Roadmap to version 5.0 of the OWASP ASVS project

Josh Grossman

Sunday, May 15, 2022

On behalf of the OWASP ASVS leadership team, we are excited to publicise the objectives and roadmap for the upcoming version 5.0 of the flagship OWASP Application Security Project. We are hoping to be able to release a final version by the end of the year but there is a lot to do and we need your help!

Our first milestone is the end of May, by which time we would like to have as much feedback as possible on the current standard so that we can start planning how the next version will look.

You may wish to read through the full objectives and roadmap document (or keep reading this post), review the current “bleeding edge” version of the ASVS document, and check out our guide to contributing, which also includes guidance on the process to go through to provide feedback.

Whilst following that guidance, you are then welcome to respond to existing issues or open a new issue if your topic has not previously been raised.

Background

As the primary application security standard in the industry, it is important that the ASVS does not change too often to make it easier to standardize against and monitor.

On the other hand, with version 4 released back in 2019 we believe that it is time for an update to take into account more recent developments and act on feedback we have received. As such, it is our intention to release a new version around the end of this calendar year.

Plotting a course

In order to be able to release a new major version, obviously we need to plan ahead so that we have enough time to gather feedback, enough time to discuss the feedback, and enough time to write the new version and get feedback on a draft.

For this reason, we are hoping to get as much feedback as possible on the current ASVS version within the next few weeks, via our GitHub repository.

That should allow us to discuss and conclude on the feedback during June and July, prepare a new draft version during August through to October (we too have to take holidays 😃), discuss the draft in November, and finalise the release in December.

Vision for version 5.0

At this point, we don’t necessarily want a complete “from the ground up” rewrite. Our main goal is to take the existing standard and update it with the latest guidance but our guiding star for the release will be usability.

Barrier to entry

We are seeing plenty of interest and engagement around the ASVS but it still has a relatively high barrier to entry, with just level 1 having around 130 requirements. Our aim is to make it easier to start with the standard, without lowering its integrity or making it less comprehensive.

For example, we would rather reduce the number of requirements needed to get to the first level if it means that more organizations can get to that starting level. In time, this will lead them to attempt higher levels as well.

Clarity in the standard

We want to make sure that all requirements are as easily understandable as possible so that users with varying levels of knowledge are able to use the standard effectively.

We’ll also be taking a critical look at the text surrounding the requirements. There is a lot of explanatory text within the standard which is helpful for better understanding the requirements and application security in general. However, it is not clear how many people are really using this. From what we have seen, the main value comes from the requirements themselves, and it is likely that we will try to streamline the overall document to keep the requirements front and centre.

Mappings

There are a lot of requests for mappings, and various mappings are currently being maintained. Our aim is to maintain only the CWE and NIST mappings, with other mappings being maintained by the community on a best-efforts basis. This is to allow us to focus on the requirements themselves.

Similarly, our aim is to move mappings to a separate location within the repository/document to reduce the noise on the pages of the standard and, again, make sure that we are keeping the requirements front and centre.

Summary

We are very grateful to everyone who has spent time providing feedback and contributions to the standard and we hope that you will continue to do so over the coming months. The ASVS is a crucial standard for helping organizations to build secure applications and we are excited to continue its development.

On Behalf of the OWASP ASVS Project Leaders:

  • Daniel Cuthbert
  • Andrew Van der Stock
  • Jim Manico
  • Elar Lang
  • Josh Grossman