Roadmap to version 5.0
This document states the leadership team's objectives for ASVS 5.0.
Note that the original planned timescales were not possible and we are currently looking at sponsorship options to accelerate progress.
We want to publish this publicly so that our direction is clear. All changes/issues to be handled for 5.0 should be mapped to one of these objectives.
Our driving philosophy for 5.0 is to increase usability and lower the barrier to entry.
The following sections will highlight our key objectives together with basic actions for each.
- Deduplicate existing requirements
- Clarify or correct existing requirements
- Add new requirements but only if we specifically feel they are important or someone in the community is prepared to provide us with a good draft.
- Make level rationale clearer (maybe use AAL as inspiration) and focus this on risk rather than testability.
- Move level 1 items into level 2 to make a lower barrier to entry.
- Be clear that level 1 does not prove compliance, only level 2 and 3.
- Have an export option and an export artefact for “ASVS lite”
- Move all mappings including CWE and NIST to a separate location.
- Make clear that we do not maintain mappings other than CWE and NIST and any others are community contributed/maintained.
- We should make sure this is clearly documented in ASVS and in the README?
- Move explanatory text to the end of the document.
- Remove or reduce as much explanatory text as possible from around the requirements in the individual chapters as we don’t think anyone is reading it. References we should keep.
- Where requirements are too detailed, we should abstract them and refer to relevant cheat-sheets or other materials in the explanatory text.
All issues should be marked with one of the following labels:
The following link should therefore show no issues:
The aim is to move all "_5.0 - prep" issues to be either closed or to have the "4b Major-rework" status. All items with the "4b Major-rework" status should also have a section label applied to them.
As such, the list of issues to focus on is: https://github.com/OWASP/ASVS/issues?q=is%3Aopen+is%3Aissue+-label%3A%224b+Major-rework%22+label%3A%22_5.0+-+prep%22 (Need to continue from #1420)
Breakdown of issues:
| Chapter | Open Issues | Status |
|---|---|---|
| V1 |  |
|
| V2 |  |
|
| V3 |  |
|
| V4 |  |
Assigned to Shanni |
| V5 |  |
|
| V6 |  |
Assigned to Daniel |
| V7 |  |
Rework / Refresh already done |
| V8 |  |
|
| V9 |  |
Rework / Refresh already done |
| V10 |  |
|
| V11 |  |
Completed by Jim (1 issue left) |
| V12 |  |
|
| V13 |  |
Rework / Refresh already done |
| V14 |  |
|
| V50 |  |
Assigned to Elar |
| V51 |  |
Assigned to Ralph |