Application security requires a systematic and holistic approach. However, organizations typically struggle in creating an effective application security (AppSec) program. They often end up in the rabbit hole of fixing security tool-generated vulnerabilities. We believe that leveraging ASVS as a security requirements framework as well as a guide to unit and integration testing is amongst the highest added value security practices. By turning security requirements into “just requirements” organizations can enable a common language shared by all stakeholders involved in the SDLC.
In this talk, we would like to present the case of ASVS-driven development. Firstly, we have analyzed the completed ASVS to determine how much of it could be transformed into security test cases. Our analysis indicates that 162 ASVS requirements (58%) can be automatically verified using unit, integration and acceptance tests. Secondly, we have designed an empirical study where we have added 98 ASVS requirements to the sprint planning of a relatively large web application. We have implemented unit and integration tests for 90 ASVS requirements in 10 man-days that are now part of the security regression test suites.
Our study demonstrates that leveraging ASVS for deriving security test cases can create a common theme across all stages of the software development lifecycle making security everyone’s responsibility.
Speakers
Founder and CEO, Codific
Aram is the founder and CEO of Codific - a Flemish cybersecurity product firm. With over 15 years of experience, he jas a proven track record in building complex software systems by explicitly focusing on software security. Codific’s flagship product, Videolab, is a secure multimedia...
Read More →
Feedback form is now closed.
Feedback Submitted