OWASP / www-project-security-qualitative-metrics

OWASP Foundation Web Repository
MIT License

Use an up-to-date version of ASVS #4

Open kingthorin opened 3 years ago

kingthorin commented 3 years ago

Per: https://owasp.org/www-project-security-qualitative-metrics/FAQ.html

Version 1.0.0 is prepared based on OWASP ASVS version 3.0. For each item in version 3.0, there is one or more items in OWASP Security Qualitative Metrics Lists.

ASVS 3.0 was released in 2015; six years later, this should be updated to use a 4.x release.

    [27 October 2020] ASVS 4.0.2 released!
    [2 March 2019] ASVS 4.0.1 released!
    [9 March 2018] OWASP ASVS 3.1 Spreadsheet created by August Detlefsen
    [29 June 2016] Version 3.0.1 released
    [9 Oct 2015] Version 3.0 released
    [20 May 2015] “First Cut” Version 3.0 released
    [11 Aug 2014] Version 2.0 released

Ref: https://owasp.org/www-project-application-security-verification-standard/ "News and Events" tab

kingthorin commented 2 years ago

[28 October 2021] ASVS 4.0.3 released!

ferdasonmez commented 2 years ago

Ok. I will check the difference in both versions soon. Thanks


ferdasonmez commented 2 years ago

Hi Again Rick, I need a correct and complete ASVS 3.0 to ASVS 4.0 mapping resource. Of course, I understand that there may be new items, or deleted items, which I will need to work on, but otherwise I need a correct resource. I found this link, but it only includes the comparison for Section 2 and I am not sure if it is correct because it is not on the OWASP site. Can you please guide me on this? I am sure there should be a list somewhere showing the changes made in detail, because ASVS 4.0 didn't come out of nowhere but was built on top of the previous version.

https://docs.google.com/spreadsheets/d/1UbOsbgv4WsmuVuL8M3NoCRD7UQKAw7vl6BLYaLk-EtI/edit#gid=0

I plan to focus on this task on this holiday period, if I can have the resources.

Kind Regards, Dr. Ferda Özdemir Sönmez


kingthorin commented 2 years ago

ASVS isn’t a project I contribute to or use very often. I’m not aware of a concise guide to changes; you’d probably have to look through the repository history. But, given your project is based so closely off that project, it should kind of be maintained in lockstep or you end up in this horrible trying-to-catch-up state :cry:

kingthorin commented 2 years ago

Oops sorry for the duplicate comment, GitHub web ui was misbehaving on my phone.

ferdasonmez commented 2 years ago

Hi Again, I understand that you are trying to help me. Please do not blame me for not maintaining the project in a timely manner. First of all, I do not have enough resources who can do this work, and I have other responsibilities. Even in this condition I became a volunteer to spend my holiday making this version update. Second, I cannot get internal information for ASVS. How can I get all the modification decisions in time for a project that I am not actually part of?

These things should be documented properly, not just for me, of course, but for anybody who may have used ASVS 3 for any purpose, such as evaluating a project, and who may want to use the 4th version in the future for the same project.

Normally, an Excel table showing, for each row, the item number from ASVS 4 or a "Deleted" mark for all items in the 3rd version would do. I am sure this discussion was held and someone noted these changes in some table. For new items coming with the 4th edition, new detailed work can be done. I copied the contents of both versions into an Excel sheet and sorted them in multiple ways. Unfortunately, not only were the numbers changed; although the meaning is still the same or similar (I could only check a small number of items), the wording was changed significantly in both versions. This makes it impossible to sort and check for similar items. I would appreciate any available information and help to form an ASVS 3 to ASVS 4 mapping table, please, from you or from another proper contributor who took an active role in the preparation of the new version.

Kind Regards, Dr. Ferda Özdemir Sönmez


kingthorin commented 2 years ago

It wasn’t meant to be blaming.

ferdasonmez commented 2 years ago

It is ok. What about this part? "I am sure this discussion was held and someone noted these changes in some table. For new items coming with the 4th edition, new detailed work can be done." Is there any person who can provide this information?

Kind Regards, Dr. Ferda Özdemir Sönmez


kingthorin commented 2 years ago

I don’t think so. The document is maintained using a modern development flow, similar to code projects. Changes are discussed in GitHub issues and pull requests. The “history” of the doc is in the repo.

https://github.com/OWASP/ASVS/tree/master

You could join OWASP slack and ask in the #project-asvs channel.

There is some detail of the 4.0.2 to 4.0.3 changes here: https://github.com/OWASP/ASVS/tree/master#latest-stable-version---403.

bkimminich commented 2 years ago

When creating a project that is based on another project in the way SQM depends on ASVS then there's basically two things you can do:

  1. Keep up with the latest changes of the upstream project (i.e. updating to match with their latest version)
  2. Clearly state the last compatible version of the upstream project you support (like you did in the FAQ already, but I would rather replace every mention of "ASVS" in your entire project with "ASVS 3.0" to make it clear)

Obviously 1. is the preferred way to do it if you intend to keep the project active and relevant for the community. With 2. you more or less abandon SQM, and it will become irrelevant at the latest when every user of ASVS has moved to their latest version.

ferdasonmez commented 2 years ago

Hi Björn, I want and am trying to take the first route (making the necessary updates), but not having any structured information regarding backward compatibility of ASVS 4.0 makes it very difficult, nearly impossible for me.

It is sad and very discouraging for me to contribute to any future project if I take the second route (clearly state ASVS 3.0), knowing that the project would be abandoned soon if I do so, after so much effort (months of rigorous work). I am asking for backward compatibility information so that I can work on it and update my project accordingly; so far, no one has provided any information. Everybody acts as if I am asking a weird question (backward compatibility information) and is nearly suggesting that I abandon it.

If OWASP is a foundation, then the contributors should support each other and also the users who potentially use earlier versions. Creating a project update with no backward compatibility does not look professional to me. If I made such a version change, I would have provided a table of the changes, which is not difficult to prepare (not now, but during the version update).

Kind Regards, Dr. Ferda Özdemir Sönmez


bkimminich commented 2 years ago

Referencing document content in a backward-compatible way is kind of a thing of the OWASP Integration Project (via CREs, see opencre.org) and also in the OSIB initiative.

Maybe there is a mapping/migration table available from ASVS, but the best place to find out would be OWASP Slack.

Channels like #project-integration and #project-asvs.

ferdasonmez commented 2 years ago

Hi, I already asked the same question on Slack today. Here is the link. I hope someone can answer.

https://app.slack.com/client/T04T40NHX/C06MNF14M

Kind Regards, Dr. Ferda Özdemir Sönmez
