As digital transformation continues to take over the world, security increasingly becomes a concern for companies of all sizes.
No matter how big a security team you have, it is hard for security and development teams to speak a common language about which controls are needed during the software development life cycle.
To tackle this problem, OWASP released the Application Security Verification Standard (ASVS) towards the end of 2021.
ASVS is a community effort to create a set of generally accepted controls that any organization needs to implement to have adequate security within its development processes.
Here are three ways ASVS can help your organization.
ASVS gives security teams a lot of power as an undeniable source of truth for the maturity of the security program in your organization.
Instead of having your gut feeling guide you, ASVS offers generally accepted standards that can easily quantify your maturity.
For any security-related discussion, numbers always speak louder than words to get other stakeholders' buy-in.
Once you start measuring your maturity with numbers, rest assured that the next management meeting will be different. Unveiling that your organization satisfies only 30% of the required controls will help you rub salt in the wound and grab others’ attention.
As cloud security gains popularity and security questionnaires become an integral part of the vendor selection process, most SaaS companies must now prove their compliance with information security standards such as SOC 2 or ISO 27001 to facilitate their sales process.
Even startups with only a few developers are no exception and face difficulties convincing their auditors that security is an integral part of their software development life cycle.
With limited or no resources allocated to security, it can be a nightmare for startups to figure out where to start their security initiatives.
By providing a framework that can be used for SOC 2 or ISO 27001 audits, ASVS guides startups in the right direction while making it easier to prove to auditors that the relevant security controls are in place.
Depending on your industry and on which team holds more power in the organization, aligning the interests of security and development teams can be a challenge, and their communication is rarely frictionless.
ASVS can help to bring these two teams together and make them talk to each other to reach a common goal.
The first step in implementing ASVS is determining a criticality level for each of your applications, which requires the judgment of both teams.
As teams examine the application and assess the criticality level, this activity offers a great opportunity to instill threat modeling activities into the design phase of the SDLC.
Level 1 is used for all applications that require a bare minimum level of assurance, Level 2 for applications with medium business criticality that might contain sensitive data, and Level 3 for highly critical applications.
Once applications are assigned a level, the set of controls you must comply with differs per level, which makes sense: a customer-facing application is inherently riskier than an internal one and requires more in-depth security controls.
As an orchestration platform aggregating vulnerabilities from multiple sources, Kondukto automatically maps all your vulnerabilities to the relevant ASVS categories using their CWE IDs.
Once applications are assigned a business criticality level as required by the ASVS, Kondukto automatically filters the relevant controls that need to be satisfied in each application.
If a vulnerability with a specific CWE ID breaches one of the controls, Kondukto displays this vulnerability and shows the status of the control as “Not Valid” until the vulnerability is fixed or marked as a false positive or won't fix.
It also displays the ratio of valid controls to total relevant controls so that you can easily track how well you are doing in each category of controls.
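The level-based filtering and CWE-to-control mapping described above, as an added Python example that is not Kondukto's code and does not reflect its internal data model: each control carries the lowest ASVS level at which it applies and a set of CWE IDs; a control is "Not Valid" while any open finding maps onto it and becomes "Valid" again once every such finding is fixed, marked as a false positive, or marked as won't fix; and the per-category ratio counts only the controls relevant to the application's level. The control IDs, categories, CWE mappings and findings are constructed sample data that loosely follow the ASVS 4.0 chapter structure, not values taken from the published standard. The example goes one step beyond the text by also listing the open findings that currently block compliance at a given level, which is the list a team would fix first.

```python
from collections import defaultdict
from dataclasses import dataclass

# Triage states that still count as an open vulnerability. Anything else
# ("fixed", "false_positive", "wont_fix") no longer invalidates a control.
OPEN_STATUSES = frozenset({"open"})


@dataclass(frozen=True)
class Control:
    control_id: str   # illustrative ID, not copied from the standard
    category: str     # ASVS chapter the control belongs to
    min_level: int    # lowest level (1-3) at which the control is required
    cwes: frozenset   # CWE IDs that map onto this control


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cwe: int
    status: str       # "open", "fixed", "false_positive" or "wont_fix"


# Constructed sample controls (assumed IDs and CWE mappings; take real
# mappings from the published ASVS, this is only the shape of the data).
SAMPLE_CONTROLS = (
    Control("V2.1.1", "V2 Authentication", 1, frozenset({521})),
    Control("V3.4.1", "V3 Session Management", 1, frozenset({614})),
    Control("V5.3.3", "V5 Validation, Sanitization and Encoding", 1, frozenset({79})),
    Control("V5.3.4", "V5 Validation, Sanitization and Encoding", 1, frozenset({89})),
    Control("V6.2.2", "V6 Stored Cryptography", 2, frozenset({327})),
)

# Constructed findings, as an aggregator might receive them from scanners.
SAMPLE_FINDINGS = (
    Finding("F-1", 79, "open"),             # XSS, still open
    Finding("F-2", 89, "fixed"),            # SQL injection, already fixed
    Finding("F-3", 327, "open"),            # weak crypto, only relevant at level 2+
    Finding("F-4", 614, "false_positive"),  # cookie flag, triaged as false positive
    Finding("F-5", 1004, "open"),           # CWE with no mapped control: ignored
)


def relevant_controls(controls, app_level):
    """Controls an application at `app_level` must satisfy (levels are cumulative)."""
    if app_level not in (1, 2, 3):
        raise ValueError(f"ASVS level must be 1, 2 or 3, got {app_level!r}")
    return [c for c in controls if c.min_level <= app_level]


def control_status(control, findings):
    """'Not Valid' while any open finding maps onto the control, else 'Valid'."""
    breached = any(f.cwe in control.cwes and f.status in OPEN_STATUSES for f in findings)
    return "Not Valid" if breached else "Valid"


def compliance_report(controls, findings, app_level):
    """Per-control status plus a (valid, total) ratio for each category at the level."""
    statuses = {}
    per_category = defaultdict(lambda: [0, 0])
    for control in relevant_controls(controls, app_level):
        status = control_status(control, findings)
        statuses[control.control_id] = status
        per_category[control.category][1] += 1
        if status == "Valid":
            per_category[control.category][0] += 1
    ratios = {cat: (valid, total) for cat, (valid, total) in per_category.items()}
    return {"level": app_level, "controls": statuses, "categories": ratios}


def blocking_findings(controls, findings, app_level):
    """Open findings that currently invalidate a relevant control: the fix-first list."""
    mapped_cwes = set().union(*(c.cwes for c in relevant_controls(controls, app_level)))
    return [f.finding_id for f in findings
            if f.status in OPEN_STATUSES and f.cwe in mapped_cwes]


if __name__ == "__main__":
    for level in (1, 2):
        report = compliance_report(SAMPLE_CONTROLS, SAMPLE_FINDINGS, level)
        print(f"Level {level}:")
        for category, (valid, total) in report["categories"].items():
            print(f"  {category}: {valid}/{total} valid")
        print("  fix first:", blocking_findings(SAMPLE_CONTROLS, SAMPLE_FINDINGS, level))
```

Note that the same finding set yields different results per level: the weak-crypto finding F-3 leaves the level 1 report untouched because its control is only required from level 2, which is exactly why the criticality decision has to come before any control can be reported as valid or not.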
In short, Kondukto brings visibility into your ASVS compliance process and helps you make informed decisions about your priorities and where to focus your time and effort.