Automagically selecting the top Application Security Verification Standard (ASVS) security controls for a given Abuse Case leveraging Natural Language Processing (NLP).
Check out the Jupyter Notebook proof of concept here: auto_abuse_asvs_poc.ipynb
To build a secure application, it's crucial to identify the potential attacks the application must defend against, based on its business and technical context.
In Security Requirement Engineering, a common practice is to define Abuse Cases. These describe how a feature can be exploited in ways the implementer did not anticipate, allowing an attacker to manipulate the feature or its outcome based on their actions or inputs.
Once we've defined a list of Abuse Cases using the business requirements as a reference, it’s time to mitigate those risks by designing the appropriate countermeasures. The Application Security Verification Standard (ASVS) provides an excellent framework of security controls, organized into the following chapters:
- V1 - Architecture, Design, and Threat Modeling
- V2 - Authentication
- V3 - Session Management
- V4 - Access Control
- V5 - Validation, Sanitization, and Encoding
- V6 - Stored Cryptography
- V7 - Error Handling and Logging
- V8 - Data Protection
- V9 - Communication
- V10 - Malicious Code
- V11 - Business Logic
- V12 - Files and Resources
- V13 - API and Web Services
- V14 - Configuration
Selecting the appropriate security controls can be a tedious task, considering there could be multiple Abuse Cases for each User Story, and nearly 300 ASVS controls to choose from.
Given an Abuse Case as input, this script automatically selects the top 10 ASVS security controls by matching descriptions using NLP. The output is ranked by similarity score.
For testing purposes, I’ve selected 14 Abuse Cases from the MITRE ATT&CK Enterprise Tactics (one per section).
Please note that this script is just a Proof of Concept and should not be relied upon for the complete selection of security controls. I strongly recommend double-checking the output. However, it can assist in identifying the most relevant controls for your Abuse Case.
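To make the matching step concrete, here is an added example (not the notebook's own code, and not verbatim ASVS text): the abuse-case description and each control description are turned into TF-IDF vectors and ranked by cosine similarity. TF-IDF is an assumption about the NLP method; the README only says "matching descriptions using NLP". The `CONTROLS` list holds constructed, paraphrased one-liners for a few of the chapters above, in place of the full ASVS export, and the abuse case is a constructed sentence in the style of a MITRE ATT&CK credential-access tactic.

```python
import math
import re
from collections import Counter

# Constructed sample controls: one paraphrased, illustrative requirement for
# some of the ASVS chapters listed in the README. Not verbatim ASVS text; a
# real run would load the ~300 controls from the official ASVS export.
CONTROLS = [
    ("V2", "Authentication",
     "Verify that anti-automation controls mitigate credential stuffing, brute force "
     "and password guessing attacks against the login function."),
    ("V3", "Session Management",
     "Verify that logout and session expiration invalidate the session token so that "
     "a stolen or reused session cannot be replayed."),
    ("V4", "Access Control",
     "Verify that users can only access the functions and data records they are "
     "authorized for, enforcing least privilege."),
    ("V5", "Validation, Sanitization, and Encoding",
     "Verify that database queries are parameterized to protect against SQL injection "
     "from untrusted input."),
    ("V7", "Error Handling and Logging",
     "Verify that credentials, session tokens and payment details are never written "
     "to application logs."),
    ("V9", "Communication",
     "Verify that TLS is used for all client connections and that the application "
     "does not fall back to unencrypted communication."),
    ("V14", "Configuration",
     "Verify that unused features, default accounts and sample configuration are "
     "removed before deployment."),
]

# Minimal stopword list; "verify" is dropped because every ASVS control starts with it.
STOPWORDS = {"a", "an", "and", "are", "against", "be", "before", "by", "can", "for",
             "from", "is", "it", "of", "on", "or", "so", "that", "the", "to", "verify"}


def tokenize(text):
    """Lowercase, split into alphanumeric tokens, drop stopwords (no stemming)."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def build_idf(documents):
    """Smoothed inverse document frequency over a list of token lists."""
    n = len(documents)
    df = Counter()
    for doc in documents:
        df.update(set(doc))
    return {term: math.log((n + 1) / (count + 1)) + 1.0 for term, count in df.items()}


def tfidf_vector(tokens, idf):
    """Term frequency times idf. Terms absent from the control vocabulary are
    skipped: they cannot match any control, so they would only inflate the norm."""
    total = len(tokens) or 1
    counts = Counter(t for t in tokens if t in idf)
    return {t: (c / total) * idf[t] for t, c in counts.items()}


def cosine(a, b):
    """Cosine similarity between two sparse vectors (dicts); 0.0 if either is empty."""
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_controls(abuse_case, controls=CONTROLS, top_k=10):
    """Return [(chapter, chapter_name, score), ...] sorted by descending similarity."""
    docs = [tokenize(desc) for _, _, desc in controls]
    idf = build_idf(docs)
    vectors = [tfidf_vector(d, idf) for d in docs]
    query = tfidf_vector(tokenize(abuse_case), idf)
    scored = [(chap, name, round(cosine(query, v), 4))
              for (chap, name, _), v in zip(controls, vectors)]
    scored.sort(key=lambda item: item[2], reverse=True)
    return scored[:top_k]


if __name__ == "__main__":
    # Constructed abuse case (credential-access style), not taken from the notebook.
    case = ("An attacker uses automated credential stuffing with leaked passwords "
            "against the login form to take over user accounts.")
    for chapter, name, score in rank_controls(case, top_k=3):
        print(f"{score:.4f}  {chapter} {name}")
```

With these inputs the Authentication control ranks first and the Configuration control second (it shares only the token "accounts"); every other control scores 0.0. That last point is the practical caveat: bag-of-words matching without stemming or synonyms misses "passwords" versus "password" and "automated" versus "automation", which is one reason the README's advice to double-check the output matters. Swapping `tfidf_vector` for sentence embeddings keeps the same ranking loop.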
Planned improvements:
- Create a REST API using FastAPI.
- Develop a user-friendly UI with TailwindUI.
- Include support for other ASVS languages.
- Dockerize the project.
- Allow users to edit the list of security controls.
- Enable export of the output to CSV, JSON, or Jira.