when we generate the PDF. Internally, we need to have a monotonically incremental number.

At this point, I'm thinking that we close up holes from 1.0-3.0.1, such as V6 and V12, but leave the ordering of chapters alone.

@jmanico @danielcuthbert @tghosth @m8urnett thoughts?

elarlang commented 5 years ago

No one asked, but here is my opinion :)

IoT and MASVS categories: ASVS is de facto WASVS, where W is Web. And if you look at this project as a Web Application Security Verification Standard, then M-ASVS, IoT-ASVS etc. are off-topic because there are more requirements than just web. So, please - no.

V17 can be removed. Otherwise it's just a placeholder which needs extra explanation - why it's there and why it's empty.

Use increasing numbers for categories: +1 for using increasing numbers for categories. It is quite weird to use and explain why there is no V6 or V12. There is no 1-to-1 requirement mapping anymore (like there kind of was from ASVS v2 to ASVS v3), so there is no huge point in keeping categories with the same numbers either.

jmanico commented 5 years ago

I removed mobile for starters (64253d7).

tkisason commented 5 years ago

So if you ask me, I wouldn't remove mobile and IoT. The reason is pretty simple: ASVS is a top-level application security verification framework, and it maps nicely to a lot of stuff that's not only web. Currently, ASVS 4.0 has a lot of new content that MASVS is missing (yes, they can copy/paste and update), but I still think that ASVS should have a reference like the mobile one was currently (Mobile -> follow MASVS; the security levels match and map nicely). It takes half a page, and it's no drama. Also, to make truly secure mobile apps, you need both ASVS and MASVS. You can't build a secure system with only MASVS, so let's keep that link.

Mobile apps and IoT devices both have a backend service (where ASVS is a must) and a frontend (mobile app or IoT device). And a lot of IoT devices simply run full-fledged GNU/Linux based OSes, with a service communicating with a REST backend over HTTP (HTTP without the S is more prevalent than MQTT, believe it or not). So I think that it's useful to leave IoT in, as there is no current standard, and ASVS will be used a lot in those areas (I personally know 4 companies using ASVS as guidance for IoT development). When the IoT team develops the IoTSVS, we can still have a reference to that, as with mobile, and remove those verifications. Here we are raising the standard on what's considered good practice.

Currently, it's easier to gain approval in large organizations to make one standard mandatory than 3-4. ASVS now is used by organizations that use it as their guiding framework for secure application development.

Sincerely, Tonimir

tkisason commented 5 years ago

cc @vanderaj @jmanico :)

vanderaj commented 5 years ago

The last time we all met at AppSec USA, we decided to make the ASVS the basis for the other ASVS's to help them reduce bloat and to be more specific. The main ASVS will focus on being for web apps (modern, responsive, traditional) and all forms of web services (RESTful, web socket, SOAP), whilst allowing other ASVS's work on the issues they need to care about. The MASVS for example, has over 80 of its own controls. If we have a chapter with 80 extra items, there would be a revolution.

vanderaj commented 5 years ago

So I'm going to close this for now - we are absolutely renumbering and closing up gaps. Let us know how we go on that.

tkisason commented 5 years ago

The last time we all met at AppSec USA, we decided to make the ASVS the basis for the other ASVS's to help them reduce bloat and to be more specific. The main ASVS will focus on being for web apps (modern, responsive, traditional) and all forms of web services (RESTful, web socket, SOAP), whilst allowing other ASVS's work on the issues they need to care about. The MASVS for example, has over 80 of its own controls. If we have a chapter with 80 extra items, there would be a revolution.

I didn't mean including the 80 controls, but putting a notice in ASVS: if you are developing a mobile app -> you need to follow MASVS. But it's your call. It's literally a quarter-page pointer: here's what you need if you do this...