-
The ASVS can be cast as an OSCAL Catalog with an OSCAL Profile for each of its levels. I do not think it is necessary to create an additional OSCAL not-a-catalog element. An admittedly partial-fidelity transform would be straightforward (using this as input). The ASVS contains front matter (not yet accommodated by OSCAL and worthy of an additional OSCAL element), groups of controls, controls, subordinate controls, and back matter (the ASVS back matter appears to be only partially accommodated by the OSCAL). The ASVS CONTRIBUTING.md mandates control identifier preservation in successive revisions. While that seems to be a popular fashion, it is not universally practiced. There is internationalization, but it is not driven by a single set of proto-document fragments (the English and French markdown documents are separate, and additional translations have no apparent markdown counterparts).
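A sketch of the catalog-plus-profile-per-level mapping described above, as an added example (not the attached ASVStoOSCAP.zip and not OWASP or OSCAL project code). The input rows, metadata and timestamp are constructed; chapters become OSCAL groups, sections nested groups, requirements controls, and each level becomes a profile that imports the catalog and selects controls by their preserved ASVS ids.

```python
"""Added example (not the attached ASVStoOSCAP.zip or any OWASP/OSCAL code):
cast ASVS-style rows into an OSCAL catalog and one OSCAL profile per level."""
import json
import uuid

# Constructed rows standing in for an ASVS 4.0.2 export:
# (chapter id, chapter title, section id, section title, requirement id,
#  requirement text, (applies at L1, applies at L2, applies at L3))
ASVS_ROWS = [
    ("V1", "Architecture", "V1.1", "Secure SDLC", "V1.1.1",
     "Verify the use of a secure software development lifecycle.", (False, True, True)),
    ("V2", "Authentication", "V2.1", "Password Security", "V2.1.1",
     "Verify that user set passwords are at least 12 characters.", (True, True, True)),
    ("V2", "Authentication", "V2.1", "Password Security", "V2.1.2",
     "Verify that passwords of at least 64 characters are permitted.", (True, True, True)),
]
METADATA = {"version": "4.0.2", "oscal-version": "1.0.0",
            "last-modified": "2023-01-01T00:00:00Z"}  # constructed timestamp

def build_catalog(rows):
    """Chapters become OSCAL groups, sections nested groups, requirements
    controls. ASVS identifiers are kept as control ids; the CONTRIBUTING.md
    rule that ids survive revisions is what keeps the profiles stable."""
    chapters = {}
    for chap_id, chap, sec_id, sec, req_id, text, _levels in rows:
        chapter = chapters.setdefault(chap_id, {"id": chap_id, "title": chap, "groups": {}})
        section = chapter["groups"].setdefault(
            sec_id, {"id": sec_id, "title": sec, "controls": []})
        section["controls"].append({"id": req_id, "title": req_id, "parts": [
            {"id": f"{req_id}_smt", "name": "statement", "prose": text}]})
    for chapter in chapters.values():          # flatten the lookup dicts to OSCAL lists
        chapter["groups"] = list(chapter["groups"].values())
    return {"catalog": {"uuid": str(uuid.uuid4()),
                        "metadata": {"title": "OWASP ASVS (constructed subset)", **METADATA},
                        "groups": list(chapters.values())}}

def build_profile(rows, level, catalog_href="asvs-catalog.json"):
    """One profile per ASVS level (1, 2 or 3): import the catalog and include
    only the controls flagged for that level, selected by id."""
    ids = [row[4] for row in rows if row[6][level - 1]]
    return {"profile": {"uuid": str(uuid.uuid4()),
                        "metadata": {"title": f"OWASP ASVS Level {level}", **METADATA},
                        "imports": [{"href": catalog_href,
                                     "include-controls": [{"with-ids": ids}]}]}}

if __name__ == "__main__":
    print(json.dumps(build_catalog(ASVS_ROWS), indent=2))
    for level in (1, 2, 3):
        print(json.dumps(build_profile(ASVS_ROWS, level), indent=2))
```

Front matter and back matter are deliberately not mapped, which is the partial-fidelity gap the comment points at.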
-
ASVStoOSCAP.zip
-
This has come up before, but there appears to be a growing need for showing the promise of OSCAL outside just US governmental control sets. One discussed before in previous meetings is OWASP ASVS. For reference, community interest in this idea: OWASP/ASVS#817.
OSCAL aside, I can see some of this set of advisories as a tactical checklist. They themselves define individual items as controls. For reference, the example below is the final product of the current 4.0.2.
Given that OSCAL defines controls in catalogs to be more complex, with parameters, objectives, assessments, sub-controls, and references, does this warrant a separate model outside of catalogs of controls, and should we make an issue for "checklist" or something analogous as a first-order concern in OSCAL?
I do not have a set opinion, and thought community feedback is warranted.