verification standard 4 0
play

Verification Standard 4.0 Andrew van der Stock, co-leader ASVS - PowerPoint PPT Presentation

Nov 26, 2023 •490 likes •789 views

Application Security Verification Standard 4.0 Andrew van der Stock, co-leader ASVS Project March 2019 - NullCon Andrew van der Stock Senior Principal Consultant, Synopsys Technical Leader of Managed Services Joined OWASP late ~2002

  1. Application Security Verification Standard 4.0 Andrew van der Stock, co-leader ASVS Project March 2019 - NullCon

  2. Andrew van der Stock • Senior Principal Consultant, Synopsys • Technical Leader of Managed Services • Joined OWASP late ~2002 • Lifetime OWASP member • Board Member (2015-2018) and Treasurer (2016-2018) • Selected works: • Application Security Verification Standard • OWASP Top 10 {2007, 2017} • OWASP Developer Guide 2.0

  3. What is the ASVS? • Started as 80/20 checklist • Designed to be an actual application security standard • Set of leading practices – even 2.0 was challenging for many • Community and Industry Driven • Completely developed in the open at GitHub • Submit issues! Submit PRs! Translate please!

  4. Who is involved? • You • Andrew van der Stock, Daniel Cuthbert, Jim Manico • Josh Grossman, Mark Burnett, Abhay Bhargarv • Amazing reviewers such as Elar Lang, ossie-git, Ron Perris, Tonimir Kisasondi, Serg Belokamen, Jason Axley, and Adam Caudill

  5. So what’s new?

  6. What’s new • Now completely written in Markdown • Uses MASVS script and CSV generation • Easy to translate • Easy to determine what changed, when, by whom, and why • NIST 800-63 compliance • Data Protection has been upped to be primarily about human sensitive personal identifying information • Helps with GDPR and APPs • IoT ASVS Preview Chapter

  7. Modern web applications • Full support for server-less, responsive applications • Containers • API • DOM • Templating

  8. CWE all the things • Most requested feature for the last decade finally delivered • Let’s talk about CWE for a minute • ASVS is a control based standard • Weaknesses are not controls • CWE is an imperfect mapping, but it’s the mapping we have • Not every item ended up with a CWE. CWE needs our help

  9. What’s changed • Basically everything • Renumbered completely • Each section is reorganized and re-ordered • De-duped. Do not omit any section for your level

  10. L1 is the new minimum • OWASP Top 10 2017 is simply not sufficient • Level 1 is now completely testable using pentest techniques • It’s the only level that is completely penetration testable • Stop penetration testing. Hybrid reviews at least!

  11. PCI DSS 6.5.x • Yep • We even included buffer overflows, integer and safer string operations, as well as ensuring that folks compiled code properly!

  12. What’s gone • Less impactful controls • Controls that were implemented by one browser or language • “Since” • Mobile Chapter (use MASVS) • IoT Chapter (use IoT Project)

  13. Detailed Changes

  14. Architecture • Completely new • Replaces “dead” section with something that can produce secure by default software • Design and build security in! • Level 2 and 3 only

  15. Authentication and NIST 800-63 • Completely aligned with NIST 800-63 • Except that we had to go to 12 characters for SFA passwords • Credentials construction and protection (including credential stuffing) • Credential lifecycle from issuance to retirement • Multi-factor is now expected, crypto devices, web services • JWT, Oauth, federated security • Advanced session management attacks • Half open attack

  16. Validation, Sanitization, and Encoding • Major revamp • Divided into easy to consume sections • Standardized Input and Output Pipelines • Input validation for modern applications and APIs • Output encoding is the new hotness • Injection prevention (including XXE and XML attacks) • SSRF • Deserialization

  17. Communications Security • Now DevSecOps friendly • No more building a secure chain / path … what does that even mean? • Easier to comply … automatically • TLS all the things • Use modern configuration builders • Use the verification tools you use today

  18. Malicious Code • Major update to this section to cover more than just time bombs and Easter eggs • Detect malicious code introduction • Continuous detection through building • Privacy invading libraries (Google’s PUA) mentioned for first time • Malicious business logic, such as salami attacks • Privacy invading permissions (camera, location, microphone, contacts, etc) • Mostly Level 3 for apps that can kill you or run the world economy

  19. Business Logic Verification • Major update • Business logic step order • Business logic human time • Business logic limits • Business logic anti-automation • Threat model (attack driven design) business logic risks • TOCTOU Race conditions that might affect business logic • Monitoring, alerting, and detection of unusual business logic events

  20. Files and Resources • Major revamp • Architecture items moved to architecture • Configuration items moved to configuration • Upload - Size and number • Contents and integrity • Storage, including malicious file detection • Execution, including LFI, RFI, and SSRF • Download

  21. API Security • Total revamp • General controls include common sense API controls • Must be read in conjunction with authentication, authorization and session management • RESTful includes schema validation, CORS and origin attacks • SOAP – fewer more impactful items, far clearer, and not obfuscated • GraphQL and Web Service Data Layer

  22. Configuration • Major revamp • Repeatable, Continuous integration, continuous deployment • Support for DevSecOps culture and agile practices • Containers • Dependency checks mandated • Sandboxing components including uploaded assets • Sub-domain takeover

  23. I’m in. How do I use it?

  24. Generally Accepted Security Practices Secure code review Security architecture Integration testing Developer training Peer coding checklists Hybrid reviews Unit testing DevSecOps automation Vulnerability programs Consultant training Tool Benchmark Secure coding checklist Deployment checklist Penetration test Functional constraints Planning Sprint Assistance Non-functional and functional features Supplier Benchmarking

  25. How do I use it? • Use it as is or fork it • Level 1 – entry level, penetration testing • Level 2 – most apps • Level 3 – apps that can kill you or run the world economy • Deep standards have no bounds

  26. When can I get it? • The ASVS 4.0 Final will be released at nullcon on March 1 • GitHub – Development • OWASP Wiki – Word, PDFs, CSVs, and Hot Linkable markdown

  27. What’s next? • 4.0 is a complete revamp, so likely to have a few issues at least • Minor 0.0.1 updates will address critical issues as necessary • 4.1 will come in 9-12 months or so to address larger changes • OWASP Top 10 2020? • OWASP MASVS • OWASP IoT • OWASP Testing Guide

  28. How to get involved • Grab a copy today and start to migrate from earlier versions and T10 • If it’s not a good fit for you, fork it, and make it your own • We need case studies! If you use ASVS, we’d love to hear from you! • Create issues (4.0.x) or PRs (4.1) if you identify issues • We need translations. Please join the #asvs channel on OWASP Slack

  29. Thank you vanderaj@owasp.org (ASVS) | vander@synopsys.com ($dayjob) @vanderaj

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BEST Design of Steel Columns for Standard Cross-Sections Verification according to DIN

BEST Design of Steel Columns for Standard Cross-Sections Verification according to DIN

BEST Design of Steel Columns for Standard Cross-Sections Verification according to DIN and EN with national annexes for DE, AT, SK/CZ & UK Modelling of multi-storey columns with different stepped cross-sections Use of

210 views • 6 slides
Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva

Introduction to OWASP Mobile Application Security Verification Standard (MASVS) OWASP Geneva 12/12/2016 Jrmy MATOS whois securingapps Developer background Spent last 10 years working between Geneva and Lausanne on security products

867 views • 22 slides
ASIC Physical Design Post-Layout Verification ASIC Physical Design (Standard Cell) (can also do

ASIC Physical Design Post-Layout Verification ASIC Physical Design (Standard Cell) (can also do

ASIC Physical Design Post-Layout Verification ASIC Physical Design (Standard Cell) (can also do full custom layout) Component-Level Netlist (Verilog) Std. Cell Cadence: Floorplan Layouts Encounter Chip/Block (std cells) Libraries

1.13k views • 33 slides
Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records OVERVIEW 01 04 Scope of Verification Peggys Picks Types of verification, Verifying exam results or parameters, privacy graduation using databases

1.25k views • 81 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
W+ Standard Verification Information Webinar Liz Allen & Lisa McMullan Social Audit Network

W+ Standard Verification Information Webinar Liz Allen & Lisa McMullan Social Audit Network

W+ Standard Verification Information Webinar Liz Allen & Lisa McMullan Social Audit Network May 2019 Webinar hosts, SAN Directors Lisa McMullan Liz Allen Social enterprise, corporate social Womens entrepreneurship,

490 views • 19 slides
Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and Validation Does the program you built do what you designed it to do? Dr. James A. Bednar Validation is getting the right system : jbednar@inf.ed.ac.uk

331 views • 8 slides
Switchboard Testing as per IEC 61439 Part 1 & 2 LV Assemblies Standard IEC 61439 Series

Switchboard Testing as per IEC 61439 Part 1 & 2 LV Assemblies Standard IEC 61439 Series

Switchboard Testing as per IEC 61439 Part 1 & 2 LV Assemblies Standard IEC 61439 Series Part 2 to 7: Part 0: Relevant Part 1 : General Rule Assembly Guide Standard Simplifying Panel Building Design Verification Methods by IEC 61439

643 views • 42 slides
Verification and Validation Steven Zeil February 13, 2013 Verification and Validation

Verification and Validation Steven Zeil February 13, 2013 Verification and Validation

Verification and Validation Verification and Validation Steven Zeil February 13, 2013 Verification and Validation Outline The Process 1 Non-Testing V&V 2 Code Review Mathematically-based verification Static analysis tools

790 views • 55 slides
Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Reading Strand and Ideas Standard Statement 9 Range of Reading and Standard Statement 10 Level

Standard Statement 1 Standard Statement 2 Key Ideas and Details Standard Statement 3 Reading: Literature Standard Statement 4 Standard Statement 5 Craft and Structure Standard Statement 6 Standard Statement 7 Integration of Knowledge

391 views • 16 slides
Verification regulations: Description Draft to define model for meeting verification

Verification regulations: Description Draft to define model for meeting verification

Verification regulations: Description Draft to define model for meeting verification regulations Verification Code Extension (draft-gould-eppext-verificationcode) Purpose Separate verification details from registry interface

167 views • 6 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Session 14: Poster highlights 14b. Medical Physics Dosimetry and verification Ben Mijnheer

Session 14: Poster highlights 14b. Medical Physics Dosimetry and verification Ben Mijnheer

Session 14: Poster highlights 14b. Medical Physics Dosimetry and verification Ben Mijnheer Absorbed dose to water FeSo4- based standard for 192 Ir HDR C. E. deAlmeida 1 ; R. Ochoa 1 ; C. Austerlitz 2 ; M. Coelho 1 ; M. G. David 1 ; J. G.

570 views • 37 slides
Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of

Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of

Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of assets for initial and re-determinations for OSIP-M consumers without SSI. Asset Verification Service Kick-Off 11/8/18 Introduce Project Team

253 views • 14 slides
Test and Verification Solutions The Verification Experts Essentials for Developing and Deploying

Test and Verification Solutions The Verification Experts Essentials for Developing and Deploying

Test and Verification Solutions The Verification Experts Essentials for Developing and Deploying SV-based VIP DV Club Presentation (23 April 2012) NEED FOR VERIFICATION IP Why do we need VIPs? Time To Market Ready-to-integrate models

403 views • 22 slides
Systema(c Explora(on of Computa(onal Music Structure Research Oriol

Systema(c Explora(on of Computa(onal Music Structure Research Oriol

Systema(c Explora(on of Computa(onal Music Structure Research Oriol Nieto Juan Pablo Bello New York City, NY, USA August 10th, 2016 Outline - MIR task:

409 views • 16 slides
ECO 199 GAMES OF STRATEGY Spring Term 2004 April 1 STRATEGIC MOVES SUMMARY AND

ECO 199 GAMES OF STRATEGY Spring Term 2004 April 1 STRATEGIC MOVES SUMMARY AND

ECO 199 GAMES OF STRATEGY Spring Term 2004 April 1 STRATEGIC MOVES SUMMARY AND CREDIBILITY PURPOSES OF THREATS AND PROMISES 1. Deterrence Stop the other from doing something that he would otherwise have done 2. Compellence

217 views • 4 slides
Boundaries and novelty: the correspondence between points of change and perceived boundaries

Boundaries and novelty: the correspondence between points of change and perceived boundaries

Boundaries and novelty: the correspondence between points of change and perceived boundaries Jordan B. L. Smith, Ching-Hua Chuan and Elaine Chew DMRN+7 18 December 2012 Outline I. What the research is about and why it is very interesting

597 views • 45 slides
WHAT WE ARE WORKING TOWARDS Automated process of generating complex, bespoke assemblies in BIM

WHAT WE ARE WORKING TOWARDS Automated process of generating complex, bespoke assemblies in BIM

MassBespoke A BRIEF OVERVIEW MassBespoke Buildings by their very nature are bespoke and their individual recurring design requirements have restricted the technological advancements which can be made when compared to those in

695 views • 7 slides
distress Peter Gotham Gotham Consulting Ltd peter.gotham@gmail.com Who am I? Peter Gotham

distress Peter Gotham Gotham Consulting Ltd peter.gotham@gmail.com Who am I? Peter Gotham

Working with organisations in financial distress Peter Gotham Gotham Consulting Ltd peter.gotham@gmail.com Who am I? Peter Gotham Former head Charities and Social Enterprise @ MHA Specialist in support to this sector including

549 views • 10 slides
Journal Paper Writing Club Mark Nixon a nd any academics and all Audience participation is

Journal Paper Writing Club Mark Nixon a nd any academics and all Audience participation is

Journal Paper Writing Club Mark Nixon a nd any academics and all Audience participation is welcome!! Edited from V. Patel and M. Nixon BTAS 2018 Conferences/ Workshops/ Schools are part of a students experience They include:

1.34k views • 30 slides
So You Want To Rewrite That Lessons from a successful

So You Want To Rewrite That Lessons from a successful

So You Want To Rewrite That Lessons from a successful rearchitec8ng Camille Fournier @skamille GOTO Chicago 2014 We were failing to support our

838 views • 54 slides
Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret

Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret

Asymmetric crypto Symmetric Source: Wikipedia Before cryptography: exchanging keys Secret key Only Alice and Bob know the secret key Private key Only Alice's knows Alice's private key (Bob doesn't know and never finds out)

1.07k views • 35 slides

More recommend