ASVS
Use a story tree to make the requirements more accessible to non-techies.
Ok, so while driving home tonight I listened to an earlier Application Security Weekly episode and learned about the thoughts for the new version from the interview with Josh Grossman. It got me thinking of how to make the ASVS more accessible to orgs in general, and more people in general. One idea I had was to have a tree of day-to-day user stories that all lead to different ASVS requirements. I couldn't find that this suggestion had already been made, but if so, my apologies.
Anyway, with a little help from ChatGPT I made a quick example, and I think it turned out pretty good. This one is based on 2.2.1, which is pretty dense and ridden with sec lingo. The point here isn't that it is the most technical requirement, but it reads kind of "esoteric", if you're not into security and/or authentication in the first place.
```text
--- 8< ---
Protecting Against Unauthorized Access Attempts (Making Sure Only You Can Access Your Account)
├── Story: Jane Notices Suspicious Activity on Her Account
│   ├── Mini-Story: Jane Receives Multiple "Incorrect Password" Notifications
│   │   └── Why It Matters: These Alerts Mean Someone Is Trying to Break into Her Account. The Service Should Limit How Many Wrong Tries Are Allowed (Part of ASVS 2.2.1: Rate Limiting)
│   ├── Mini-Story: After Several Failed Attempts, the Service Asks for a CAPTCHA
│   │   └── Why It Matters: This Extra Step Makes It Harder for Automated Programs to Guess Her Password (Part of ASVS 2.2.1: CAPTCHA)
│   ├── Mini-Story: Jane Can't Log In and Realizes Her Account Is Temporarily Locked
│   │   └── Why It Matters: Temporarily Locking the Account After Wrong Tries Keeps Her Account Safe (Part of ASVS 2.2.1: Soft Lockouts)
│   └── Mini-Story: Jane Finally Unlocks Her Account but Sees Restrictions on Her Login Attempts
│       └── Why It Matters: These Restrictions Prevent Too Many Attempts in a Short Period, Keeping Her Account Secure (Part of ASVS 2.2.1: No More Than 100 Failed Attempts Per Hour)
--- >8 ---
```
It was just a thought, but I think it was worth mentioning. I would love to help, so let me know if this tickles anyone's fancy.
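The controls the story tree walks through, as an added example that is not part of the original issue or of the ASVS project's own code: a small Python login throttle that applies rate limiting, a CAPTCHA step after repeated failures, a temporary (soft) lockout, and the hard cap of no more than 100 failed attempts per account per hour. Only the hourly cap comes from the requirement; the CAPTCHA threshold (3 consecutive failures), the soft-lock threshold (5) and the lock duration (15 minutes) are assumed values chosen for illustration, `password_ok` stands in for a real credential check, and `FakeClock` is a constructed clock so the scenarios run instantly.

```python
"""Added example (not from the ASVS project): login throttle with the
anti-automation controls named in the story tree -- rate limiting, CAPTCHA,
soft lockout, and at most 100 failed attempts per account per hour."""
import time
from collections import deque
from enum import Enum


class Outcome(Enum):
    SUCCESS = "success"                    # password accepted
    FAILED = "failed"                      # wrong password, counted as a failure
    CAPTCHA_REQUIRED = "captcha_required"  # not checked: solve a CAPTCHA first
    LOCKED = "locked"                      # not checked: account is soft-locked
    RATE_LIMITED = "rate_limited"          # not checked: hourly failure cap hit


class FakeClock:
    """Constructed clock for deterministic, instant scenarios."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class _AccountState:
    def __init__(self):
        self.failures = deque()   # timestamps of failed password checks (last hour)
        self.consecutive = 0      # failures since the last success or lockout
        self.locked_until = 0.0   # soft lockout expiry, in clock seconds


class LoginThrottle:
    # Thresholds other than hourly_cap are assumed values for illustration.
    def __init__(self, now=time.time, captcha_after=3, soft_lock_after=5,
                 soft_lock_seconds=15 * 60, hourly_cap=100):
        self.now = now                    # injectable clock
        self.captcha_after = captcha_after
        self.soft_lock_after = soft_lock_after
        self.soft_lock_seconds = soft_lock_seconds
        self.hourly_cap = hourly_cap      # ASVS 2.2.1: no more than 100 per hour
        self._accounts = {}

    def _state(self, user):
        return self._accounts.setdefault(user, _AccountState())

    @staticmethod
    def _prune(st, t):
        # Sliding one-hour window: forget failures older than 3600 s.
        while st.failures and st.failures[0] <= t - 3600:
            st.failures.popleft()

    def failed_attempts_last_hour(self, user):
        st = self._state(user)
        self._prune(st, self.now())
        return len(st.failures)

    def attempt(self, user, password_ok, captcha_ok=False):
        """Apply every gate before the credential is consulted, then record
        the result. Rejected attempts never reveal whether the password was
        right, so they cost the attacker a guess without giving information."""
        t = self.now()
        st = self._state(user)
        self._prune(st, t)
        if t < st.locked_until:
            return Outcome.LOCKED
        if len(st.failures) >= self.hourly_cap:
            return Outcome.RATE_LIMITED
        if st.consecutive >= self.captcha_after and not captcha_ok:
            return Outcome.CAPTCHA_REQUIRED
        if password_ok:                   # stand-in for the real credential check
            st.consecutive = 0
            return Outcome.SUCCESS
        st.failures.append(t)
        st.consecutive += 1
        if st.consecutive >= self.soft_lock_after:
            st.locked_until = t + self.soft_lock_seconds
            st.consecutive = 0            # fresh window once the lock expires
            return Outcome.LOCKED
        return Outcome.FAILED


def jane_story():
    """Replay the story tree: three wrong guesses, a CAPTCHA, a soft lock,
    then Jane logs in herself after the lock expires."""
    clock, th, seen = FakeClock(), LoginThrottle(now=FakeClock()), []
    th = LoginThrottle(now=clock)
    for _ in range(3):
        seen.append(th.attempt("jane", password_ok=False))
        clock.advance(1)
    seen.append(th.attempt("jane", password_ok=False))                 # CAPTCHA
    seen.append(th.attempt("jane", password_ok=False, captcha_ok=True))  # 4th fail
    seen.append(th.attempt("jane", password_ok=False, captcha_ok=True))  # 5th: lock
    seen.append(th.attempt("jane", password_ok=True, captcha_ok=True))   # still locked
    clock.advance(15 * 60)
    seen.append(th.attempt("jane", password_ok=True))                  # unlocked
    return [o.value for o in seen]


def brute_force_hour(seconds=3600):
    """Guesser with a CAPTCHA solver tries once a second for an hour; returns the
    peak number of failed password checks inside any rolling hour."""
    clock, peak = FakeClock(), 0
    th = LoginThrottle(now=clock)
    for _ in range(seconds):
        th.attempt("jane", password_ok=False, captcha_ok=True)
        peak = max(peak, th.failed_attempts_last_hour("jane"))
        clock.advance(1)
    return peak


if __name__ == "__main__":
    print(jane_story())
    print("peak failed checks in an hour:", brute_force_hour())
```

With the defaults, the soft lockout alone holds a persistent guesser to 20 failed checks per hour, well inside the 100 the requirement allows; the hourly cap stays as the hard bound that still applies if a deployment chooses a looser lockout policy.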