
Map WSTG to ASVS and determine coverage and possible knowledge gaps

Open RiieCco opened this issue 6 years ago • 22 comments

What would you like added? See how the testing guide content correlates to ASVS controls and determine effective coverage. This will help ASVS users to get more context with the controls. This can then also be used in SKF when generating requirements.

Would you like to be assigned to this issue? Check the box if you will submit a PR to add the proposed content. Please read CONTRIBUTING.md.

  • [x] Assign me, please!

RiieCco, Jan 20 '20 07:01

https://docs.google.com/spreadsheets/d/1CPaeT1bCoI7OydbNJaIVb4i9QEgyxMydGqSiBSK0aKk

RiieCco, Jan 21 '20 16:01

This kind of requires ASVS to formalize their reference standard: https://github.com/OWASP/ASVS/issues/715

kingthorin, Apr 16 '20 02:04

The above doc kind of shifted gears and is actually building the full CRE repository, and inside it there is a direct mapping between ASVS and WSTG and other projects.

ThunderSon, Apr 16 '20 10:04

What I was getting at is that if we are going to reference ASVS in WSTG we need a solid way to do it.

kingthorin, Apr 16 '20 10:04

Is it going to be released in WSTG v5?

themayursinha, Jun 03 '20 15:06

Hello @themayursinha! This task is somewhat going to be a bit bigger. Since we saw such a huge opportunity out of this, a project is currently being run in parallel to map out requirements, test guides, code advice, standards, policies, etc. This project is the Integration Standards Project. We are looking to have some sort of an MVP in the summer. A lot of thought is going into it.

All projects will be affected and linked under a certain umbrella ID, and that ID will create the maps underneath it.

In short, there is work happening to make that happen :)

ThunderSon, Jun 03 '20 15:06

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot], Jul 15 '20 00:07

As this is the work of another project, this will be closed and tracking should follow with the other project :)

ThunderSon, Jul 15 '20 08:07

While this was closed and there was the other project, I've created https://github.com/jeremychoi/owasp-asvs-wstg-checklist which would be relevant to this issue.

jeremychoi, Aug 14 '20 09:08

@jeremychoi this is different! I love it. @kingthorin this is something we should look into taking in.

Why is this different? This allows the attacker and the reviewer to understand the level of coverage, and their stance overall, which is different from simply mapping everything together! The new project will map things out, but not give smart information (yet) :)

I'll await Rick's comments; once done, if in agreement, I'll create a PR to add the XLSX to this repository!

Thanks :)

ThunderSon, Aug 14 '20 10:08

@ThunderSon I see. Thanks. If the files could be added to this repo, that would be great. One thing I am not sure about is whether there is something to be done with regards to the license (MIT) of the spreadsheet file. I created them based on https://github.com/shenril/owasp-asvs-checklist and added the WSTG mapping information to it. Your help would be appreciated on that.

jeremychoi, Aug 18 '20 01:08

Sure, I guess I'm fine with it being added as a checklist artifact. It would be really nice if it was a non-proprietary format like TSV, CSV, etc. instead of XLS/XLSX though. If it has to be maintained/offered as an Excel file then it should be done similar to the existing one (specifying the hash and other info).

kingthorin, Aug 20 '20 16:08
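An added example, not code from the thread or from either linked checklist, of the coverage and gap computation the issue asks for, run over a constructed CSV in the non-proprietary form suggested above and hashed so the artifact can be pinned. The ASVS and WSTG IDs, chapter names and mappings in the sample are illustrative placeholders, not the real checklist's contents.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in the CSV form suggested above: one row per ASVS
# requirement with the WSTG test IDs mapped to it (";"-separated, empty if
# none). IDs and mappings here are illustrative, not the real checklist.
SAMPLE_CSV = """asvs_id,asvs_chapter,wstg_ids
V2.1.1,V2 Authentication,WSTG-ATHN-07
V2.2.1,V2 Authentication,WSTG-ATHN-03;WSTG-ATHN-07
V3.2.1,V3 Session Management,WSTG-SESS-01
V3.3.1,V3 Session Management,
V4.2.2,V4 Access Control,WSTG-SESS-05
V5.3.3,V5 Validation,WSTG-INPV-01;WSTG-INPV-02
V5.3.4,V5 Validation,
"""

def load_mapping(text):
    """Parse the CSV into {asvs_id: (chapter, set of WSTG test IDs)}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(text)):
        ids = {w.strip() for w in row["wstg_ids"].split(";") if w.strip()}
        mapping[row["asvs_id"]] = (row["asvs_chapter"], ids)
    return mapping

def coverage_by_chapter(mapping):
    """Return {chapter: (requirements with a test, total requirements)}."""
    stats = defaultdict(lambda: [0, 0])
    for chapter, ids in mapping.values():
        stats[chapter][1] += 1
        stats[chapter][0] += 1 if ids else 0
    return {c: tuple(v) for c, v in stats.items()}

def knowledge_gaps(mapping):
    """ASVS requirements that no WSTG test covers: the gaps to write up."""
    return sorted(a for a, (_, ids) in mapping.items() if not ids)

def sha256_hex(text):
    """Digest of the artifact, to publish beside it as the thread suggests."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    m = load_mapping(SAMPLE_CSV)
    for chapter, (covered, total) in coverage_by_chapter(m).items():
        print(f"{chapter}: {covered}/{total} requirements have a WSTG test")
    print("gaps:", knowledge_gaps(m))
    print("sha256:", sha256_hex(SAMPLE_CSV))
```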

Thanks for the comment. I'll create a CSV one soon.

jeremychoi, Aug 25 '20 00:08

@jeremychoi this is not critical nor urgent. Actually, this can wait until v5 is being prepared. Since you poked at another issue, #492, that one is definitely more critical if we can focus on it.

ThunderSon, Aug 25 '20 10:08

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot], Oct 15 '20 00:10

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot], Apr 15 '21 02:04

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot], Jun 15 '21 00:06

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot], Oct 15 '21 00:10

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot], Feb 15 '22 00:02

Hi, I've been wondering if this is already applied in the new version?

themayursinha, Jun 29 '22 16:06

The issue would be closed if the work was done :wink:

kingthorin, Jun 29 '22 17:06