ASVS icon indicating copy to clipboard operation
ASVS copied to clipboard

Published 20 hours ago verified publisher icon OWASP

Secure development environments

Open coderpatros opened this issue 3 years ago • 11 comments

Not sure this type of thing would be considered in scope or not.

But containerised, reproducible, ephemeral, development environments are now becoming more commonplace. i.e. Gitpod and GitHub Codespaces.

A see them as a natural next step after doing the same for build environments. i.e. the current requirements for V14.1 Build cover.

Any opinions on this?

coderpatros avatar Oct 28 '21 07:10 coderpatros

Looking to ASVS v5.0, the scope question is at the moment really valid for myself - from what step starts application and what is the scope for ASVS.

Also, need to think with larger view and avoid complete overlap with other standards, like for example: https://github.com/OWASP/Software-Component-Verification-Standard

elarlang avatar Oct 28 '21 11:10 elarlang

Welcome to the Application Security Verification Standard (ASVS) version 4.0. The ASVS is a community-driven effort to establish a framework of security requirements and controls that focus on defining the functional and non-functional security controls required when designing, developing and testing modern web applications and web services.

From the preface, I see this as a control as part of developing modern applications. And, IMHO, isn't that different to controls being specified for build pipelines. If anything, I think it could be an evolution and extension of those controls.

coderpatros avatar Oct 28 '21 11:10 coderpatros

For my taste "Secure development environment" is away from ASVS scope. Where is that line between "in scope" and "not in scope" is question of discussion.

From pen-test point of view, what could be the list of requirements, are they actually testable? Verify that development environment is secure" is not reasonable, but if to start verifying piece by piece from development environment, if feels too far away from application itself. For sure, it's important part of secure application as final product, but this scope...

elarlang avatar Oct 28 '21 12:10 elarlang

I think expanding build and deployment by adding something like these as L3 requirements would be reasonable.

Verify that the application development environment is sandboxed.

Verify that the application development environment is restored from a known good state between units of work.

But completely understand that this might be crossing the line to out of scope.

coderpatros avatar Oct 28 '21 21:10 coderpatros

Should we deprecate https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v142-dependency for the https://github.com/OWASP/Software-Component-Verification-Standard then?

cmlh avatar Oct 28 '21 22:10 cmlh

Should we deprecate master/4.0/en/0x22-V14-Config.md#v142-dependency for the OWASP/Software-Component-Verification-Standard then?

I don't understand what that has to do with these controls?

This is about the environment a developer is using to work on the software. i.e. sandboxing your code, IDE, and local build tools, from other activities like browsing the internet, etc.

It drastically reduces the blast radius of something like the recent ua-parser-js issue.

coderpatros avatar Oct 28 '21 22:10 coderpatros

If I was still preforming https://www.cyber.gov.au/acsc/view-all-content/programs/australian-information-security-evaluation-program and therefore is what Mike Boberski based ASVS ToV on (i.e. Common Criteria) then I'd inspect https://github.com/OWASP/Software-Component-Verification-Standard in addition to https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v142-dependency

I'll raise a separate issue to explore the differences between https://github.com/OWASP/Software-Component-Verification-Standard to that of https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v142-dependency (if any) as the first step before a PR unless @coderpatros knows this already and therefore I'll support his Pull Request to list these requirements as L3 too.

cmlh avatar Oct 31 '21 01:10 cmlh

For ASVS scope discussion we have #1127 now.

elarlang avatar Nov 09 '21 16:11 elarlang

I think this is a good question which will really depend on the outcome of #1127

tghosth avatar Apr 26 '22 18:04 tghosth

In the meantime, @coderpatros what sort of requirements would you expect to see in relation to this?

tghosth avatar Apr 26 '22 18:04 tghosth

Note that I made another comment on https://github.com/OWASP/ASVS/issues/1127#issuecomment-1193352560

tghosth avatar Jul 24 '22 16:07 tghosth

Hi @coderpatros, this was also mentioned in #1315, do you have any opinions on what is written there?

@set-reminder 3 weeks close if no response

tghosth avatar Dec 07 '22 15:12 tghosth

Reminder Wednesday, December 28, 2022 12:00 AM (GMT+01:00)

close if no response

octo-reminder[bot] avatar Dec 07 '22 15:12 octo-reminder[bot]

@tghosth I think the comments about this being out of scope for ASVS make sense.

coderpatros avatar Dec 14 '22 12:12 coderpatros

Thank you for ideas and feedback, I'm closing this one.

elarlang avatar Dec 14 '22 15:12 elarlang

🔔 @tghosth

close if no response

octo-reminder[bot] avatar Dec 27 '22 23:12 octo-reminder[bot]