[Owasp-leaders] [OWASP ASVS] OWASP Application Security Verification Standard 3.0.1 released!

Jim Manico jim.manico at owasp.org
Thu Jun 30 07:08:41 UTC 2016


I mostly use it as an aid to woo my dear wife since it reads like poetry. :)

I also use ASVS in my developer training practice to standardize the
courseware material I author. I also use it in my architectural analysis
practice - I fork ASVS with architect teams to help them build
standards[1] for their company. I also use it with certain clients to
help verify the work that their expensive pentest consultants deliver. I
see ASVS as the heart of almost any aspect of an application security
program.

Aloha Daniel, Jim

[1] I think just handing the ASVS standard to developers "from the
security department" is a fundamentally bad idea. It's crucial to go
through an acceptance process where developers/architects review each
requirement with the security team and accept and re-prioritize each
requirement as it fits into their technology stack and culture. Then
ASVS is no longer a forced standard - but a standard that the developer
teams "own". This is subtle but critical to success, IMO.


On 6/30/16 8:36 AM, daniel cuthbert wrote:
> A huge thanks to all who submitted bugs and helped us get to another
> great release. If you've used it at your company, or on a project,
> would you mind dropping us a mail? 
>
> Andrew, Jim and I would love to hear where/how you are using the ASVS.
>
> thanks again to everyone who contributed. 
>
> On 29 June 2016 at 14:19, Andrew van der Stock <vanderaj at owasp.org> wrote:
>
>     Hi there,
>
>     I am pleased to announce that through the auspices of the most
>     awesome AppSec EU Project Summit, the OWASP Application Security
>     Verification Standard 3.0.1 has been released!
>
>     https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Downloads
>
>     List of changes:
>     https://github.com/OWASP/ASVS/issues?q=milestone%3A3.0.1+is%3Aclosed
>
>     Thank you to all those who logged issues, these have all been
>     resolved, making 3.0.1 a much cleaner standard! If you find an
>     issue that needs resolving, please log them directly in GitHub. 
>
>     I think the next version will be v4.0 and let's set a date of
>     AppSec USA 2017, with working parties at each of the Project
>     Summits at AppSec USA 2016 and AppSec EU 2017. 
>
>     Some ideas for future topics of conversation
>
>     * Add infrastructure / platform section
>     * Add SDLC section
>     * Revamp architecture section
>     * Add more requirements on single page application (SPA) applications
>     * Add more DOM protection issues
>     * Consider if we need to add an IoT section
>     * Closer integration with the killer OWASP SKF project (GET IT!)
>     * Closer integration with all the other killer OWASP Guides 
>     * Consider breaking into Core, Mobile, App, SPA, IoT, Web Service
>     so you can mix and match
>     * Maintain all existing sections, weeding out old or ambiguous
>     requirements
>
>     If you feel you have something to contribute, either log issues
>     marked as "4.0" milestone, or mail the ASVS mail list, or mail one
>     of the project leaders! Actively looking for more contributors!
>
>     thanks,
>     Andrew
>
>
>
>
> _______________________________________________
> Owasp-application-security-verification-standard mailing list
> Owasp-application-security-verification-standard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
