Roadmap to version 5.0
This document states the leadership team's objectives for ASVS 5.0.
We want to publish this publicly so that our direction is clear. All changes/issues to be handled for 5.0 should be mapped to one of these objectives.
Our driving philosophy for 5.0 is to increase usability and lower the barrier to entry.
We are now in the final countdown to ASVS 5.0.
We are finishing the rework of existing chapters over the next couple of weeks, culminating in an intensive effort to finalize requirement content during the OWASP Project Summit on 4-8th November.
We will then work on finishing the other content with a view to releasing by the end of the year.
- Requirement wording
- Requirement location (chapter and section)
- Chapter text
- Level definitions. See the discussions here.
- Renumbering (including chapter numbering)
- Setting levels.
- Changing the current change tagging into a separate change log.
- Mapping to OWASP CRE.
- Introductory text separate to the chapters
- The appendix sections.
The following sections will highlight our key objectives together with basic actions for each.
- Deduplicate existing requirements
- Clarify or correct existing requirements
- Add new requirements but only if we specifically feel they are important or someone in the community is prepared to provide us with a good draft.
- Make level rationale clearer (maybe use AAL as inspiration) and focus this on risk rather than testability.
- Move level 1 items into level 2 to make a lower barrier to entry.
- Be clear that level 1 does not prove compliance, only level 2 and 3.
- Have an export option and an export artefact for “ASVS lite”
- Move all mappings including CWE and NIST to a separate location.
- Make clear that we do not maintain mappings other than CWE and NIST and any others are community contributed/maintained.
- We should make sure this is clearly documented in ASVS and in the README?
- Move explanatory text to the end of the document.
- Remove or reduce as much explanatory text as possible from around the requirements in the individual chapters as we don’t think anyone is reading it. References we should keep.
- Where requirements are too detailed, we should abstract them and refer to relevant cheat-sheets or other materials in the explanatory text.
All issues should be marked with one of the following labels:
The following link should therefore show no issues:
The aim is to move all "_5.0 - prep" issues to be either closed or to have the "4b Major-rework" status. All items with the "4b Major-rework" status should also have a section label applied to them.
As such, the list of issues to focus on is: https://github.com/OWASP/ASVS/issues?q=is%3Aopen+is%3Aissue+-label%3A%224b+Major-rework%22+label%3A%22_5.0+-+prep%22 (Need to continue from #1420)
Breakdown of issues: