From 9bcffba3f05f5c459f312da978eeb6f64d7eb1ad Mon Sep 17 00:00:00 2001
From: Arne Babenhauserheide
Date: Tue, 30 Dec 2025 13:21:56 +0100
Subject: [PATCH] Reduce duplication in „What is the ASVS“
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 5.0/en/0x03-What-is-the-ASVS.md | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/5.0/en/0x03-What-is-the-ASVS.md b/5.0/en/0x03-What-is-the-ASVS.md
index 1c3af2f611..3709ed0157 100644
--- a/5.0/en/0x03-What-is-the-ASVS.md
+++ b/5.0/en/0x03-What-is-the-ASVS.md
@@ -136,9 +136,13 @@ The above specifically relates to the requirements in the ASVS. Changes to surro Several of the points described above, such as documentation requirements and the levels mechanism, provide the ability to use the ASVS in a more flexible and organization-specific way. -Additionally, organizations are strongly encouraged to create an organization- or domain-specific fork that adjusts requirements based on the specific characteristics and risk levels of their applications. However, it is important to maintain traceability so that passing requirement 4.1.1 means the same across all versions. +Additionally, organizations are strongly encouraged to create an organization- or domain-specific fork. -Ideally, each organization should create its own tailored ASVS, omitting irrelevant sections (e.g., GraphQL, WebSockets, SOAP, if unused). An organization-specific ASVS version or supplement is also a good place to provide organization-specific implementation guidance, detailing libraries or resources to use when complying with requirements. +### Forking the ASVS + +Organizations can benefit from adopting ASVS by choosing one of the three levels or by creating a domain-specific fork that adjusts requirements per application risk level. This type of fork is encouraged, provided that it maintains traceability so that passing requirement 4.1.1 means the same across all versions. + +Ideally, each organization should create its own tailored ASVS, omitting irrelevant sections (e.g., GraphQL, Websockets, SOAP, if unused). Forking should start with ASVS Level 1 as a baseline, advancing to Levels 2 or 3 based on the application’s risk. ### How to Reference ASVS Requirements 
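Review bot: the sentence about organization-specific implementation guidance is dropped with no counterpart, so this hunk removes content rather than only duplication. The replaced paragraph ended with `An organization-specific ASVS version or supplement is also a good place to provide organization-specific implementation guidance, detailing libraries or resources to use when complying with requirements.`, and nothing in the new `### Forking the ASVS` section says this; suggest appending that sentence to the new `Ideally, each organization should create its own tailored ASVS ...` paragraph. Two smaller points in the same hunk: the surviving one-line paragraph `Additionally, organizations are strongly encouraged to create an organization- or domain-specific fork.` now sits directly above a heading whose first paragraph repeats `This type of fork is encouraged`, so it could be folded into that section (keeping the "organization- or" qualifier, since the moved text only says "domain-specific"); and the removed text spelled the protocol `WebSockets` while the retained text has `Websockets`, the former being the standard capitalization.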
@@ -158,12 +162,6 @@ If identifiers are used without including the `v` element then they sho ASVS requirement lists are made available in CSV, JSON, and other formats which may be useful for reference or programmatic use. -### Forking the ASVS - -Organizations can benefit from adopting ASVS by choosing one of the three levels or by creating a domain-specific fork that adjusts requirements per application risk level. This type of fork is encouraged, provided that it maintains traceability so that passing requirement 4.1.1 means the same across all versions. - -Ideally, each organization should create its own tailored ASVS, omitting irrelevant sections (e.g., GraphQL, Websockets, SOAP, if unused). Forking should start with ASVS Level 1 as a baseline, advancing to Levels 2 or 3 based on the application’s risk. - ## Use cases for the ASVS The ASVS can be used to assess the security of an application and this is explored in more depth in the next chapter. However, several other potential uses for the ASVS (or a forked version) have been identified.
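Review bot: nothing is lost in this hunk; the deleted heading and its two paragraphs are identical to the `### Forking the ASVS` block that the first hunk inserts, so this is a pure move and the 6 insertions / 8 deletions in the stat line add up. One thing to confirm is that no table of contents or cross-reference elsewhere in the repository depends on this section following `### How to Reference ASVS Requirements`. The `## Use cases for the ASVS` paragraph that now directly follows still mentions `a forked version`, which continues to read correctly because forking is introduced earlier in the chapter after this change.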