-
ASVS is strictly the Application Security Verification Standard, and the scope for v5.0 is made more precise based on that. Guidance is more the Cheat Sheet area. A verification requirement has a "true or false" outcome and applies to everyone, while guidance is wide open and depends a lot on the solution - one cannot fit everyone. What is also in for v5.0 is that there are requirements for documented security decisions that are pre-condition information for implementation and later testing.
-
While this is a Verification standard, I think it's important to get the point across that the ASVS Level that will be adhered to is understood in the early design and build phases.
The biggest challenge for security change is retrofitting security when no one wants to pay for the time, the downtime, or the loss of perceived functionality that wouldn't have made it had the ramifications been understood. There is always a defense compromise, mostly because the app has recently survived a pen-test - not specifically that it's well built, but just that a report is light.
Wouldn't it be great if this was framed as a resource in the design phase and in the verification phase? I assume many are already doing this but ... spell it out, it's an awesome body of work.
Does that make sense? Or what am I missing :)
Should we stick a G in there? Application Security Guidance and Verification Standard
Or am I just being pedantic - looking at you @danielcuthbert :)