Closed mario-platt closed 3 years ago
The second stage would be to extend this to include the Compliance as Code checks to go along with it; this would be an example using Chef InSpec for it. Any suggestions on how best to organise it in the repo would be welcomed.
I've created a slightly different version for the tests part, by providing greater clarity on the test title and adding ASVS and (in this instance) ISO 27001 mapping in the test itself through the use of tags. This approach/template can help with a) greater clarity on the title of the test and b) helping orgs adopting it to get the metadata on what the tests help them evidence across their required security compliance needs.
Picking this one up, what's the best way to get it integrated in I wonder? I agree that this is more of a 4.1 milestone, so @mario-platt are we good to add it there you think?
@danielcuthbert apologies for having missed this. What would it mean to be on 4.1? I have a few more of these and am beginning to need to do some of these for work purposes. Keen on hearing thoughts on the best way to capture this information in this repo.
4.1 is the next major release that I am working on right now. There are tons of edits that went into main. What's your plan?
@jmanico I started consolidating in its own repo until I can understand if there's interest and in which format this information (Stories, Scenarios and related links to technical validations) could live. It's currently sitting here: https://github.com/mario-platt/ASVS-Agile-Delivery-Guide We'll be having some Open Security Summit sessions to get contributions, so I think a realistic timeline of 3 months would be needed to have all the content ready for all of ASVS (I'm currently only focusing on Level 1 stuff).
Do you think this would sit well in the main ASVS repo or another OWASP project ?
I don't have a big charge over this, but I am worried that there are numerical risk factors and other data that might not be in line with ASVS. I am inclined to think this should be a separate project, but what do you think @tghosth @vanderaj @danielcuthbert and @elarlang ?
In general I think every project (including ASVS) should contain the minimum amount of content and dependencies possible. There is a reason why ASVS and the Testing Guide are different projects.
In this case I'm failing to understand - what is the extra value that a user story gives? Is only one role perspective enough? Maybe "As an attacker I should not be able to do..."?
But here again - if there is a huge amount of changes in ASVS - who is able to "duplicate" and "synchronize" this constantly into "another language"? For whom is it? Does not seem realistic. ... or I just don't get the point of the entire issue :)
Recommendation for this project - link requirements precisely to the ASVS version. For example v4.0.2-14.4.1. In some future version of ASVS the requirement number may have some other meaning.
This kind of project should be mentioned somewhere in ASVS: "Examples of how ASVS is in use" or something like that, but even for that there should be clear criteria for linked projects - the link and dependency will be tied to an ASVS release forever.
My response also applies for #898
We fully support the ideas being proposed here and think it's better suited as a separate project. We are closing this for now, if you have a reference, let us know and we will look at it.
As part of the Open Security Summit, we've developed a number of Control Stories and associated scenarios to add to ASVS.
We've developed (Mario Platt, Didar Gelici, Cillian Lyons and Luis Servin) some relating to requirements 8 and 14. You can find some of the content below, meant to be a first pass at creating these for all ASVS requirements:
ASVS - 14.4 Configuration Verification.md
ASVS Section 14
Id: ASVS-4.0-V14.1.1
Id: ASVS-4.0-V14.1.2
Id: ASVS-4.0-V14.1.3
Id: ASVS-4.0-V14.1.5
Id: ASVS-4.0-V14.2.1
Id: ASVS-4.0-V14.2.2
Id: ASVS-4.0-V14.4.1
Id: ASVS-4.0-V14.4.4
ASVS - 8.1 General Data Protection.md
ASVS Section 8
Id: ASVS-4.0-V8.1.1
Id: ASVS-4.0-V8.1.2
Id: ASVS-4.0-V8.1.3