ASVS
Support "1.2 Customer testing" from MVSP
"1.2 Customer testing" of MVSP is reproduced below:
1.2 Customer testing
* On request, enable your customers or their delegates to test the security of your application
* Test on a non-production environment if it closely resembles the production environment in functionality
* Ensure non-production environments do not contain production data
Should we include this in the next major release of ASVS and/or be governed upstream by CREST OVS instead?
The parent of this issue is #1151.
I'm not a fan if I'm honest. Firstly, what anyone does with the standard is their choice; we are not governed by anyone, let alone CREST. Telling people to allow testing of their product goes over what I feel is useful.
@set-reminder 5 weeks @tghosth to look at this
⏰ Reminder Wednesday, January 11, 2023 12:00 AM (GMT+01:00)
@tghosth to look at this
As we move with scope more towards "strictly only application", the mentioned customer testing things are out of scope.
Josh can recheck, recommendation to close it.
Thanks @cmlh but I agree with @danielcuthbert and @elarlang in this instance that this item is out of scope.
ASVS states "... to a test application with non-production data, is required ..." which integrates with "Ensure non-production environments do not contain production data" of MVSP.
ASVS states "Test on a non-production environment if it closely resembles the production environment in functionality ..." which integrates with "Test on a non-production environment if it closely resembles the production environment in functionality" of MVSP.