[Owasp-leaders] Nominating OWASP ASVS to be adopted by the IDESG Standards Registry
daniel at owasp.org
Tue Aug 11 13:34:28 UTC 2015
I'm all for it, Ann. What do you need from us?
On 24 July 2015 at 14:16, Ann Racuya-Robbins <ann.racuya.robbins at owasp.org> wrote:
> Hi Andrew and all,
> I am following up to see how you feel about the IDESG ASVS Nomination and
> how you would like to proceed.
> Ann Racuya-Robbins
> On Fri, Jul 17, 2015 at 11:55 AM, Ann Racuya-Robbins <
> ann.racuya.robbins at owasp.org> wrote:
>> Thank you for your response. I have included a copy of the Nomination
>> Form and am happy to work with you to give you more background and to
>> complete it. In regard to auditing, the IDESG is considering having
>> third-party auditing for Standard compliance to the IDESG Functional
>> Baseline Requirements. This will be down the road but was simply a question
>> as to whether ASVS has been or more importantly could be put through such a
>> process. For example the Cloud Security Alliance has a self-attestation as
>> well as a third party auditability. I can discuss this with you further.
>> Ann Racuya-Robbins
>> On Thu, Jul 16, 2015 at 10:48 PM, Andrew van der Stock <
>> vanderaj at owasp.org> wrote:
>>> Hi Ann,
>>> Thank you for your work with the IDESG - that's the sort of outreach
>>> that OWASP should be more involved in. I am more than happy to have ASVS
>>> 3.0 included in the IDESG standards registry.
>>> Is there something specific that they are looking for when asking for
>>> the ASVS to be assured (it's a special class of review that offers an
>>> assurance opinion) by an accountancy firm?
>>> For what it's worth, I was the technical leader of the IPBR group
>>> working at one of the Big 4 accounting firms whilst I pushed out ASVS 2.0
>>> and continued the push on ASVS 3.0. We used the ASVS in our work plans for
>>> various types of reviews and assurance. The ASVS is significantly more
>>> thorough and tangible/useful than the work plans that previously existed at
>>> that firm.
>>> However, in my view there's no reason for an accounting firm to assure
>>> an information security standard. That's like me reviewing the GAAP and
>>> offering up my unqualified opinions or one of us doing Google's taxes. Sure
>>> we could do it, but would we do it well?
>>> There are several accountancy-led information security standards out
>>> there, including:
>>> - SSAE 16 (née SAS 70)
>>> - ISACA Cobit
>>> - Most accountancy firms also have internal audit checklists such as
>>> ITGC (IT General Controls)
>>> These do not address the technical aspects of application security like
>>> the ASVS does, and are very unlikely to do so as our field is not an
>>> accountancy body of knowledge.
>>> On Fri, Jul 17, 2015 at 4:50 AM, Ann Racuya-Robbins <
>>> ann.racuya.robbins at owasp.org> wrote:
>>>> Hello all,
>>>> I would like to nominate ASVS to be evaluated for adoption into the
>>>> IDESG Standards Registry either through the IDESG Security Committee or by
>>>> myself working with others in OWASP. The question that came up from the
>>>> IDESG Security Committee is whether or not ASVS has been accepted or
>>>> processed by an auditor.
>>>> Please let me know what the sense is of the ASVS group. I will get the
>>>> Evaluation Form to you asap.
>>>> Ann Racuya-Robbins