I am trying to create a security checklist for developers/testers of web applications to make sure that the web app is compliant with all the security guidelines.
When looking at the different standards available, I found OWASP Top 10, OWASP ASVS, OWASP WSTG, and OWASP cheatsheets.
I skimmed through them all, and each standard goes over the main security points but from a different perspective.
Example: authorization
- OWASP Top 10 mentions it as the number 1 risk and names it broken access control, and it only explains this risk (I can't derive a security checklist from it)
- OWASP ASVS: it mentions a list of Access Control requirements, but they are very generic and they are almost all the same. For example, it mentions to verify that least privilege is applied; I don't see this as a security checklist.
- OWASP WSTG: focuses more on how to test the web application for authorization
- OWASP cheatsheets: seem like a better option
Which one of these can be used as a security checklist? Or is there another standard that I am not aware of?