bdd-security

OWASP Application Security Validation Mapped to BDD-Security Security Requirements

Open lfatty opened this issue 9 years ago • 3 comments

I was thinking about a way we could map OWASP Application Security Verification Standards to BDD-Security security requirements in each story.

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

lfatty avatar Oct 02 '15 19:10 lfatty

Yes, very easy to do, just add a new meta tag to the story, e.g.:

    Scenario: Transmit authentication credentials over HTTPS
    Meta: @id auth_https @cwe-319-auth @ASVS-2014-1.23
    ...

iriusrisk avatar Oct 04 '15 09:10 iriusrisk

lfatty, I had the same idea about creating BDD requirements for ASVS. I would like to know if someone is working on this task, because I am interested in starting this activity in the next few days. My idea is to create something like a set of BDD stories that could be used as a model or to inspire developers and security teams when creating BDDs focused on security.

tarciziovn avatar May 09 '16 13:05 tarciziovn

@tarciziovn you are very welcome to start working on this! Note that the new v2.0 version was released yesterday, which is 100% Cucumber and not JBehave. The only change to the meta tags is that there is no longer an "ID" tag; they are just free form, e.g.: @cwe-319-auth @ASVS-2014-1.23

iriusrisk avatar May 09 '16 13:05 iriusrisk
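
The free-form tags described in the thread can be turned into an ASVS coverage map by reading them back out of the Cucumber feature files. The script below is an added example, not part of the thread or of the BDD-Security project; the feature text, scenario names and steps are constructed, the function name `map_asvs` is hypothetical, and only the tag formats `@cwe-319-auth` and `@ASVS-2014-1.23` come from the comments above.

```python
import re
from collections import defaultdict

# Constructed sample feature (not taken from the BDD-Security repository).
# The tag formats @cwe-319-auth and @ASVS-2014-1.23 are the ones quoted in the thread.
SAMPLE_FEATURE = """\
@authentication
Feature: Authentication

  @cwe-319-auth @ASVS-2014-1.23
  Scenario: Transmit authentication credentials over HTTPS
    Given a constructed placeholder step

  @asvs-2014-1.23
  Scenario Outline: Login form is only served over HTTPS
    Given a constructed placeholder step for <page>
    Examples:
      | page   |
      | /login |

  @skip
  Scenario: Constructed scenario without an ASVS tag
    Given a constructed placeholder step
"""

TAG_RE = re.compile(r"@[^\s@]+")
ASVS_RE = re.compile(r"@ASVS-(\d{4})-(\d+(?:\.\d+)*)$", re.IGNORECASE)
SCENARIO_RE = re.compile(r"(?:Scenario Outline|Scenario):\s*(.+)")

def map_asvs(feature_text):
    """Return (coverage, unmapped): ASVS id -> scenario names, and scenarios with no ASVS tag."""
    coverage, unmapped = defaultdict(list), []
    feature_tags, pending = [], []
    for raw in feature_text.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            pending += TAG_RE.findall(line)      # tags may be spread over several lines
        elif line.startswith("Feature:"):
            feature_tags, pending = pending, []  # feature tags are inherited by every scenario
        elif line.startswith("Examples:"):
            pending = []                         # tags on an Examples table are not scenario tags
        elif (m := SCENARIO_RE.match(line)):
            tags, pending = feature_tags + pending, []
            ids = sorted({f"ASVS-{a[1]}-{a[2]}" for t in tags if (a := ASVS_RE.match(t))})
            for asvs_id in ids:
                coverage[asvs_id].append(m[1])
            if not ids:
                unmapped.append(m[1])            # scenario has no ASVS mapping yet
    return dict(coverage), unmapped

if __name__ == "__main__":
    print(map_asvs(SAMPLE_FEATURE))
```

The second return value lists scenarios that still lack an ASVS tag, which is the gap list a team would review when extending the mapping.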