10.1.1 asks for basic SAST but is L3; should this be L1?

Open jmanico opened this issue 3 years ago • 9 comments

10.1.1 Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections.

jmanico avatar Feb 02 '22 12:02 jmanico

For me, L3 seems more correct.

elarlang avatar Feb 02 '22 12:02 elarlang

Taking into account the development world moving more and more into DevOps and highlighting automation (also security-wise), I find it incomprehensible that a SAST tool is a requirement only for L3, i.e. "the most critical applications" as per the definition in the ASVS.

If the penetration-testable approach needs to be maintained for L1, how about making requirement 10.1.1 mandatory beginning from L2?

mascotter avatar Mar 08 '22 20:03 mascotter

Absolutely I agree this should be a level 1 or 2 requirement. Lack of a static analysis tool during development is close to security negligence these days. +1

jmanico avatar Mar 09 '22 02:03 jmanico

I would make this an L2 requirement. L1 claims to be completely penetration testable, and I would say that this requirement asks for attestation instead.

vdbaan avatar Mar 21 '22 11:03 vdbaan

We are dropping the "testing" designation for each ASVS level and are just moving it to risk levels. We may mimic MASVS where Level 1 is the low baseline for secure apps and level 2 is for advanced apps and drop the three levels.

So if the current three levels were risk levels, would that change your opinion?

Loosely today, level 1 is for public apps and provides low security, level 2 is for sensitive apps and level 3 is for critical infrastructure....

jmanico avatar Mar 21 '22 14:03 jmanico

I like to hear that the ASVS is moving to risk levels.

If that is the case, I would recommend it for Level 1. Even a SAST that is not tuned optimally will provide insight. Perhaps add that the findings of SAST should be blocking from Level 2 onwards.

vdbaan avatar Mar 21 '22 14:03 vdbaan

I agree that using SAST should be a requirement at the most basic levels of ASVS. +1

jmanico avatar Mar 21 '22 16:03 jmanico

I would like to clarify that the purpose of SAST for Level 1 is awareness, especially if the tool is not tuned for the application. For higher levels the tool needs to be tuned to reduce FPs, as those findings are more of a hindrance than a help in raising awareness.

vdbaan avatar Mar 22 '22 14:03 vdbaan

I agree that everyone should run SAST to detect security bugs. But is that what this requirement says?

that can detect potentially malicious code

Not security bugs, but actively malicious code.

Sjord avatar Aug 13 '22 13:08 Sjord

This item has been removed as per #1507; the issue can be closed.

vdbaan avatar Jan 15 '23 12:01 vdbaan