Santandersecurityresearch / Asvs
Projects that are alternatives of or similar to Asvs
Welcome To The OWASP Application Security Verification Standard (ASVS) Web App - Release Name: Marbles
The OWASP Application Security Verification Standard (ASVS) is a community-effort to establish a framework of security requirements and controls that focus on normalising the functional and non-functional security controls required when designing, developing and testing modern web applications.
You can access the ASVS via Github, but we wanted to make this more accessible to all as a web application (based on django). The key aim of the web application is to allow individuals or companies a quick and easy way to understand the ASVS controls, and where to find information on meeting those controls.
When we built Marbles, our aim was the following:
- [x] Easy to update - the app is powered by two JSON files (asvs.json & category.json)
- [X] Lightweight - The included Dockerfile builds a 89MB Docker image (size isn't everything)
- [X] No frills - You don't want a web app that takes ages to load and has "extra" stuff in it
- [X] Community-focused - The ASVS is built by you for you, and so should this application. We welcome requests and ideas from you, the community.
Installing
We decided to use Docker for virtualisation so that it's easier to run in the cloud and keep update. This assumes you have Docker installed and running on your host (be it on-prem or cloud)
Docker
Once you have cloned the repo, you can build and run the docker image with the following commands:
docker build -t asvs .
docker run -d -p 8000:8000 asvs
This will then map your local port 8000 to the running docker container.
NOTE: In this example we built the docker image using the tag (-t) asvs, however you can change this if you want.
Other
If you want to run the web app on a "production" grade web server (such as Apache2) you can, django provides a WSGI file which you can find in the asvs folder. Individual installation guides for this are outside of the scope of this project, however because sharing is caring here is a link to the official django documentation.
Roadmap
This is the second release and we already have some new "features" in the planning stages. These are currently (and subject to change).
- Sharing projects between individuals
- Teams (maybe)
- Integration into JIRA (via an API)
Screenshots
Who Are We?
Adam Maxwell (@catalyst256) & Daniel Cuthbert (@dcuthbert) are part of the Santander Group Cyber Security Research Team. Daniel is one of the co-authors of the ASVS, and we use it within the group and felt this app would be better suited as a community release, rather than just another internal tool.