Roadmap to version 5.0

Josh Grossman edited this page Nov 5, 2024 · 28 revisions

Introduction

This document states the leadership team's objectives for ASVS 5.0.

We want to publish this publicly so that our direction is clear. All changes/issues to be handled for 5.0 should be mapped to one of these objectives.

Our driving philosophy for 5.0 is to increase usability and lower the barrier to entry.

Timescales

We are now in the final countdown to ASVS 5.0.

We are finishing the rework of existing chapters over the next couple of weeks, culminating in an intensive effort to finalize requirement content during the OWASP Project Summit, 4-8th November.

We will then work on finishing the other content with a view to releasing by the end of the year.

What will be finalised during the Project Summit

  • Requirement wording
  • Requirement location (chapter and section)
  • Chapter text
  • Level definitions. See the discussions here.

What will remain afterwards

  • Renumbering (including chapter numbering)
  • Setting levels.
  • Changing the current change tagging into a separate change log.
  • Mapping to OWASP CRE.
  • Introductory text separate from the chapters
  • The appendix sections.

Key Objectives

The following sections will highlight our key objectives together with basic actions for each.

Basic/Standard objectives

  • Deduplicate existing requirements
  • Clarify or correct existing requirements
  • Add new requirements but only if we specifically feel they are important or someone in the community is prepared to provide us with a good draft.

Clearer levels

  • Make level rationale clearer (maybe use AAL as inspiration) and focus this on risk rather than testability.
  • Move level 1 items into level 2 to lower the barrier to entry.
  • Be clear that level 1 does not prove compliance, only level 2 and 3.
  • Have an export option and an export artefact for “ASVS lite”

Mappings

  • Move all mappings including CWE and NIST to a separate location.
  • Make clear that we do not maintain mappings other than CWE and NIST and any others are community contributed/maintained.
  • We should make sure this is clearly documented in ASVS and in the README?

Streamlined document

  • Move explanatory text to the end of the document.
  • Remove or reduce as much explanatory text as possible from around the requirements in the individual chapters as we don’t think anyone is reading it. References we should keep.
  • Where requirements are too detailed, we should abstract them and refer to relevant cheat-sheets or other materials in the explanatory text.

Notes for the road to 5.0

Uncategorized Issues

All issues should be marked with one of the following labels:

  • _5.0 - draft
  • _5.0 - Not blocker
  • _5.0 - prep

The following link should therefore show no issues:

https://github.com/OWASP/ASVS/issues?q=is%3Aopen+is%3Aissue+-label%3A%22_5.0+-+draft%22+-label%3A%22_5.0+-+Not+blocker%22+-label%3A%22_5.0+-+prep%22

Move to rework stage

The aim is to move all "_5.0 - prep" issues to be either closed or to have the "4b Major-rework" status. All items with the "4b Major-rework" status should also have a section label applied to them.

As such, the list of issues to focus on is: https://github.com/OWASP/ASVS/issues?q=is%3Aopen+is%3Aissue+-label%3A%224b+Major-rework%22+label%3A%22_5.0+-+prep%22 (Need to continue from #1420)

Breakdown of issues: five GitHub issue custom searches (link targets not preserved in this copy).

Chapter progress

Chapter  Open Issues                  Status
V1       GitHub issue custom search
V2       GitHub issue custom search   Assigned to Josh
V3       GitHub issue custom search   Assigned to Ryan
V4       GitHub issue custom search   Assigned to Shanni
V5       GitHub issue custom search   Rework / Refresh already done
V6       GitHub issue custom search   Assigned to Daniel
V7       GitHub issue custom search   Rework / Refresh already done, Eden reviewing
V8       GitHub issue custom search
V9       GitHub issue custom search   Rework / Refresh already done
V10      GitHub issue custom search   Assigned to Iman, done for now?
V11      GitHub issue custom search   Completed by Jim
V12      GitHub issue custom search   Assigned to Jim
V13      GitHub issue custom search   Rework / Refresh already done, Assigned to Iman
V14      GitHub issue custom search   Assigned to Meghan (Daniel might also take a look)
V50      GitHub issue custom search   Assigned to Elar
V51      GitHub issue custom search   Assigned to Tobias