OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Map WSTG to ASVS and determine coverage and possible knowledge gaps #261

Open RiieCco opened 4 years ago

RiieCco commented 4 years ago

What would you like added? See how the testing guide content correlates to ASVS controls and determine effective coverage. This will help ASVS users to get more context with the controls. This can then also be used in SKF when generating requirements.

Would you like to be assigned to this issue? Check the box if you will submit a PR to add the proposed content. Please read CONTRIBUTING.md.

RiieCco commented 4 years ago

https://docs.google.com/spreadsheets/d/1CPaeT1bCoI7OydbNJaIVb4i9QEgyxMydGqSiBSK0aKk

kingthorin commented 4 years ago

This kind of requires ASVS to formalize their reference standard: https://github.com/OWASP/ASVS/issues/715

ThunderSon commented 4 years ago

The above doc kind of shifted gears and is actually building the full CRE repository, and inside it there is a direct mapping between ASVS and WSTG and other projects.

kingthorin commented 4 years ago

What I was getting at is that if we are going to reference ASVS in WSTG we need a solid way to do it.

themayursinha commented 4 years ago

Is it going to be released in WSTG v5?

ThunderSon commented 4 years ago

Hello @themayursinha! This task is somewhat going to be a bit bigger. Since we saw such a huge opportunity out of this, a project is currently being run in parallel to map out requirements, test guides, code advice, standards, policies, etc. This project is the Integration Standards Project. We are looking to have some sort of an MVP in the summer. A lot of thought is going into it.

All projects will be affected and linked under a certain umbrella ID, and that ID will create the maps underneath it.

In short, there is work happening to make that happen :)

github-actions[bot] commented 4 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

ThunderSon commented 4 years ago

As this is the work of another project, this will be closed and tracking should follow with the other project :)

jeremychoi commented 4 years ago

While this was closed and there was the other project, I've created https://github.com/jeremychoi/owasp-asvs-wstg-checklist which would be relevant to this issue.

ThunderSon commented 4 years ago

@jeremychoi this is different! I love it. @kingthorin this is something we should look into taking in.

Why is this different? This allows the attacker and the reviewer to understand the level of coverage, and their stance overall, which is different from simply mapping everything together! The new project will map things out, but not give smart information (yet) :)

I'll await Rick's comments, once done, if in agreement, create a PR to add the XLSX to this repository!

Thanks :)

jeremychoi commented 4 years ago

@ThunderSon I see. Thanks. If the files could be added to this repo, that would be great. One thing I am not sure about is if there is something to be done with regards to the license (MIT) of the spreadsheet file. I created them based on https://github.com/shenril/owasp-asvs-checklist and added the WSTG mapping information to it. Your help would be appreciated on that.

kingthorin commented 4 years ago

Sure, I guess I'm fine with it being added as a checklist artifact. It would be really nice if it was a non-proprietary format like TSV, CSV, etc. instead of XLS/XLSX though. If it has to be maintained/offered as an Excel file then it should be done similar to the existing one (specifying the hash and other info).

jeremychoi commented 4 years ago

Thanks for the comment. I'll create a csv one soon.

ThunderSon commented 4 years ago

@jeremychoi this is not critical nor urgent. Actually this can wait until v5 is being prepared. Since you poked at another issue, #492, that one is definitely more critical if we can focus on it.

github-actions[bot] commented 4 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 2 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

themayursinha commented 2 years ago

Hi, I've been wondering if this is already applied in the new version?

kingthorin commented 2 years ago

The issue would be closed if the work was done :wink:

ryarmst commented 2 weeks ago

If this is still intended, I did some work on ASVS V5 and would be happy to work on mapping.