Mapping 1.0->2.0->2.1 table required #29

Closed
vanderaj opened this issue Mar 3, 2015 · 2 comments
vanderaj commented Mar 3, 2015

Hey folks,
Maybe I’ve missed this, but I’ve combed the list looking for an answer and haven’t come up with much. I’ve been trying to update a bunch of my stuff to align with the new 2.0 document and I’m noticing that the numbering system is off. For example, there is no requirement V1, V6, V12, V14. And within most of the other ones, there are individual requirements missing, V2.3, V2.10, V2.11, and so forth in the other sections too.

I could understand if this was done to keep the requirements in the same slots, as the previous published versions, but even then, from version to version, the same requirements have moved, old V1.5 is now V2.17…

Was there a reason for all of this? On a side note, I’m also happy to help contribute to this project, as I’ve been using this standard for a while, and think it’s important, just let me know how I can help out.

Best Regards,
Gerrit Padgham

@vanderaj vanderaj self-assigned this Mar 3, 2015
@vanderaj vanderaj modified the milestone: 2.1 Mar 3, 2015
relaxnow commented Mar 4, 2015

Very much agree that the numbering is odd. It's a new major version, the whole point is to break with the old and introduce the new.

The reply I got at the time from @vanderaj was:

I think the missing gaps are v1.0 -> 2.0 mapping related - i.e. issues that are no longer inspected. I originally had "Deleted" or something there, but I think it may be important to declare why there are gaps (it makes translating v1.0 reports to ASVS 2.0 requirements much easier!).

My reply still stands I think:

Don't really agree with the reason, ASVS 2014 shouldn't be saddled with the burden of 2009 to make a one time thing easier for a few 2009 users IMHO.
Now I can no longer easily verify if a verification contains everything required for that level (instead of checking whether 1.1 through 1.7 are there, I have to memorise all the numbers per level). Making it easier for an auditor to sneakily leave off 'difficult' requirements or simply forget.

@vanderaj

We are adding the missing requirements back, and then putting in a small amount of detail as to what happened to them including when the issues were retired. This will hopefully answer this issue and make it easier for tool users to keep faith with ASVS as we don't change the numbering scheme.

@vanderaj vanderaj modified the milestones: 2.1, 3.0 Jul 10, 2015