https://mvsp.dev/ review

[jmanico]

Let's review this awesome project at https://mvsp.dev/ and see if we are missing anything before 5.0

[cmlh]

Any chance of creating a milestone to track @jmanico https://mvsp.dev/ and #1039, #317, PA-DSS and others?

[jmanico]

Any chance of creating a milestone to track @jmanico https://mvsp.dev/ and #1039, #317, PA-DSS and others?

For sure Christian. For now, I flagged the issues you cited as 5.0 so at the very least address your comments before the 5.0 release. I'll also assign these issues to myself (and you) as well.

[tghosth]

@cmlh are #1360, #1361 and #1365 the only things that are missing from ASVS compared to MSVP? If so, can we close this original issue?

[tghosth]

@set-reminder 2 weeks decide what to do depending on response

[octo-reminder]

⏰ Reminder
Wednesday, December 21, 2022 12:00 AM (GMT+01:00)

decide what to do depending on response

[cmlh]

@tghosth wrote:

@cmlh are #1360, #1361 and #1365 the only things that are missing from ASVS compared to MSVP? If so, can we close this original issue?

Nope, I took a sampling of the major differences so once we've selected what we want to integrate then I can raise the related MSVP Controls as additional GitHub issues.

[tghosth]

I am open to suggestions if you feel there are additional gaps

[tghosth]

@set-reminder 2 weeks decide what to do depending on response

[octo-reminder]

⏰ Reminder
Sunday, January 1, 2023 12:00 AM (GMT+01:00)

decide what to do depending on response

[octo-reminder]

🔔 @tghosth

decide what to do depending on response

[tghosth]

@cmlh are you going to go through and suggest items in msvp that do not exist in ASVS?

@set-reminder 4 weeks @tghosth to decide what to do if no response

[octo-reminder]

⏰ Reminder
Wednesday, January 18, 2023 12:00 AM (GMT+01:00)

@tghosth to decide what to do if no response

[elarlang]

I think he did already.

https://github.com/OWASP/ASVS/issues?q=is%3Aissue+mvsp

[octo-reminder]

🔔 @tghosth

decide what to do depending on response

[cmlh]

Nope, I haven't completed this yet due to lack of availability.

[tghosth]

So I am leaving it open for now so let me know

[octo-reminder]

🔔 @tghosth

@tghosth to decide what to do if no response

[tghosth]

I have moved this to non-blocker and @cmlh is welcome to revisit this when he gets time

[cmlh]

Below how I will track the inclusion of MSVP into ASVS as GitHub's Project isn't enabled.

• 👍 1.1 Vulnerability reports - Publish the point of contact for security reports on your website
• 👎 1.1 Vulnerability reports - Respond to security reports within a reasonable time frame
• 👎 1.2 Customer testing
• 👍 1.2 Customer testing - Test on a non-production environment if it closely resembles the production environment in functionality
• 👍 1.2 Customer testing - Ensure non-production environments do not contain production data
• 👍 1.3 Self-assessment
• 👍 1.4 External testing
• 👎 1.5 Training
• 🛑 1.6 Compliance
• 1.7 Incident Handling
• 🛑 1.8 Data handling
• 👍 2.1 Single Sign On
• 2.2 HTTPS-only
• 2.3 Security Headers
• 2.4 Password policy
• 2.5 Security libraries
• 🛑 2.6 Dependency Patching
• 2.8 Backup and Disaster recovery

CHANGELOG

5 April 2023 - Initial Draft
6 April 2023 - Insert "1.1 Vulnerability reports"
7 April 2023 - Insert "1.2 Customer testing"
8 April 2023 - Insert "1.3 Self assessment"
9 April 2023 - Insert "1.4 External testing" and "1.5 Training"
11 April 2023 - Insert "1.8 Data handling"
15 April 2023 - Insert "2.1 Single Sign On"
20 April 2023 - Insert "2.2 HTTPS-only:
13 July 2023 - Insert "2.3 Security Headers", "2.5 Security Headers" and "2.6 Dependency Patching"

[cmlh]

https://security.googleblog.com/2023/11/two-years-later-baseline-that-drives-up.html
https://mvsp.dev/mvsp.en/v2.0-20221012/

[jmanico]

I am closing this out since ASVS 5.0 is too busy as it is. Please open new individual issues for new requirements that we do not cover if you think we missed anything.