What is new in OWASP ASVS v4.0.1?
OWASP recently published a new iteration of its Application Security Verification Standard, and OWASP ASVS v4.0.1 is now included in IriusRisk so that you can apply it in your threat models.
Rather than creating a brand-new library or new question groups for the component questionnaires, all of the new requirements have been added to the existing Risk Pattern Library, "CS-Default".
This library already contained the older standard, OWASP ASVS v3.0.1, and now also contains OWASP ASVS v4.0.1. The two versions differ in the number of countermeasures and in how the requirements are structured:
- OWASP ASVS v3.0.1 has 19 chapters with 182 requirements.
- OWASP ASVS v4.0.1 has 14 chapters and 69 subchapters, with 286 requirements.
Some countermeasures in v4.0.1 overlap with those of v3.0.1 and others are new. New components were also added to reflect the areas the new standard covers:
- GraphQL Web Service
- RESTful Web Service
- SOAP Web Service
We also added the following levels for this standard:
- OWASP ASVS v4 Level 1
- OWASP ASVS v4 Level 2
- OWASP ASVS v4 Level 3
Shown below are ASVSv3 countermeasures for a Web Application component:
And shown below are ASVSv4 countermeasures for a Web Application component:
What if I don’t want to use the new version 4.0.1 and wish to keep working with version 3.0.1?
After the content upgrade, OWASP ASVS v4.0.1 is enabled by default. To disable it, follow these steps:
- Log in with admin user rights (to be able to access the Settings section).
- Navigate to the Settings section.
- Deselect the checkbox option “Use version 4 of ASVS Standard”
- Click the “Save” button.
What should I do if I do want to use ASVS v4.0.1?
After upgrading to IriusRisk 3.1, OWASP ASVS v4.0.1 is enabled by default and no action is needed. To verify that IriusRisk is using the new version, follow the steps below:
- Log in with admin user rights (to be able to access the Settings section).
- Navigate to the Settings section.
- Ensure the checkbox with the option “Use version 4 of ASVS Standard” is activated.
Why do I see duplicated countermeasures in the CS-Default library?
You may see countermeasures with similar or identical names, descriptions, etc., where the only difference is the set of standards applied to them. This is how backward compatibility with both ASVS3 and ASVS4 is maintained. When you import a risk pattern into your model you will only see the countermeasures related to ASVS3 or to ASVS4, depending on the setting of the checkbox described above.
CS-Default countermeasures are of one of four types:
- Native ASVSv3: countermeasures that belong to the ASVSv3 standard but not to the ASVSv4 standard.
Example: INPUT-VAL
- Native ASVSv4: countermeasures that belong to the ASVSv4 standard but not to the ASVSv3 standard.
Example: ENV-USE
- Non-ASVS: countermeasures that belong to neither the ASVSv3 nor the ASVSv4 standard.
Example: security-logging
- Mixed ASVS: countermeasures that belong to both the ASVSv3 and the ASVSv4 standards.
Example: PROPER-REVOCATION-CERTIFICATE
Which types of countermeasure are imported under each setting:
If ASVSv4 setting is ON in IriusRisk:
Countermeasures included in the models:
- Native ASVSv4 countermeasures.
- Non-ASVS countermeasures.
- Mixed ASVS countermeasures.
If ASVSv4 setting is OFF in IriusRisk:
Countermeasures included in the models:
- Native ASVSv3 countermeasures.
- Non-ASVS countermeasures.
- Mixed ASVS countermeasures.
A threat is not imported as expected when using ASVS4
If the option to use ASVS4 countermeasures is enabled and every countermeasure of a given risk pattern is native ASVS3, the threats of that risk pattern will not appear in your product. When a risk pattern is imported into the model, all native ASVS3 countermeasures are removed automatically; this leaves empty threats (threats without any countermeasures), and empty threats are not shown in the model. The same logic applies in reverse when the ASVS4 option is not enabled: threats whose only countermeasures are native ASVS4 are not shown in the model.
For example, suppose that the option to use ASVS4 is marked and you create a risk pattern as follows:
In this case, the only countermeasure in the risk pattern carries ASVS3 standards alone (it is a native ASVSv3 countermeasure). If you create a component that imports this risk pattern, nothing from it will appear in the model:
In summary, the ASVS standard version (3 or 4) you select to create your models influences the number of threats and the countermeasures included in the generated models. It is a global setting that applies to your entire IriusRisk instance.
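To make the filtering rule concrete, the following Python model (an added example, not IriusRisk code) reproduces the four-way classification and the import filter described above, including the dropping of empty threats, using the four countermeasure refs this article cites. The standard mappings, the threat refs and the sample risk pattern are constructed assumptions and do not reflect the real CS-Default content.

```python
"""Model of how the global "Use version 4 of ASVS Standard" setting filters
CS-Default countermeasures when a risk pattern is imported into a model.
Hypothetical reconstruction for illustration only; not IriusRisk's code."""

from dataclasses import dataclass

ASVS3 = "OWASP ASVS v3.0.1"
ASVS4 = "OWASP ASVS v4.0.1"


@dataclass(frozen=True)
class Countermeasure:
    ref: str
    standards: frozenset  # names of the standards the countermeasure maps to


@dataclass(frozen=True)
class Threat:
    ref: str
    countermeasures: tuple


@dataclass(frozen=True)
class RiskPattern:
    ref: str
    threats: tuple


def classify(cm: Countermeasure) -> str:
    """Return one of the four CS-Default countermeasure types."""
    in3, in4 = ASVS3 in cm.standards, ASVS4 in cm.standards
    if in3 and in4:
        return "mixed-asvs"
    if in3:
        return "native-asvs3"
    if in4:
        return "native-asvs4"
    return "non-asvs"  # other standards (or none) do not affect the type


def keep(cm: Countermeasure, use_asvs4: bool) -> bool:
    """Mixed and non-ASVS countermeasures survive either setting; native
    ones survive only when the setting matches their ASVS version."""
    kind = classify(cm)
    if kind in ("mixed-asvs", "non-asvs"):
        return True
    return kind == ("native-asvs4" if use_asvs4 else "native-asvs3")


def import_risk_pattern(pattern: RiskPattern, use_asvs4: bool) -> RiskPattern:
    """Filter each threat's countermeasures and drop threats left with none."""
    kept_threats = []
    for threat in pattern.threats:
        cms = tuple(cm for cm in threat.countermeasures if keep(cm, use_asvs4))
        if not cms:
            continue  # "empty threat": not shown in the model
        kept_threats.append(Threat(threat.ref, cms))
    return RiskPattern(pattern.ref, tuple(kept_threats))


# Constructed sample data. The refs are the ones the article cites; the
# standard mappings, threat refs and pattern are assumptions for this example.
INPUT_VAL = Countermeasure("INPUT-VAL", frozenset({ASVS3}))
ENV_USE = Countermeasure("ENV-USE", frozenset({ASVS4}))
SECURITY_LOGGING = Countermeasure("security-logging", frozenset({"NIST 800-53"}))
PROPER_REVOCATION = Countermeasure("PROPER-REVOCATION-CERTIFICATE",
                                   frozenset({ASVS3, ASVS4}))

SAMPLE_PATTERN = RiskPattern("SAMPLE-RP", (
    Threat("T-INJECTION", (INPUT_VAL,)),              # only a native v3 countermeasure
    Threat("T-CONFIG", (ENV_USE, SECURITY_LOGGING)),  # native v4 plus non-ASVS
    Threat("T-TLS", (PROPER_REVOCATION,)),            # mixed
))


def imported_threat_refs(use_asvs4: bool) -> list:
    """Threat refs that end up in the model for the sample pattern."""
    return [t.ref for t in import_risk_pattern(SAMPLE_PATTERN, use_asvs4).threats]


if __name__ == "__main__":
    for setting in (True, False):
        state = "ON" if setting else "OFF"
        print(f"ASVSv4 setting {state}: {imported_threat_refs(setting)}")
```

With the setting ON, T-INJECTION disappears entirely because its only countermeasure is native ASVSv3; with the setting OFF, T-CONFIG survives only because security-logging is non-ASVS, and ENV-USE is stripped from it. A risk pattern whose threats all end up empty imports nothing at all, which is the situation the article describes.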
What happens to my existing threat models?
Components from existing models will be treated as ASVS v3 components. Countermeasures that will be included for these components are:
- Native ASVSv3 countermeasures.
- Non-ASVS countermeasures.
- Mixed ASVS countermeasures.
Updating existing components in existing products (created with OWASP ASVS v3.0.1) to the new standard v4.0.1 cannot be done automatically. To move a component to the new version, remove the existing component and create a new one, answering the questionnaire exactly as it was answered for the removed component.