AppSec: From the OWASP Top Ten(s) to the OWASP ASVS
Jim Manico at GOTO Chicago 2019
Some people are under the misconception that if they follow the OWASP top 10 that they will have secure web applications. But in reality the OWASP Top Ten (and other top ten lists) are just the bare minimum that at best provide entry-level general awareness. A more comprehensive understanding of Application Security is needed.
This talk will review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and compare them to a more comprehensive standard: the OWASP Application Security Verification Standard (ASVS) v4.0. OWASP's ASVS contains over 180 requirements that can provide a basis for defining what secure software really is. The OWASP ASVS can be used to help test technical security controls of web and API applications. It can also be used to provide developers with a list of requirements for secure development with much more nuance and detail than a top ten list! You cannot base a security program ...
Jim Manico - OWASP Project Leader, AppSec Enthusiast and Java Champion
Download slides and read the full abstract here:
https://gotochgo.com/2019/sessions/709
This talk will review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and compare them to a more comprehensive standard: the OWASP Application Security Verification Standard (ASVS) v4.0. OWASP's ASVS contains over 180 requirements that can provide a basis for defining what secure software really is. The OWASP ASVS can be used to help test technical security controls of web and API applications. It can also be used to provide developers with a list of requirements for secure development with much more nuance and detail than a top ten list! You cannot base a security program ...
Jim Manico - OWASP Project Leader, AppSec Enthusiast and Java Champion
Download slides and read the full abstract here:
https://gotochgo.com/2019/sessions/709