[Owasp-leaders] Nominating OWASP ASVS to be adopted by the IDESG Standards Registry

daniel cuthbert daniel at owasp.org
Tue Aug 11 13:34:28 UTC 2015


I'm all for it Ann, what do you need from us?

On 24 July 2015 at 14:16, Ann Racuya-Robbins <ann.racuya.robbins at owasp.org>
wrote:

> Hi Andrew and all,
>
> I am following up to see how you feel about the IDESG ASVS Nomination and
> how you would like to proceed?
>
> Regards,
>
> Ann Racuya-Robbins
>
> On Fri, Jul 17, 2015 at 11:55 AM, Ann Racuya-Robbins <
> ann.racuya.robbins at owasp.org> wrote:
>
>> Thank you for your response. I have included a copy of the Nomination
>> Form and am happy to work with you to give you more background and to
>> complete it. In regards to auditing...the IDESG is considering having a
>> third party auditing for Standard compliance to the IDESG Functional
>> Baseline Requirements. This will be down the road but was simply a question
>> as to whether ASVS has been or more importantly could be put through such a
>> process. For example the Cloud Security Alliance has a self-attestation as
>> well as a third party auditability. I can discuss this with you further.
>>
>> Regards,
>>
>> Ann Racuya-Robbins
>>
>> On Thu, Jul 16, 2015 at 10:48 PM, Andrew van der Stock <
>> vanderaj at owasp.org> wrote:
>>
>>> Hi Ann,
>>>
>>> Thank you for your work with the IDESG - that's the sort of outreach
>>> that OWASP should be more involved in. I am more than happy to have ASVS
>>> 3.0 included in the IDESG standards registry.
>>>
>>> Is there something specific that they are looking for when asking for
>>> the ASVS to be assured (it's a special class of review that offers an
>>> assurance opinion) by an accountancy firm?
>>>
>>> For what it's worth, I was the technical leader of the IPBR group
>>> working at one of the Big 4 accounting firms whilst I pushed out ASVS 2.0
>>> and continued the push on ASVS 3.0. We used the ASVS in our work plans for
>>> various types of reviews and assurance. The ASVS is significantly more
>>> thorough and tangible/useful than the work plans that previously existed at
>>> that firm.
>>>
>>> However, in my view there's no reason for an accounting firm to assure
>>> an information security standard. That's like me reviewing the GAAP and
>>> offering up my unqualified opinions or one of us doing Google's taxes. Sure
>>> we could do it, but would we do it well?
>>>
>>> There are several accountancy-led information security standards out
>>> there, including:
>>>
>>>    - SSAE 16 (nee SAS 70)
>>>    - ISACA Cobit
>>>    - Most accountancy firms also have internal audit checklists such as
>>>    ITGC (IT General Controls)
>>>
>>> These do not address the technical aspects of application security like
>>> the ASVS does, and are very unlikely to do so as our field is not an
>>> accountancy body of knowledge.
>>>
>>> thanks
>>> Andrew
>>>
>>> On Fri, Jul 17, 2015 at 4:50 AM, Ann Racuya-Robbins <
>>> ann.racuya.robbins at owasp.org> wrote:
>>>
>>>> Hello all,
>>>>
>>>> I would like to nominate ASVS to be evaluated for adoption into the
>>>> IDESG Standards Registry either through the IDESG Security Committee or by
>>>> myself working with others in OWASP. The question that came up from the
>>>> IDESG Security Committee is whether or not ASVS has been accepted or
>>>> processed by an auditor?
>>>>
>>>> Please let me know what the sense is of the ASVS group. I will get the
>>>> Evaluation Form to you asap.
>>>>
>>>> Regards,
>>>>
>>>> Ann Racuya-Robbins
>>>>
>>>>
>>>>
>>>
>>>
>>
>