Welcome To The OWASP Application Security Verification Standard (ASVS) Web App - Release Name: Marbles
The OWASP Application Security Verification Standard (ASVS) is a community effort to establish a framework of security requirements and controls that focus on normalising the functional and non-functional security controls required when designing, developing and testing modern web applications.
The ASVS is free to download as a PDF, but this is 2018 so we have taken the PDF and converted it into a web application (based on Django). The key aim of the web application is to give individuals or companies a quick and easy way to understand the ASVS controls, and where to find information on meeting those controls.
When we built Marbles, our aim was the following:
- Easy to update - the app is powered by two JSON files (asvs.json & category.json)
- Lightweight - The included Dockerfile builds an 89MB Docker image (size isn't everything)
- No frills - You don't want a web app that takes ages to load and has "extra" stuff in it
- Community-focused - The ASVS is built by you for you, and so should this application. We welcome requests and ideas from you, the community.
We decided to use Docker for containerisation so that it's easier to run in the cloud and keep updated. This assumes you have Docker installed and running on your host (be it on-prem or cloud).
Once you have cloned the repo, you can build and run the docker image with the following commands:
docker build -t asvs .
docker run -d -p 8000:8000 asvs
This will then publish port 8000 on the host and map it to port 8000 in the running container. Note that -p 8000:8000 binds on all host interfaces; if you only want the app reachable from the host itself (for example while you put a reverse proxy in front of it), use -p 127.0.0.1:8000:8000 instead.
NOTE: In this example we built the Docker image using the tag (-t) asvs, however you can change this if you want.
If you want to run the web app on a "production" grade web server (such as Apache2) you can: Django provides a WSGI file, which you can find in the asvs folder. Individual installation guides for this are outside the scope of this project, however because sharing is caring, the official Django deployment documentation covers running a project under WSGI.
This is the first release and we already have some new "features" in the planning stages. These are currently (and subject to change):
- Sharing projects between individuals
- Teams (maybe)
- Integration into JIRA (via an API)
As this is the first release, we offer no warranties on the software, and at present the following are known issues:
- We made the decision to turn off debugging, trying to abide by the 'ship secure defaults' principle. If you need debugging, you need to turn it back on (DEBUG = True in the settings module), and you should only ever do so locally: Django's debug error pages expose settings, stack traces and local variables to whoever triggers an error.
- There is no nice error handling for missing routes.
- The secret key is static (you should change that before you release to production). Django uses SECRET_KEY to sign session cookies, CSRF tokens and password-reset tokens, so anyone with a copy of the repository can forge them for a deployment that still uses the shipped value.
- We've only been using Django for a couple of months, so yes there are probably better ways of doing things.
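The two settings-related issues above (a static secret key and a hard-coded DEBUG flag) are usually fixed the same way: read both from the environment and fail closed when production is misconfigured. The following is an added example, not code from the Marbles repository; the variable names DJANGO_SECRET_KEY and DJANGO_DEBUG are assumptions, and a local ImproperlyConfigured class stands in for Django's own so the snippet runs without Django installed.

```python
"""Settings helpers that replace a static SECRET_KEY and a hard-coded DEBUG.

Added example, not part of the Marbles code base. The environment variable
names DJANGO_SECRET_KEY and DJANGO_DEBUG are assumptions for illustration.
"""
import os
import secrets
from typing import Mapping

# Django's own startproject template generates a 50-character key; treat
# anything shorter as a sign that someone pasted a placeholder.
MIN_SECRET_LEN = 50


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured so this
    example runs without Django installed; in a real settings.py import
    Django's class instead."""


def generate_secret_key(nbytes: int = 48) -> str:
    """Return a fresh random key, e.g. to seed a secrets manager once.
    token_urlsafe(48) yields 64 URL-safe characters, above MIN_SECRET_LEN."""
    return secrets.token_urlsafe(nbytes)


def parse_debug(env: Mapping[str, str] = os.environ) -> bool:
    """Secure default: DEBUG stays off unless DJANGO_DEBUG is explicitly truthy.

    Only the listed spellings enable it. 'False', 'no', '' and garbage all
    stay off, so a typo in a deployment manifest cannot switch Django's
    traceback pages on in production.
    """
    return env.get("DJANGO_DEBUG", "").strip().lower() in {"1", "true", "yes", "on"}


def load_secret_key(env: Mapping[str, str] = os.environ, debug: bool = False) -> str:
    """Fail closed: a production process must get SECRET_KEY from the environment.

    With debug=True and no key set, a throwaway key is generated so a developer
    can still run the app locally (sessions simply won't survive a restart).
    Otherwise a missing or short key aborts start-up instead of silently
    falling back to a value that ships in the repository.
    """
    key = env.get("DJANGO_SECRET_KEY", "")
    if not key:
        if debug:
            return generate_secret_key()
        raise ImproperlyConfigured(
            "DJANGO_SECRET_KEY is not set; refusing to start with a static key"
        )
    if len(key) < MIN_SECRET_LEN:
        raise ImproperlyConfigured(
            f"DJANGO_SECRET_KEY is shorter than {MIN_SECRET_LEN} characters"
        )
    return key


def build_settings(env: Mapping[str, str] = os.environ) -> dict:
    """The two assignments a settings.py would make, gathered so they can be
    tested: DEBUG is parsed first because it decides whether a missing key is
    tolerated."""
    debug = parse_debug(env)
    return {"DEBUG": debug, "SECRET_KEY": load_secret_key(env, debug=debug)}


if __name__ == "__main__":
    # Constructed environment for demonstration, not a real deployment.
    demo_env = {"DJANGO_SECRET_KEY": generate_secret_key(), "DJANGO_DEBUG": "0"}
    print(build_settings(demo_env))
```

In settings.py the two lines would then be DEBUG = parse_debug() and SECRET_KEY = load_secret_key(debug=DEBUG); the docker run command above gains -e DJANGO_SECRET_KEY=... (or an --env-file that is not committed to the repository). Rotating the key logs every user out, which is the intended effect when a leaked key is replaced.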
Adam Maxwell (@catalyst256) & Daniel Cuthbert (@dcuthbert) are part of the Santander Group Cyber Security Research Team. Daniel is one of the co-authors of the ASVS, and we use it within the group and felt this app would be better suited as a community release, rather than just another internal tool.