[OWASP ASVS] ASVS 3.1 (draft) uploaded to Github

Andrew van der Stock vanderaj at owasp.org
Tue Jan 10 08:56:21 UTC 2017

Hi there,

I've been through almost all of the outstanding GitHub issues, and cleaned
up the IoT donation so we can start to QA it.

I'd really like us to be doing a housekeeping of the ASVS to be released in
time for AppSec EU, and hopefully include the IoT section there, too.

- Ensuring that L1 is completely pen-testable without access to code or
configuration or admins or documentation
- Ensuring that L2 is pretty much the correct level for most application
architecture, development, testing and code review
- Ensuring that L3 is for code that can kill you or has extremely high
validation requirements, such as requiring debugging and backdoors gone
- Finally having a JSON version that has a CWE mapping as well as a
contextualized "what happened to X" available so tools can consume ASVS

The last one is particularly relevant to the new IoT section - I think we
need to revisit each and every requirement to ensure that it adheres to the
basic ASVS-ness of it all.

If we can get through the IoT review, de-dupe and QA before AppSec EU in
May, I'd be happy to call the IoT version "v4.0", but if we can't, let's
hold off on v20 until AppSec USA, and release "v3.1" at AppSec EU. I've
kept v3.1 as the milestone in GitHub, so if you log an issue, please mark
it as v3.1.


Please review and raise issues. I am also more than happy to receive "bike
shedding" comments; these are valuable in getting the ASVS right. Every
little detail is picked up in a standard, and let's get it right.

Additionally, I've had several requests to start an infrastructure version
of the ASVS, to be used by DevOps to build and secure modern
infrastructure. If you are interested in this, please contact me and Daniel,
and let's get it going.
