
I am trying to create a security checklist for developers/testers of web applications to make sure that the web app is compliant with all the security guidelines.

When looking at the different standards available, I found OWASP top 10, OWASP ASVS, OWASP WSTG, and OWASP cheatsheets.

I skimmed through them all, and each standard goes over the main security points but from a different perspective.

Example: authorization

  • OWASP Top 10 mentions it as the number 1 risk, names it Broken Access Control, and only explains this risk (I can't derive a security checklist from it)
  • OWASP ASVS: it lists Access Control requirements, but they are very generic and almost all the same. For example, it says to verify that least privilege is applied; I don't see this as a security checklist.
  • OWASP WSTG: focuses more on how to test the web application for authorization
  • OWASP cheatsheets: seems a better option

Which one of these can be used as a security checklist? Or is there another standard that I am not aware of?

  • This question is backwards. If you want a checklist to ensure that guidelines are met, then you need guidelines. Are you asking for guidelines or a checklist for a specific guideline? The OWASP Top 10 is not meant to be a guideline or a checklist. Please read its documentation to see what it is for. ASVS is literally "a list of requirements for secure development", so I'm not sure why you are rejecting it. What exactly are you looking for? What does "good" look like?
    – schroeder
    Commented Oct 25, 2023 at 9:49
  • If cheatsheets are more in line with your requirements, then perhaps what you are looking for is a "technical standard". That is, "when programming a function like this, then program it this way". Is that what you are looking for?
    – schroeder
    Commented Oct 25, 2023 at 9:55

2 Answers


The purpose of the Top 10 is to raise awareness of common security problems. It is not detailed; it gives people a few notions of security they lack. If the devs already know about security topics, the Top 10 is not going to be a surprise for them, so it is not enough.

The WSTG's target audience is pentesters.

ASVS is built around the WSTG control points but not targeted towards testing.

Cheatsheet usage is targeted towards developers. They help developers build software with prior control/knowledge of the architecture or technology, so that they can choose appropriate countermeasures.

Developers will be more comfortable with cheatsheets, and possibly the Top 10 beforehand if there is no security knowledge. ASVS also gives additional control points if the software is considered critical.


Each of the OWASP resources you mentioned serves a different purpose and can be valuable in creating a comprehensive checklist, but you may need to combine elements from them to create a customized checklist that suits your specific web application's needs.

To create a security checklist, you can start by:

  1. Combining the high-level concerns from the OWASP Top 10.
  2. Adapting and customizing the requirements from the ASVS to your application's specific context.
  3. Incorporating the testing methodologies and procedures from the WSTG.
  4. Referring to the actionable items and best practices in the OWASP Cheatsheets.

Additionally, consider other industry-specific security standards or regulations that may apply to your web application. You might need to tailor your checklist to meet those requirements as well.
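Steps 2 to 4 above do not have to be done by hand: the ASVS is published as structured data (a JSON export alongside the PDF), so the selection of requirements for a given level, the scoping decisions, and the cross-references to WSTG tests and Cheat Sheets can live in a small script that regenerates the checklist whenever scope changes. The following is an added example, not code from the answer above and not tooling shipped by OWASP. The embedded ASVS excerpt is constructed and abbreviated (it follows the chapter, section, requirement shape of the 4.0 JSON export as the author of this example understands it; for real use, load the published file instead), and the mapping from ASVS sections to WSTG test IDs and Cheat Sheet pages is an assumption that a team would maintain itself.

```python
"""Generate a project access-control checklist from ASVS-shaped data.

Added example: selects requirements for a target ASVS level, keeps the team's
"not applicable" decisions visible, and attaches the WSTG test and Cheat Sheet
the team has mapped to each section. Not OWASP's own tooling.
"""

# Constructed, abbreviated excerpt in the shape of the ASVS 4.0 JSON export
# (chapter -> section -> requirement, each with L1/L2/L3 "Required" flags).
# Requirement wording is paraphrased; load the published JSON for real work.
SAMPLE_ASVS = {
    "Name": "ASVS (constructed excerpt)",
    "Requirements": [
        {"Shortcode": "V4", "Name": "Access Control", "Items": [
            {"Shortcode": "V4.1", "Name": "General Access Control Design", "Items": [
                {"Shortcode": "V4.1.1", "Description": "Enforce access control rules on a trusted service layer, not only client-side.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
                {"Shortcode": "V4.1.3", "Description": "Apply least privilege: users reach only functions, data and URLs they are authorized for.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
                {"Shortcode": "V4.1.5", "Description": "Access controls fail securely, including when an exception occurs.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
            ]},
            {"Shortcode": "V4.2", "Name": "Operation Level Access Control", "Items": [
                {"Shortcode": "V4.2.1", "Description": "Protect sensitive data and APIs against insecure direct object reference (IDOR).",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
                {"Shortcode": "V4.2.2", "Description": "Enforce a strong anti-CSRF mechanism on authenticated functionality.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
            ]},
            {"Shortcode": "V4.3", "Name": "Other Access Control Considerations", "Items": [
                {"Shortcode": "V4.3.3", "Description": "Require additional (step-up) authorization or segregation of duties for sensitive operations.",
                 "L1": {"Required": False}, "L2": {"Required": True}, "L3": {"Required": True}},
            ]},
        ]},
    ],
}

CHEATSHEET_BASE = "https://cheatsheetseries.owasp.org/cheatsheets/"

# Assumed, team-maintained cross-references: which WSTG tests verify a
# section and which Cheat Sheet tells developers how to build it right.
SECTION_REFS = {
    "V4.1": {"wstg": ["WSTG-ATHZ-02", "WSTG-ATHZ-03"], "cheatsheet": "Authorization_Cheat_Sheet"},
    "V4.2": {"wstg": ["WSTG-ATHZ-04"], "cheatsheet": "Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet"},
    "V4.3": {"wstg": ["WSTG-ATHZ-03"], "cheatsheet": "Authorization_Cheat_Sheet"},
}
# Per-requirement overrides win over the section default (CSRF is not IDOR).
REQ_REFS = {
    "V4.2.2": {"wstg": ["WSTG-SESS-05"], "cheatsheet": "Cross-Site_Request_Forgery_Prevention_Cheat_Sheet"},
}


def level_required(req, level):
    """True if the requirement applies at ASVS level 1, 2 or 3."""
    return bool(req.get(f"L{level}", {}).get("Required"))


def select_requirements(asvs, level, chapters=None, not_applicable=None):
    """Flatten ASVS into checklist rows for one target level.

    chapters: chapter shortcodes to include (None means all chapters).
    not_applicable: {shortcode: reason}. Scoped-out requirements stay on the
    list marked N/A with the reason, so the decision is auditable instead of
    silently vanishing from the checklist.
    """
    not_applicable = not_applicable or {}
    rows = []
    for chapter in asvs["Requirements"]:
        if chapters and chapter["Shortcode"] not in chapters:
            continue
        for section in chapter["Items"]:
            for req in section["Items"]:
                if not level_required(req, level):
                    continue
                code = req["Shortcode"]
                refs = REQ_REFS.get(code) or SECTION_REFS.get(section["Shortcode"], {})
                status = f"N/A: {not_applicable[code]}" if code in not_applicable else "TODO"
                rows.append({
                    "id": code,
                    "section": section["Name"],
                    "requirement": req["Description"],
                    "wstg": list(refs.get("wstg", [])),
                    "cheatsheet": refs.get("cheatsheet"),
                    "status": status,
                })
    return rows


def render_markdown(rows):
    """Render rows as a Markdown table a tester can tick off."""
    lines = ["| ID | Requirement | Verify with (WSTG) | Guidance | Status |",
             "|---|---|---|---|---|"]
    for r in rows:
        guide = f"[{r['cheatsheet']}]({CHEATSHEET_BASE}{r['cheatsheet']}.html)" if r["cheatsheet"] else ""
        lines.append(f"| {r['id']} | {r['requirement']} | {', '.join(r['wstg'])} | {guide} | {r['status']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    # Level 2 checklist for the Access Control chapter; CSRF scoped out with a
    # recorded reason (a header-token-only API without cookie sessions).
    checklist = select_requirements(SAMPLE_ASVS, level=2, chapters={"V4"},
                                    not_applicable={"V4.2.2": "bearer-token API, no cookie session"})
    print(render_markdown(checklist))
```

The N/A reason is deliberately kept in the output: a checklist that simply deletes inapplicable requirements cannot be reviewed later, whereas one that says why V4.2.2 was dropped can be challenged when the architecture changes (for example, when a cookie-based session is added). Swapping the constructed excerpt for the published ASVS JSON and extending the reference maps gives the same pipeline for the other chapters.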
