ASVS v4 has been part of IriusRisk since version 3.1.0, enabling our users to ensure compliance with the latest version of the ASVS standard. So as not to disrupt any of our users’ work within their threat models, the previous version (v3) remained available in the platform, preventing any detrimental or unintended effects.
As the majority of our users now use only the current version (v4) of the ASVS standard, we intend to deprecate the v3 standard in the v4.0.0 release, so that no user continues to use the old standard unintentionally. In this document, we explain the impact of this change and answer some common questions that could arise in the process.
Impact of the change
Before updating to version 4.0.0, you should check whether the ASVS version 4 setting is enabled for your IriusRisk instance. To do so, take the following steps:
- Log in with admin user rights (required to access the Settings section).
- Navigate to the Settings section.
- Check whether the option “Use version 4 of ASVS Standard” is enabled.
If you are already using version 4 of the ASVS Standard
If the option “Use version 4 of ASVS Standard” is enabled, you are already working with the latest version of the ASVS standard and there should be no impact on your models after the v4.0.0 update. You can continue working as usual.
If you are using version 3 of the ASVS Standard
If the option “Use version 4 of ASVS Standard” is disabled, you are still working with version 3 of the ASVS Standard, and your workflow could be affected after the IriusRisk update to version 4.0.0. To minimize any potential negative impact of this change, we would like to highlight what it actually means:
- Once you update IriusRisk to version 4.0.0, you will no longer be able to create new products based on the ASVS version 3 security content. Additionally, the ASVS version 3 standards (Level 1, Level 2, and Level 3, as shown in the following figure) will no longer be available.
- New products will automatically use the ASVS version 4 security content. The “Use version 4 of ASVS Standard” flag will no longer appear in the settings, and IriusRisk will behave as if it were enabled, since there will no longer be a v3 standard.
- New components added to existing products will automatically use the ASVS version 4 security content.
- Existing components in existing products (built with OWASP ASVS v3.0.1) cannot be updated automatically to the new standard (ASVS 4.0.1). To create an equivalent component with the new version, remove the existing component and create a new one, answering the questionnaire exactly as you did for the removed component.
- Once the v3 standard is removed, ASVS v3 threats and countermeasures may be removed when a threat model is updated, if any v3 content exists in that threat model. If you wish to keep some of these threats and countermeasures, you can take any of the following steps:
  - Create a new version of the product (see figures below).
  - Lock your threat model (see figure below).
  - Uncheck the option “Automatically remove threats and countermeasures that no longer apply” in the product settings section (see figures below).