A philosophy of sharing with the security community has always underpinned Continuum Security as exemplified in our open source BDD Security tool.
In our view it is imperative to share knowledge and tools where possible with the wider community for the benefit of all.
And it is in this spirit that Continuum Security, in partnership with Toreon, worked on a mapping between the OWASP Application Security Verification Standard (ASVS) and NIST 800-53 and has donated this work to the OWASP ASVS project.
Here’s a little about these two important security standards:
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
NIST 800-53 provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”). The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems. (Source)
Mapping these two standards was not an exact science, as ASVS requirements are oriented toward the secure development of web applications, while NIST 800-53 is oriented toward covering all types of security controls, for example physical security, training, incident response and so on.
In those cases in which NIST controls could not be mapped to ASVS we were careful to note these.
There are some ASVS controls that are due to be deprecated in the near future and we have compiled a list of these which are also not mapped.
This body of work has been incorporated into the OWASP knowledge base and you can find it on the OWASP Github in HTML format for easy viewing.
You can also find the mapping in Google Sheets.
The mapping has been incorporated into our IriusRisk threat modeling platform and will be available in our upcoming 2.0 release (more information next week), which gives you the ability to filter on the NIST 800-53 standard and have a visual overview of where you stand in terms of security compliance at any stage of the SDLC.
We hope the community finds this useful and if you would like to be one of the first to take a tour of IriusRisk 2.0 contact us today to arrange a demo.