SlideShare a Scribd company logo

ASVS 5.0 - The rise of the Security Verification Standard

T
TuynNguyn819213

1. The document discusses the OWASP Application Security Verification Standard (ASVS) which aims to provide requirements for securing applications and be used as an actual security standard. 2. The ASVS is designed to address limitations of other awareness documents and provide comprehensive and practical security requirements organized into three levels. 3. The speaker discusses how the ASVS is being adopted by organizations and assessment companies to help structure application security testing and control documentation. 4. Looking ahead, key principles for the upcoming ASVS 5.0 release focus on clarifying requirements, enhancing explanations of levels, and streamlining the main document to improve usability.

Engineering
1 of 47
Josh Grossman ASVS 5.0 – The rise of the Security Verification Standard Bounce Security and ASVS project co-leader
Josh Grossman ASVS 5.0 - The rise of the Security Verification Standard Bounce Security and ASVS project co-leader
Josh Grossman ■ Over 15 years of IT and Application Security, IT Risk and development experience ■ CTO for Bounce Security, value- driven Application Security support ■ Consulting and training for clients internationally and locally ■ Contact: – @JoshCGrossman – josh@bouncesecurity.com – https://joshcgrossman.com/ – https://appsecg.host – ■ OWASP Israel Chapter Board ■ Co-leader of the OWASP ASVS Project ■ Major Contributor to the OWASP Top Ten Proactive Controls project ■ Contributor to: – OWASP Top 10 Risks – OWASP JuiceShop
Today, I will be mostly discussing… Background to the ASVS 01 What is the OWASP ASVS? 02 What is the plan for version 5.0? 03 How are we seeing it used in industry? 04 How you can you use it and get involved? 05 @JoshCGrossman 4 | ASVS 5.0 - The rise of the Security Verification Standard
BACKGROUND SO, WHAT IS THE ASVS?
Quiz time! You tell me! (Vote with your hands) • Who has heard of the ASVS? • Who has used the ASVS? • Who uses it on an ongoing basis? • Who knows by heart what section V2 is called? • Authentication ☺ • Who can tell me by heart what v4.0.3-2.5.2 says? @JoshCGrossman 6 | ASVS 5.0 - The rise of the Security Verification Standard
BACKGROUND SO, WHAT IS THE ASVS?
SO, WHAT IS THE ASVS? WELL FIRST, WHAT ISN’T THE ASVS
The OWASP Top 10 Risks – The Good • Released every 3-4 years • Led by security experts from around the world - Andrew van der Stock, Neil Smithline, Torsten Gigler, Brian Glas • Public comments and conversation on 2017/2021 choices • Frequently cited • Application security awareness document @JoshCGrossman 9 | ASVS 5.0 - The rise of the Security Verification Standard
The OWASP Top 10 Risks – The Less Good • Spread awareness regarding Web Security issues. • It is not a standard. - Take note, PCI-DSS and others who incorrectly list it as one. • Not a comprehensive list • Bringing problems, not solutions @JoshCGrossman 10 | ASVS 5.0 - The rise of the Security Verification Standard
OWASP Top Ten Proactive Controls • Guidance document • Developer/builder focused Validate All Inputs 05 Define Security Requirements 01 Leverage Security Frameworks and Libraries 02 Secure Database Access 03 Encode and Escape Data 04 Handle All Errors and Exceptions 10 Implement Digital Identity 06 Enforce Access Controls 07 Protect Data Everywhere 08 Implement Security Logging and Monitoring 09 @JoshCGrossman 11 | ASVS 5.0 - The rise of the Security Verification Standard
Top Ten Proactive Controls – The Good • A great starting point • Gives practical prevention details • Also a great team: - Katy Anton, Jim Manico, Jim Bird @JoshCGrossman 12 | ASVS 5.0 - The rise of the Security Verification Standard
Top Ten Proactive Controls – The Less Good • Still not comprehensive • Again, more for awareness • Not organized as a standard @JoshCGrossman 13 | ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 14 | So, watcha gonna do? ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 15 | The OWASP ASVS! ASVS 5.0 - The rise of the Security Verification Standard
WHAT IS THE ASVS SO, WHAT IS THE ASVS?
What is the ASVS? • Requirements for a secure application • Designed to be an actual standard • Set of leading practices • Community and practitioner driven • Developed in the open • Split into 3 levels of requirement @JoshCGrossman 17 | ASVS 5.0 - The rise of the Security Verification Standard
More about ASVS 4.0.3 • Not going to cover today • See my previous talk 😊 https://appsecg.host/asvs @JoshCGrossman 18 | ASVS 5.0 - The rise of the Security Verification Standard
INDUSTRY Use of the ASVS in industry
Use of the ASVS in industry • Develop Secure Requirements • Design Security Checklist • Guidelines for Implementation • Map security properties of a security mechanism • … • Verification Standard @JoshCGrossman 20 | ASVS 5.0 - The rise of the Security Verification Standard
Not this verification! @JoshCGrossman 21 | ASVS 5.0 - The rise of the Security Verification Standard
VERIFICATION Verifying the security of an App
What about our usual AppSec verification? Penetration Testing Considered Harmful, Haroon Meer - 44CON 2011 https://www.youtube.com/watch?v=GvX52HPAfBk https://thinkst.com/resources/slides/44con-final.pdf @JoshCGrossman 23 | ASVS 5.0 - The rise of the Security Verification Standard
What about our usual AppSec verification? Penetration Testing Considered Harmful, Haroon Meer - 44CON 2011 https://www.youtube.com/watch?v=GvX52HPAfBk https://thinkst.com/resources/slides/44con-final.pdf @JoshCGrossman 24 | ASVS 5.0 - The rise of the Security Verification Standard
We can do better….can we? @JoshCGrossman 25 | ASVS 5.0 - The rise of the Security Verification Standard
Various suggestions, including: @JoshCGrossman 26 | ASVS 5.0 - The rise of the Security Verification Standard
So, what about AppSec? @JoshCGrossman 27 | ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 28 | Challenges for OWASP 1. How can OWASP remain neutral? 2. How can we drive adoption of standard? 3. How do we know the tester is competent? ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 29 | Case Study 1 - CREST OVS • Defines a standard for performing application security assessments • Based around Levels 1 and 2 of ASVS and MASVS • Intended to result in standardized and comparable reports • % of revenue will be donated back to OWASP • Announced in Summer 2022 ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 30 | CREST OVS - Response to challenges 1. How can OWASP remain neutral? • OWASP defines the standards, CREST does the rest (in consultation with OWASP). • No exclusivity 2. How can we drive adoption of standard? • CREST have experience in getting assessment standards adopted in industry 3. How do we know the tester is competent? • CREST have experience in accrediting testers ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 31 | Case Study 2 – Other industry group • Oversee a large ecosystem of applications • Applications go through some form of ASVS/MASVS based assessment • Type depends on application “impact” • Needs to be scalable ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 32 | Large tech company - Other industry group 1. How can OWASP remain neutral? ▪ OWASP defines the standards, Industry group does the rest (in consultation with OWASP). ▪ No exclusivity 2. How can we drive adoption of standard? ▪ Industry members control the ecosystem 3. How do we know the tester is competent? ▪ Open problem... ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 33 | Other outstanding challenges 4. Usability of standard 5. Scope of standard 6. Scalability of standard ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 34 | Other outstanding challenges 4. Usability of standard • We are planning release 5.0 5. Scope of standard • Let us know in the issues! 6. Scalability of standard • Open problem... ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 35 | ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 36 | Key principles for 5.0 Making it easier to use by: • Clarifying existing requirements and adding new ones based on community feedback • Enhance explanations on the levels and reduce the barrier to entry • Clean up mappings • Streamline the main document ASVS 5.0 - The rise of the Security Verification Standard
ACTION Calls to action
@JoshCGrossman 38 | 1) Get ready for Verification! • Expect ASVS/MASVS assessments based in the future • Application Penetration Testers: Can you start structuring your testing around the *SVS? • Application Developers: Can you structure your control documentation based on *SVS? ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 39 | Jim Manico NAME SURNAME Elar Lang Daniel Cuthbert NAME SURNAME Andrew Van der Stock NAME SURNAME Josh Grossman 2) Help with version 5.0 But we need you too!!! ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 40 | • Submit issues/change suggestions • Submit general feedback • Comment on other people's issues https://github.com/OWASP/ASVS/issues https://github.com/OWASP/ASVS/blob/master/CONTRIBUTING.md 2) Help with version 5.0 ASVS 5.0 - The rise of the Security Verification Standard
https://xkcd.com/2347/ @JoshCGrossman 41 | 3) Support the standard https://xkcd.com/2347/ ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 42 | 3) Support the standard Thanks to our supporters! ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 43 | 3) Support the standard ASVS 5.0 - The rise of the Security Verification Standard
@JoshCGrossman 44 | • Get ready for Verification! • Help with version 5.0 • Support the standard Summary ASVS 5.0 - The rise of the Security Verification Standard
45 | Whilst I have you…
46 | Whilst I have you… Tel Aviv, May 2023 Tell your friends! Tell your employers! https://appsecil.org/ @OWASP_IL
THANK YOU! ASVS Project @OWASP_ASVS https://github.com/OWASP/ASVS https://owasp.slack.com, #project-asvs https://owasp.org/asvs Josh Grossman josh.grossman@owasp.org josh@bouncesecurity.com @JoshCGrossman Any Questions? Thanks to Michal Kamensky for help with the slides

Recommended

Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Agile security
Agile securityAgile security
Agile securityArthur Donkers
 
WAF 101
WAF 101WAF 101
WAF 101Null Bhubaneswar
 

Recommended

Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewalldavidjohnrace
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Agile security
Agile securityAgile security
Agile securityArthur Donkers
 
WAF 101
WAF 101WAF 101
WAF 101Null Bhubaneswar
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfParishSummer
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
Wireless network security
Wireless network security Wireless network security
Wireless network security Aurobindo Nayak
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToJim Gilsinn
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA RulesLionel Faleiro
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationSam Bowne
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:Anton Chuvakin
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISNull Bhubaneswar
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application FirewallChandrapal Badshah
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadarVirginia Fernandez
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy Network Intelligence India
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleRochester Security Summit
 

More Related Content

What's hot

Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfParishSummer
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
Wireless network security
Wireless network security Wireless network security
Wireless network security Aurobindo Nayak
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToJim Gilsinn
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationSam Bowne
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 

What's hot (20)

Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdf
 
Wireless network security
Wireless network security Wireless network security
Wireless network security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
 
Sigma and YARA Rules
Sigma and YARA RulesSigma and YARA Rules
Sigma and YARA Rules
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
Application Security
Application SecurityApplication Security
Application Security
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 

Similar to ASVS 5.0 - The rise of the Security Verification Standard

Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleRochester Security Summit
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017malvvv
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)PrashantDhakol
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfSamSepiolRhodes
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPROWASP
 
In that case, we have an OWASP Top 10 opportunity...
In that case, we have an OWASP Top 10 opportunity...In that case, we have an OWASP Top 10 opportunity...
In that case, we have an OWASP Top 10 opportunity...Josh Grossman
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersDenim Group
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр АнтухOWASP Russia
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Denim Group
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?Black Duck by Synopsys
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce
 

Similar to ASVS 5.0 - The rise of the Security Verification Standard (20)

Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Owasp top 10-2017
Owasp top 10-2017Owasp top 10-2017
Owasp top 10-2017
 
Owasp top 10 2017 (en)
Owasp top 10 2017 (en)Owasp top 10 2017 (en)
Owasp top 10 2017 (en)
 
OWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdfOWASP_Top_10-2017_(en).pdf.pdf
OWASP_Top_10-2017_(en).pdf.pdf
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR
 
In that case, we have an OWASP Top 10 opportunity...
In that case, we have an OWASP Top 10 opportunity...In that case, we have an OWASP Top 10 opportunity...
In that case, we have an OWASP Top 10 opportunity...
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014Institute of Internal Auditors Presentation 2014
Institute of Internal Auditors Presentation 2014
 

Recently uploaded

Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxvipinkmenon1
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningmisbanausheenparvam
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLDeelipZope
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 

Recently uploaded (20)

Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Introduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptxIntroduction to Microprocesso programming and interfacing.pptx
Introduction to Microprocesso programming and interfacing.pptx
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
chaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learningchaitra-1.pptx fake news detection using machine learning
chaitra-1.pptx fake news detection using machine learning
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 

ASVS 5.0 - The rise of the Security Verification Standard

  • 1. Josh Grossman ASVS 5.0 – The rise of the Security Verification Standard Bounce Security and ASVS project co-leader
  • 2. Josh Grossman ASVS 5.0 - The rise of the Security Verification Standard Bounce Security and ASVS project co-leader
  • 3. Josh Grossman ■ Over 15 years of IT and Application Security, IT Risk and development experience ■ CTO for Bounce Security, value- driven Application Security support ■ Consulting and training for clients internationally and locally ■ Contact: – @JoshCGrossman – josh@bouncesecurity.com – https://joshcgrossman.com/ – https://appsecg.host – ■ OWASP Israel Chapter Board ■ Co-leader of the OWASP ASVS Project ■ Major Contributor to the OWASP Top Ten Proactive Controls project ■ Contributor to: – OWASP Top 10 Risks – OWASP JuiceShop
  • 4. Today, I will be mostly discussing… Background to the ASVS 01 What is the OWASP ASVS? 02 What is the plan for version 5.0? 03 How are we seeing it used in industry? 04 How you can you use it and get involved? 05 @JoshCGrossman 4 | ASVS 5.0 - The rise of the Security Verification Standard
  • 6. Quiz time! You tell me! (Vote with your hands) • Who has heard of the ASVS? • Who has used the ASVS? • Who uses it on an ongoing basis? • Who knows by heart what section V2 is called? • Authentication ☺ • Who can tell me by heart what v4.0.3-2.5.2 says? @JoshCGrossman 6 | ASVS 5.0 - The rise of the Security Verification Standard
  • 8. SO, WHAT IS THE ASVS? WELL FIRST, WHAT ISN’T THE ASVS
  • 9. The OWASP Top 10 Risks – The Good • Released every 3-4 years • Led by security experts from around the world - Andrew van der Stock, Neil Smithline, Torsten Gigler, Brian Glas • Public comments and conversation on 2017/2021 choices • Frequently cited • Application security awareness document @JoshCGrossman 9 | ASVS 5.0 - The rise of the Security Verification Standard
  • 10. The OWASP Top 10 Risks – The Less Good • Spread awareness regarding Web Security issues. • It is not a standard. - Take note, PCI-DSS and others who incorrectly list it as one. • Not a comprehensive list • Bringing problems, not solutions @JoshCGrossman 10 | ASVS 5.0 - The rise of the Security Verification Standard
  • 11. OWASP Top Ten Proactive Controls • Guidance document • Developer/builder focused Validate All Inputs 05 Define Security Requirements 01 Leverage Security Frameworks and Libraries 02 Secure Database Access 03 Encode and Escape Data 04 Handle All Errors and Exceptions 10 Implement Digital Identity 06 Enforce Access Controls 07 Protect Data Everywhere 08 Implement Security Logging and Monitoring 09 @JoshCGrossman 11 | ASVS 5.0 - The rise of the Security Verification Standard
  • 12. Top Ten Proactive Controls – The Good • A great starting point • Gives practical prevention details • Also a great team: - Katy Anton, Jim Manico, Jim Bird @JoshCGrossman 12 | ASVS 5.0 - The rise of the Security Verification Standard
  • 13. Top Ten Proactive Controls – The Less Good • Still not comprehensive • Again, more for awareness • Not organized as a standard @JoshCGrossman 13 | ASVS 5.0 - The rise of the Security Verification Standard
  • 14. @JoshCGrossman 14 | So, watcha gonna do? ASVS 5.0 - The rise of the Security Verification Standard
  • 15. @JoshCGrossman 15 | The OWASP ASVS! ASVS 5.0 - The rise of the Security Verification Standard
  • 16. WHAT IS THE ASVS SO, WHAT IS THE ASVS?
  • 17. What is the ASVS? • Requirements for a secure application • Designed to be an actual standard • Set of leading practices • Community and practitioner driven • Developed in the open • Split into 3 levels of requirement @JoshCGrossman 17 | ASVS 5.0 - The rise of the Security Verification Standard
  • 18. More about ASVS 4.0.3 • Not going to cover today • See my previous talk 😊 https://appsecg.host/asvs @JoshCGrossman 18 | ASVS 5.0 - The rise of the Security Verification Standard
  • 19. INDUSTRY Use of the ASVS in industry
  • 20. Use of the ASVS in industry • Develop Secure Requirements • Design Security Checklist • Guidelines for Implementation • Map security properties of a security mechanism • … • Verification Standard @JoshCGrossman 20 | ASVS 5.0 - The rise of the Security Verification Standard
  • 21. Not this verification! @JoshCGrossman 21 | ASVS 5.0 - The rise of the Security Verification Standard
  • 23. What about our usual AppSec verification? Penetration Testing Considered Harmful, Haroon Meer - 44CON 2011 https://www.youtube.com/watch?v=GvX52HPAfBk https://thinkst.com/resources/slides/44con-final.pdf @JoshCGrossman 23 | ASVS 5.0 - The rise of the Security Verification Standard
  • 24. What about our usual AppSec verification? Penetration Testing Considered Harmful, Haroon Meer - 44CON 2011 https://www.youtube.com/watch?v=GvX52HPAfBk https://thinkst.com/resources/slides/44con-final.pdf @JoshCGrossman 24 | ASVS 5.0 - The rise of the Security Verification Standard
  • 25. We can do better….can we? @JoshCGrossman 25 | ASVS 5.0 - The rise of the Security Verification Standard
  • 26. Various suggestions, including: @JoshCGrossman 26 | ASVS 5.0 - The rise of the Security Verification Standard
  • 27. So, what about AppSec? @JoshCGrossman 27 | ASVS 5.0 - The rise of the Security Verification Standard
  • 28. @JoshCGrossman 28 | Challenges for OWASP 1. How can OWASP remain neutral? 2. How can we drive adoption of standard? 3. How do we know the tester is competent? ASVS 5.0 - The rise of the Security Verification Standard
  • 29. @JoshCGrossman 29 | Case Study 1 - CREST OVS • Defines a standard for performing application security assessments • Based around Levels 1 and 2 of ASVS and MASVS • Intended to result in standardized and comparable reports • % of revenue will be donated back to OWASP • Announced in Summer 2022 ASVS 5.0 - The rise of the Security Verification Standard
  • 30. @JoshCGrossman 30 | CREST OVS - Response to challenges 1. How can OWASP remain neutral? • OWASP defines the standards, CREST does the rest (in consultation with OWASP). • No exclusivity 2. How can we drive adoption of standard? • CREST have experience in getting assessment standards adopted in industry 3. How do we know the tester is competent? • CREST have experience in accrediting testers ASVS 5.0 - The rise of the Security Verification Standard
  • 31. @JoshCGrossman 31 | Case Study 2 – Other industry group • Oversee a large ecosystem of applications • Applications go through some form of ASVS/MASVS based assessment • Type depends on application “impact” • Needs to be scalable ASVS 5.0 - The rise of the Security Verification Standard
  • 32. @JoshCGrossman 32 | Large tech company - Other industry group 1. How can OWASP remain neutral? ▪ OWASP defines the standards, Industry group does the rest (in consultation with OWASP). ▪ No exclusivity 2. How can we drive adoption of standard? ▪ Industry members control the ecosystem 3. How do we know the tester is competent? ▪ Open problem... ASVS 5.0 - The rise of the Security Verification Standard
  • 33. @JoshCGrossman 33 | Other outstanding challenges 4. Usability of standard 5. Scope of standard 6. Scalability of standard ASVS 5.0 - The rise of the Security Verification Standard
  • 34. @JoshCGrossman 34 | Other outstanding challenges 4. Usability of standard • We are planning release 5.0 5. Scope of standard • Let us know in the issues! 6. Scalability of standard • Open problem... ASVS 5.0 - The rise of the Security Verification Standard
  • 35. @JoshCGrossman 35 | ASVS 5.0 - The rise of the Security Verification Standard
  • 36. @JoshCGrossman 36 | Key principles for 5.0 Making it easier to use by: • Clarifying existing requirements and adding new ones based on community feedback • Enhance explanations on the levels and reduce the barrier to entry • Clean up mappings • Streamline the main document ASVS 5.0 - The rise of the Security Verification Standard
  • 38. @JoshCGrossman 38 | 1) Get ready for Verification! • Expect ASVS/MASVS assessments based in the future • Application Penetration Testers: Can you start structuring your testing around the *SVS? • Application Developers: Can you structure your control documentation based on *SVS? ASVS 5.0 - The rise of the Security Verification Standard
  • 39. @JoshCGrossman 39 | Jim Manico NAME SURNAME Elar Lang Daniel Cuthbert NAME SURNAME Andrew Van der Stock NAME SURNAME Josh Grossman 2) Help with version 5.0 But we need you too!!! ASVS 5.0 - The rise of the Security Verification Standard
  • 40. @JoshCGrossman 40 | • Submit issues/change suggestions • Submit general feedback • Comment on other people's issues https://github.com/OWASP/ASVS/issues https://github.com/OWASP/ASVS/blob/master/CONTRIBUTING.md 2) Help with version 5.0 ASVS 5.0 - The rise of the Security Verification Standard
  • 41. https://xkcd.com/2347/ @JoshCGrossman 41 | 3) Support the standard https://xkcd.com/2347/ ASVS 5.0 - The rise of the Security Verification Standard
  • 42. @JoshCGrossman 42 | 3) Support the standard Thanks to our supporters! ASVS 5.0 - The rise of the Security Verification Standard
  • 43. @JoshCGrossman 43 | 3) Support the standard ASVS 5.0 - The rise of the Security Verification Standard
  • 44. @JoshCGrossman 44 | • Get ready for Verification! • Help with version 5.0 • Support the standard Summary ASVS 5.0 - The rise of the Security Verification Standard
  • 46. 46 | Whilst I have you… Tel Aviv, May 2023 Tell your friends! Tell your employers! https://appsecil.org/ @OWASP_IL
  • 47. THANK YOU! ASVS Project @OWASP_ASVS https://github.com/OWASP/ASVS https://owasp.slack.com, #project-asvs https://owasp.org/asvs Josh Grossman josh.grossman@owasp.org josh@bouncesecurity.com @JoshCGrossman Any Questions? Thanks to Michal Kamensky for help with the slides