
[Clarification/For Discussion] 1.14.4 - "build and verify the secure deployment of the application"

Open blincoln-bf opened this issue 3 years ago • 0 comments

1.14.4 refers to "the secure deployment of the application". It doesn't refer to a CWE. It's unclear to me (and several other people I discussed this with) what is being required here. For context, here is the full text as it stands today:

"Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts."

Here are a few alternative phrasings I can think of depending on what the intent is. I don't know that you need something quite this wordy, just trying to get across the different interpretations I see.

"Verify that the build pipeline contains steps to automatically build and deploy the application in a test environment, then automatically test that the deployment meets security requirements defined in the build pipeline. If the application infrastructure is software defined (such as cloud environment build scripts), verify that the automated build and deploy step creates an ephemeral instance of the infrastructure and deploys the application into that ephemeral instance, and that the automated security validation includes infrastructure-level tests."

"Verify that the build pipeline contains steps to validate the integrity of the source code, such as checking cryptographic signatures on code commits. If the application infrastructure is software defined (such as cloud environment build scripts), verify that the same tests are applied to the infrastructure code."

"Verify that the build pipeline contains a step to generate metadata that can be used to cryptographically validate the integrity of the application, and a step that performs the cryptographic validation to ensure that it is successful. If the application infrastructure is software defined (such as cloud environment build scripts), verify that the build pipeline generates and validates the integrity metadata for the infrastructure components as well."

i.e. is it more like "build and deploy the application, then validate that the deployed application is secure [in some way]", "build the application using secured source code", "build the application deployment package, then validate the security aspects of the deployment package itself", or something else?

If it's the second one, CWE-494 could be referenced. I didn't find a good CWE match for the other two cases.

blincoln-bf, Mar 21 '22 17:03
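The third reading above (build the deployment package, emit integrity metadata, then have a later pipeline step validate it, covering infrastructure code as well as application code) is concrete enough to show in code. The following is an added example written for this page; it is not code from the issue author, from ASVS, or from any ASVS reference project. It assumes a shared pipeline key and uses an HMAC over the manifest as a stand-in for the signature a real pipeline would produce with an asymmetric key held by the build step; the file tree it hashes is constructed inside a temporary directory and is not real build output.

```python
"""Added example: generate an integrity manifest for a deployment package and
verify the package against it in a separate step. Not from the ASVS issue or
the ASVS project. The HMAC key is an assumption standing in for a signing key."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "integrity-manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical JSON so the MAC is computed over exactly one byte sequence.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root: application code and infrastructure code alike."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(root).as_posix()] = sha256_file(p)
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "mac": tag}


def write_manifest(root: Path, key: bytes) -> dict:
    """Build step: emit the manifest next to the package."""
    manifest = build_manifest(root, key)
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_tree(root: Path, key: bytes) -> tuple[bool, list[str]]:
    """Validation step: returns (ok, problems).

    Fails on a bad MAC, a modified file, a missing file, or a file that is
    present on disk but absent from the manifest (an injected artifact).
    """
    try:
        manifest = json.loads((root / MANIFEST_NAME).read_text())
    except (OSError, ValueError) as exc:
        return False, [f"manifest unreadable: {exc}"]
    entries = manifest.get("files", {})
    expected = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        # An unauthenticated file list tells us nothing; stop before trusting it.
        return False, ["manifest MAC mismatch"]
    present = {
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    problems = []
    for rel, digest in entries.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(entries)):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo() -> dict:
    """Constructed package (two files, one app, one IaC) run through four scenarios."""
    key = b"pipeline-secret-for-demo-only"  # assumption: stands in for a signing key
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "infra").mkdir()
        (root / "app" / "service.py").write_text("print('hello')\n")
        iac = 'resource "aws_s3_bucket" "b" {}\n'
        (root / "infra" / "main.tf").write_text(iac)
        write_manifest(root, key)
        results["clean"] = verify_tree(root, key)
        # Infrastructure code changed after the build step signed it.
        (root / "infra" / "main.tf").write_text(iac.replace("{}", '{ acl = "public-read" }'))
        results["tampered_infra"] = verify_tree(root, key)
        (root / "infra" / "main.tf").write_text(iac)
        # A file added after signing, not covered by the manifest.
        (root / "app" / "extra.py").write_text("")
        results["extra_file"] = verify_tree(root, key)
        results["wrong_key"] = verify_tree(root, b"not-the-pipeline-key")
    return results


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(name, "OK" if ok else problems)
```

The manifest is written by the build step and checked by the deployment step, so the check only means something if the two steps do not share a writable workspace that an earlier stage can tamper with; in a real pipeline the MAC would be replaced by a signature whose private key never leaves the build step, and the verifier would hold only the public key.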