
Disclaimer: this was created in the pre-GPT era. :)


auto-abuse-asvs


Automatically select the top Application Security Verification Standard (ASVS) security controls for a given Abuse Case using Natural Language Processing (NLP).

Check the Jupyter Notebook PoC here: 👉 auto_abuse_asvs_poc.ipynb 👈

Rationale

In order to build a secure application, from a pragmatic point of view, it is important to identify the attacks that the application must defend against, according to its business and technical context. [1]

A common practice in Security Requirement Engineering is to define Abuse Cases. An Abuse Case is a way to use a feature that was not expected by the implementer, allowing an attacker to influence the feature, or the outcome of using it, through the attacker's actions (or input).

Once we've defined a list of Abuse Cases using the business requirements as a reference, it is time to mitigate those risks by designing the corresponding countermeasures. The Application Security Verification Standard (ASVS) provides an excellent blueprint of security controls, organized in the following chapters:

  • V1 - Architecture, Design and Threat Modeling
  • V2 - Authentication
  • V3 - Session Management
  • V4 - Access Control
  • V5 - Validation, Sanitization and Encoding
  • V6 - Stored Cryptography
  • V7 - Error Handling and Logging
  • V8 - Data Protection
  • V9 - Communication
  • V10 - Malicious Code
  • V11 - Business Logic
  • V12 - Files and Resources
  • V13 - API and Web Service
  • V14 - Configuration

Why do we need this script?

Selecting the corresponding security controls can be a tedious task, considering that there can be 1 to N Abuse Cases per User Story, and nearly 300 ASVS controls to choose from.

Given an input Abuse Case, this script will automatically select the top 10 ASVS security controls by matching the descriptions using NLP. The output is ranked by similarity score.
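As an added illustration of the matching step (this is not the repository's notebook code), the following stand-alone snippet ranks a handful of constructed, ASVS-style control descriptions against an Abuse Case with TF-IDF weighting and cosine similarity; the control texts and the abuse case are constructed samples, not the real ASVS wording or MITRE ATT&CK text.

```python
import math
import re
from collections import Counter

# Constructed stand-ins for ASVS control descriptions (not the real ASVS text);
# only the chapter names are taken from the README's chapter list.
CONTROLS = {
    "V2 Authentication (sample A)": "Verify that passwords are at least 12 characters long and checked against breached password lists.",
    "V2 Authentication (sample B)": "Verify that anti-automation controls such as rate limiting block credential stuffing and brute force attacks.",
    "V3 Session Management (sample A)": "Verify that session tokens are invalidated on logout and after an idle timeout.",
    "V5 Validation, Sanitization and Encoding (sample A)": "Verify that input validation and output encoding prevent injection attacks against database queries.",
    "V7 Error Handling and Logging (sample A)": "Verify that failed authentication attempts and access control failures are logged.",
}

STOP = {"a", "an", "and", "are", "as", "at", "is", "of", "on", "such", "that", "the", "to", "with"}

def tokenize(text):
    """Lower-case alphanumeric tokens with a tiny stop-word list removed."""
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOP]

def fit_idf(docs):
    """Smoothed idf (same formula as scikit-learn's TfidfVectorizer) over the control corpus."""
    df = Counter(t for d in docs for t in set(tokenize(d)))
    n = len(docs)
    return {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}

def vectorize(text, idf):
    """Map text to {term: tf * idf}; terms outside the corpus vocabulary are dropped."""
    toks = tokenize(text)
    tf = Counter(toks)
    return {t: (c / len(toks)) * idf[t] for t, c in tf.items() if t in idf}

def cosine(a, b):
    # Cosine similarity of two sparse vectors; 0.0 when either vector is empty.
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def rank_controls(abuse_case, controls=CONTROLS, top=3):
    """Return the `top` controls most similar to the abuse case as (id, score), best first."""
    idf = fit_idf(list(controls.values()))
    query = vectorize(abuse_case, idf)
    scored = [(cosine(query, vectorize(desc, idf)), cid) for cid, desc in controls.items()]
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [(cid, round(score, 3)) for score, cid in scored[:top]]

if __name__ == "__main__":  # constructed abuse case in the spirit of a credential-access tactic
    for cid, score in rank_controls("An attacker performs credential stuffing with leaked passwords to brute force user accounts."):
        print(f"{score:.3f}  {cid}")
```

The real PoC works over the full ASVS control list and a trained NLP model; this version only shows why the ranking favours controls whose wording overlaps the Abuse Case, and why an Abuse Case that shares no vocabulary with any control scores zero across the board and still needs a human reviewer.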

For testing purposes, I've selected 14 Abuse Cases from MITRE ATT&CK Enterprise Tactics (one per section).

Note that this script is just a Proof of Concept; it will not completely replace the security control selection. I strongly encourage you to double-check the output. However, it can help you identify the controls most closely related to your Abuse Case.

TODO

  • Create a REST API with FastAPI.
  • Create a nice UI with TailwindUI.
  • Include other ASVS languages.
  • Dockerize.
  • Let the user edit the list of security controls.
  • Export the output to CSV, JSON or Jira.

Footnotes

  [1] Extracted from https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
