├── LICENSE
├── README.md
└── STRIDE-vs-ASVS-4.0.csv

/LICENSE:

MIT License

Copyright (c) 2022 mllamazares

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

/README.md:

# 🖇️ STRIDE vs. ASVS

![](https://img.shields.io/badge/license-MIT-green)
[![](https://img.shields.io/badge/LinkedIn-0077B5?logo=linkedin&logoColor=white)](https://www.linkedin.com/in/mllamazares/)
[![Watch on GitHub](https://img.shields.io/github/watchers/mllamazares/STRIDE-vs-ASVS.svg?style=social)](https://github.com/mllamazares/STRIDE-vs-ASVS/watchers)
[![Star on GitHub](https://img.shields.io/github/stars/mllamazares/STRIDE-vs-ASVS.svg?style=social)](https://github.com/mllamazares/STRIDE-vs-ASVS/stargazers)
[![Tweet](https://img.shields.io/twitter/url/https/github.com/mllamazares/STRIDE-vs-ASVS.svg?style=social)](https://twitter.com/intent/tweet?text=Check%20out%20STRIDE-vs-ASVS%21%20https%3A%2F%2Fgithub.com%2Fmllamazares%2FSTRIDE-vs-ASVS)

This [equivalence table](STRIDE-vs-ASVS-4.0.csv) bridges Threat Modeling with security control definitions by mapping the [STRIDE](https://en.wikipedia.org/wiki/STRIDE_(security)) model to the chapters of the [Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/).

👉 Check out the table here: [STRIDE-vs-ASVS-4.0.csv](STRIDE-vs-ASVS-4.0.csv)

Here’s a high-level diagram of the mapping:

```mermaid
graph LR
    subgraph STRIDE
        A[Spoofing]
        D[Tampering]
        G[Repudiation]
        I[Information disclosure]
        N[Denial of service]
        O[Elevation of privilege]
    end

    subgraph ASVS_Chapter
        B[V2 - Authentication]
        C[V3 - Session Management]
        E[V4 - Access Control]
        F[V5 - Validation, Sanitization and Encoding]
        H[V7 - Error Handling and Logging]
        J[V6 - Stored Cryptography]
        K[V8 - Data Protection]
        L[V9 - Communication]
        M[V14 - Configuration]
    end

    A --> B
    A --> C
    D --> E
    D --> F
    G --> H
    I --> J
    I --> H
    I --> K
    I --> L
    I --> M
    N --> M
    O --> M
    O --> E
```

### ⚠️ Disclaimer

This table is meant to be a simple reference to help connect these two resources. It does **NOT**:
1. Attempt to oversimplify the control selection process, as Security Requirement Engineering (SRE) is more complex and context-dependent.
2. Map all ASVS chapters, since the mapping to STRIDE isn’t always one to one due to:
   - Project-specific factors (e.g., *V12 - Files and Resources*).
   - Topics covered during the design phase (e.g., *V1 - Architecture & Design*).

## Table Format Overview

Here’s a quick rundown of the columns in the STRIDE vs. ASVS table:

1. **STRIDE**: the threat category being mapped.
2. **ASVS Chapter**: the ASVS chapter that addresses the identified threat.
3. **Teams**: the teams typically involved in implementing the control (indicative).
4. **Notes**: additional context or comments, if applicable.
5. **References**: the three reference columns are summarized as:

| Short Name | Reference | Author | Description |
|------------|-----------|--------|-------------|
| RTMP | [**HOWTO-Rapid Threat Model Prototyping** book](https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs/blob/master/18x26.Tutamen%20HOWTO-Rapid%20Threat%20Model%20Prototyping.pdf) | Geoffrey Hill, Tutamantic | Threat Modeling methodology |
| STRIDE-OT10-CWE-OPC-ASVS | [**STRIDE-OT10-CWE-OPC-ASVS** excel](https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs/blob/master/19h20.mar.mapping%20table%20-%20STRIDE-OT10-CWE-OPC-ASVS.xlsx) | Mario Platt | Equivalence matrix between STRIDE and other standards |
| ASVS | [**Application Security Verification Standard v4.0.3**](https://github.com/OWASP/ASVS/tree/v4.0.3/4.0) | OWASP | Standard for testing web applications |

## Sample Workflow

Here’s a step-by-step guide to using this resource in the SRE process:

1. Understand the functional and technical requirements in their business context.
2. Apply Threat Modeling with STRIDE to identify threats.
   - The [RTMP methodology](https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs) is recommended for an agile-friendly approach.
3. Use the [STRIDE vs. ASVS](STRIDE-vs-ASVS-4.0.csv) table to find which ASVS chapter addresses each threat.
4. Adapt the requirements to your project’s specific context.
   - Some controls may need modification, or may not apply.
5. Provide extra context using the [User Stories](https://en.wikipedia.org/wiki/User_story) format, following the [INVEST](https://en.wikipedia.org/wiki/INVEST_(mnemonic)) criteria.
   - Practical examples are available in the [project ASVS User Stories](https://github.com/OpenSecuritySummit/project-ASVS-User-Stories) by [@mario-platt](https://github.com/mario-platt).
6. Automate security controls where possible.
   - Level 1 controls are often easy to automate.
   - Check out the [OWASP ASVS 4.0 testing guide](https://github.com/BlazingWind/OWASP-ASVS-4.0-testing-guide) by [@BlazingWind](https://github.com/BlazingWind) for practical examples.
7. Track the completion of security requirements to manage residual risk.

## Rationale & Acknowledgement

This repository was inspired by [@mario-platt](https://github.com/mario-platt), who contributed to the Rapid Threat Modeling Prototyping (RTMP) repo with the [STRIDE-OT10-CWE-OPC-ASVS](https://github.com/geoffrey-hill-tutamantic/rapid-threat-model-prototyping-docs/blob/master/19h20.mar.mapping%20table%20-%20STRIDE-OT10-CWE-OPC-ASVS.xlsx) comparison table. This table maps STRIDE to ASVS, CWE, OWASP Proactive Controls, and OWASP Top 10.

That table addressed key areas that needed improvement in the RTMP whitepaper, such as the additional step required to select the associated security controls (from OWASP Top 10 to ASVS).

However, the creation of this repo was driven by the following concerns:
1. The OWASP Top 10 reference is outdated (2017 version instead of 2021).
2. The ASVS reference is outdated (v3.0 instead of v4.0).
3. Minor disagreements with some of the proposed categorizations.

## TODO

- [ ] Identify additional references to support the categorization.
- [ ] Break down ASVS chapters into more specific sections.
- [ ] Create a [SecurityRAT](https://owasp.org/www-project-securityrat/) requirement set using this format.

[^1]: HOWTO-Rapid Threat Model Prototyping, page 17

/STRIDE-vs-ASVS-4.0.csv:

```csv
STRIDE,ASVS chapter,Teams,Notes,RTMP Reference,STRIDE-OT10-CWE-OPC-ASVS Reference,ASVS Reference
Spoofing,V2 - Authentication,Development,,A2 Broken Authentication - SRI,S,
Spoofing,V3 - Session Management,Development,,A2 Broken Authentication - SRI,S,
Tampering,V4 - Access Control,Development,,A5 Access Control - ERT,E,page 36 - TE
Tampering,"V5 - Validation, Sanitization and Encoding",Development,,A1 Injection - TED,T,
Repudiation,V7 - Error Handling and Logging,Development,,A10 Insufficient Logging & Monitoring - TRI,RID,page 44 - RI
Information disclosure,V6 - Stored Cryptography,"Development, Infrastructure",,,I,
Information disclosure,V7 - Error Handling and Logging,Development,,A10 Insufficient Logging & Monitoring - TRI,RID,page 44 - RI
Information disclosure,V8 - Data Protection,Development,,,I,
Information disclosure,V9 - Communication,"Development, Infrastructure",,,Scoping and Design,
Information disclosure,V14 - Configuration,"Development, Infrastructure",,A6 Security Misconfiguration - ESI,IDE,
Denial of service,V14 - Configuration,"Development, Infrastructure",,A9 Using Components with know Vuln - ESD,IDE,
Elevation of privilege,V14 - Configuration,"Development, Infrastructure",,A6 Security Misconfiguration - ESI & A9 Using Components with know Vuln - ESD ,IDE,
Elevation of privilege,V4 - Access Control,Development,,A5 Access Control - ERT,E,page 36 - TE
,V1 - Architecture & Design,Design,,,Scoping and Design,
,V10 - Malicious Code,"Development, Infrastructure",,,Scoping and Design,
,V11 - Business Logic,"Design, Development",Depends if the service has this feature,,Scoping and Design,
,V12 - Files and Resources,Development,Related to V1 - Architecture & Design,,Scoping and Design,page 56 - DI
,V13 - API and Web Service,Development,Depends if the service has this feature,,Scoping and Design,
```
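Step 3 of the Sample Workflow, reading the table programmatically: an added example that is not part of this repository. It embeds the header and a subset of rows from STRIDE-vs-ASVS-4.0.csv, looks up the ASVS chapters and teams for the STRIDE categories a threat model produced, and lists the chapters the table deliberately leaves unmapped; the function names are my own.

```python
"""Query the STRIDE-vs-ASVS CSV: which ASVS chapters cover a modelled threat."""
import csv
import io

# Header plus a subset of rows from STRIDE-vs-ASVS-4.0.csv, embedded so this runs offline.
MAPPING_CSV = """\
STRIDE,ASVS chapter,Teams,Notes,RTMP Reference,STRIDE-OT10-CWE-OPC-ASVS Reference,ASVS Reference
Spoofing,V2 - Authentication,Development,,A2 Broken Authentication - SRI,S,
Spoofing,V3 - Session Management,Development,,A2 Broken Authentication - SRI,S,
Tampering,V4 - Access Control,Development,,A5 Access Control - ERT,E,page 36 - TE
Tampering,"V5 - Validation, Sanitization and Encoding",Development,,A1 Injection - TED,T,
Repudiation,V7 - Error Handling and Logging,Development,,A10 Insufficient Logging & Monitoring - TRI,RID,page 44 - RI
Information disclosure,V6 - Stored Cryptography,"Development, Infrastructure",,,I,
Information disclosure,V7 - Error Handling and Logging,Development,,A10 Insufficient Logging & Monitoring - TRI,RID,page 44 - RI
Information disclosure,V14 - Configuration,"Development, Infrastructure",,A6 Security Misconfiguration - ESI,IDE,
Denial of service,V14 - Configuration,"Development, Infrastructure",,A9 Using Components with know Vuln - ESD,IDE,
Elevation of privilege,V14 - Configuration,"Development, Infrastructure",,A6 Security Misconfiguration - ESI & A9 Using Components with know Vuln - ESD ,IDE,
Elevation of privilege,V4 - Access Control,Development,,A5 Access Control - ERT,E,page 36 - TE
,V1 - Architecture & Design,Design,,,Scoping and Design,
,V11 - Business Logic,"Design, Development",Depends if the service has this feature,,Scoping and Design,
"""

def load_mapping(text):
    """Parse the table; csv.DictReader handles the quoted 'V5 - Validation, ...' chapter name."""
    return list(csv.DictReader(io.StringIO(text)))

def chapters_for(threats, rows):
    """Map each STRIDE category found in a threat model to the ASVS chapters that address it.
    A category the table does not know maps to [] rather than raising, so typos stay visible."""
    index = {}
    for row in rows:
        if row["STRIDE"]:  # rows with an empty STRIDE cell are deliberately unmapped chapters
            index.setdefault(row["STRIDE"], set()).add(row["ASVS chapter"])
    return {t: sorted(index.get(t, ())) for t in threats}

def teams_for(chapter, rows):
    """Teams listed for a chapter; the CSV stores several teams in one quoted, comma-separated cell."""
    for row in rows:
        if row["ASVS chapter"] == chapter:
            return [team.strip() for team in row["Teams"].split(",")]
    return []

def unmapped_chapters(rows):
    """Chapters left without a STRIDE category: the context-dependent ones the disclaimer mentions."""
    return sorted({row["ASVS chapter"] for row in rows if not row["STRIDE"]})

if __name__ == "__main__":
    rows = load_mapping(MAPPING_CSV)
    print(chapters_for(["Spoofing", "Elevation of privilege"], rows), teams_for("V14 - Configuration", rows), unmapped_chapters(rows))
```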