From ec6e69cb94c62960177abffc2c58d21b55c3b90b Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Mon, 26 Oct 2020 00:07:55 +0200 Subject: [PATCH 1/3] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index d67d02f526..2c4fe1b444 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -# THIS BRANCH IS AN UNRELEASED DRAFT -# # OWASP Application Security Verification Standard ![LicenseBadge](https://img.shields.io/badge/license-C_C-blue.svg)
[![LICENSE](https://i.creativecommons.org/l/by-sa/3.0/88x31.png)](http://creativecommons.org/licenses/by-sa/3.0/) From 43df545e9b843f826b95e5021925bbbe63062e87 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Wed, 28 Oct 2020 23:52:41 +0200 Subject: [PATCH 2/3] Update README.md --- README.md | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 2c4fe1b444..c413ffa978 100644 --- a/README.md +++ b/README.md 
@@ -9,20 +9,6 @@ The standard provides a basis for designing, building, and testing technical app **Please [log issues](https://github.com/OWASP/ASVS/issues) if you find any bugs or if you have ideas. We may subsequently ask you to [open a pull request](https://github.com/OWASP/ASVS/pulls) based on the discussion in the issue. We are also actively looking for translations of the 4.n branch.** -## Standard Objectives - -The requirements were developed with the following objectives in mind: - -* Help organizations adopt or adapt a high quality secure coding standard -* Help architects and developers build secure software by designing and building security in, and verifying that they are in place and effective by the use of unit and integration tests that implement ASVS tests -* Help deploy secure software via the use of repeatable, secured builds -* Help security reviewers use a comprehensive, consistent, high quality standard for hybrid code reviews, secure code reviews, peer code reviews, retrospectives, and work with developers to build security unit and integration tests. It is even possible to use this standard for penetration testing at Level 1 -* Assist tool vendors by ensuring there is an easily generatable machine readable version, with CWE mappings -* Assist organizations to benchmark application security tools by the percentage of coverage of the ASVS for dynamic, interactive, and static analysis tools -* Minimize overlapping and competing requirements from other standards, by either aligning strongly with them (NIST 800-63), or being strict supersets (OWASP Top 10 2017, PCI DSS 3.2.1), which will help reduce compliance costs, effort, and time wasted in accepting unnecessary differences as risks. - -ASVS requirement lists are made available in CSV, JSON, and other formats which may be useful for reference or programmatic use. - ## Latest Stable Version - 4.0.2 The latest stable version is version 4.0.2 (dated October 2020), which can be found: 
@@ -33,6 +19,8 @@ The latest stable version is version 4.0.2 (dated October 2020), which can be fo The master branch of this repository will always be the "bleeding edge version" which might have in-progress changes or other edits open. The next release target will be version **4.1**. +For information on changes between 4.0.1 and 4.0.2 of the standard, see [this wiki page](https://github.com/OWASP/ASVS/wiki/What-is-new-in-version-4.0.2) and for a full diff, see [this pull request](https://github.com/OWASP/ASVS/pull/780/files?file-filters%5B%5D=.md&file-filters%5B%5D=.py&file-filters%5B%5D=.sh&file-filters%5B%5D=.yml&file-filters%5B%5D=No+extension) + ### Translations * [OWASP Application Security Verification Standard 4.0.1 Persian (PDF)](4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-fa.pdf) (Thanks to [SajjadPourali](https://github.com/SajjadPourali)) 
@@ -40,6 +28,20 @@ The master branch of this repository will always be the "bleeding edge version" * [OWASP Application Security Verification Standard 4.0 Japanese (PDF)](4.0/OWASP-Application-Security-Verification-Standard-4.0-ja.pdf) (Thanks to Software ISAC Japan / [Riotaro OKADA](https://github.com/okdt)) * [OWASP Application Security Verification Standard 4.0 Turkish (PDF)](4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-tr.pdf) (Thanks to [Fatih ERSINADIM](https://github.com/fatihersinadim)) +## Standard Objectives + +The requirements were developed with the following objectives in mind: + +* Help organizations adopt or adapt a high quality secure coding standard +* Help architects and developers build secure software by designing and building security in, and verifying that they are in place and effective by the use of unit and integration tests that implement ASVS tests +* Help deploy secure software via the use of repeatable, secured builds +* Help security reviewers use a comprehensive, consistent, high quality standard for hybrid code reviews, secure code reviews, peer code reviews, retrospectives, and work with developers to build security unit and integration tests. It is even possible to use this standard for penetration testing at Level 1 +* Assist tool vendors by ensuring there is an easily generatable machine readable version, with CWE mappings +* Assist organizations to benchmark application security tools by the percentage of coverage of the ASVS for dynamic, interactive, and static analysis tools +* Minimize overlapping and competing requirements from other standards, by either aligning strongly with them (NIST 800-63), or being strict supersets (OWASP Top 10 2017, PCI DSS 3.2.1), which will help reduce compliance costs, effort, and time wasted in accepting unnecessary differences as risks. + +ASVS requirement lists are made available in CSV, JSON, and other formats which may be useful for reference or programmatic use. 
+ ## How To Reference ASVS Requirements Each requirement has an identifier in the format `.
.` where each element is a number, for example: `1.11.3`. From 78b4b6c404af99dab66e2cb30ab33b1de48fee94 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Wed, 28 Oct 2020 23:54:16 +0200 Subject: [PATCH 3/3] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c413ffa978..01c4a99007 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ The latest stable version is version 4.0.2 (dated October 2020), which can be fo The master branch of this repository will always be the "bleeding edge version" which might have in-progress changes or other edits open. The next release target will be version **4.1**. -For information on changes between 4.0.1 and 4.0.2 of the standard, see [this wiki page](https://github.com/OWASP/ASVS/wiki/What-is-new-in-version-4.0.2) and for a full diff, see [this pull request](https://github.com/OWASP/ASVS/pull/780/files?file-filters%5B%5D=.md&file-filters%5B%5D=.py&file-filters%5B%5D=.sh&file-filters%5B%5D=.yml&file-filters%5B%5D=No+extension) +For information on changes between 4.0.1 and 4.0.2 of the standard, see [this wiki page](https://github.com/OWASP/ASVS/wiki/What-is-new-in-version-4.0.2) and for a full diff, see [this pull request](https://github.com/OWASP/ASVS/pull/780/files?file-filters%5B%5D=.md&file-filters%5B%5D=.py&file-filters%5B%5D=.sh&file-filters%5B%5D=.yml&file-filters%5B%5D=No+extension). ### Translations
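Review bot: the commit message "Update README.md" on PATCH 1/3 gives no reason for dropping the `# THIS BRANCH IS AN UNRELEASED DRAFT` banner in hunk `@@ -1,5 +1,3 @@`; record why the branch is no longer a draft (the later hunks in this series point at the 4.0.2 release dated October 2020) so the change is explicable from `git log` alone. The unchanged line "The master branch of this repository will always be the "bleeding edge version"..." in PATCH 2/3 still carries the in-progress warning, so the banner is not needed twice; say so in the message rather than leaving the removal unexplained.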
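Review bot: the "full diff" link added in hunk `@@ -33,6 +19,8 @@` of PATCH 2/3 bakes a GitHub UI state (`?file-filters%5B%5D=.md&file-filters%5B%5D=.py&...&file-filters%5B%5D=No+extension`) into a permanent README; those query parameters are not part of any documented stable URL scheme and will quietly stop filtering if GitHub renames them. Link to the plain `https://github.com/OWASP/ASVS/pull/780/files` (or a tag-to-tag compare, if the repository has release tags for 4.0.1 and 4.0.2) and state in prose that the interesting changes are in the Markdown files. The added sentence also has no terminating period, which PATCH 3/3 fixes one commit later; fold that fixup into this commit.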
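Review bot: the `## Standard Objectives` block re-added in hunk `@@ -40,6 +28,20 @@` of PATCH 2/3 is the same text deleted in `@@ -9,20 +9,6 @@`, so this is a pure move of the section from above "Latest Stable Version" to below the translations list, but presented as 14 deletions plus 16 insertions the diff hides whether any bullet was altered on the way. Put the move in its own commit, separate from the 4.0.2 changelog link, or at least review it with `git diff --color-moved` so a reader can confirm the bullets (including the long "Minimize overlapping and competing requirements..." item) are byte-for-byte unchanged.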
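Review bot: PATCH 3/3 changes a single character, adding the trailing period to the "For information on changes between 4.0.1 and 4.0.2..." line that PATCH 2/3 introduced in hunk `@@ -33,6 +19,8 @@`; a standalone "Update README.md" commit that punctuates a line which has not yet landed only adds noise to the history. Squash it into PATCH 2/3 with `git rebase -i` (mark it `fixup`) before merging.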