Hi all,
What skills, level or type of knowledge areas should have a team development to understand the requirements of ASVS?
Thanks in advance for your answers or ideas you can give me.
Best regards
Beto.
Ari said:
I think that is a very good question that we actually should focus more on later editions of the ASVS.
There are at least these things you need to consider:
- what are the most essential pieces of general knowledge the team must have, e.g. understanding the concept of injection or validation
- what coding principles are followed and why (defensive coding, complying with external or internal architecture standards etc — this of course varies but typically a team should have some guiding security and implementation principles, some of which are relatively universal)
- what does the team need to understand about the technology stack they’re using (and I think this is very important thing), that is, how does it work
- what parts of the ASVS are handled already by the technology stack (also an important thing to consider)
In practice, I would think that at the very least, the team needs to understand how HTTP works, how things like HTTP parameters and requests get handled in their application, and what an injection is (as a general concept, not just XSS and SQLi). Also they should have a clear concept how authorisation is supposed to work in the application and be able to validate that with the requirements. I’m less concerned about authentication, as it typically is handled by an external component and just kind of plugged in to the application.
I would put less emphasis on for example session handling (unless you do that in your application, which you shouldn’t) and cryptography (rarely needed). Proper configuration of cookies, secured connections etc. are important, but luckily they can be relatively easily fixed if the team doesn’t get them right already during development.
As for ASVS, would it make sense to somehow categorize verification items based on where they are (or should be) handled, e.g. infrastructure, middleware, program code, centralised libraries etc? Or maybe as part of the ASVS itself, but as a supplemental guide? I can help with this, although it is obvious that there’s no one single categorisation as it depends on what technology is used and how. But I still assert that typically a software development team should only consider a subset of the verification items, while other items are considered by other teams (e.g. infra).