Skip to content

🥊 Automagically select the top ASVS security controls for a given Abuse Case using NLP.

License

Notifications You must be signed in to change notification settings

mllamazares/auto-abuse-asvs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 

Repository files navigation

🥊 auto-abuse-asvs

Watch on GitHub Star on GitHub Tweet

Automagically selecting the top Application Security Verification Standard (ASVS) security controls for a given Abuse Case leveraging Natural Language Processing (NLP).

Check out the Jupyter Notebook proof of concept here: auto_abuse_asvs_poc.ipynb

⚠️ Disclaimer: This project was created before the ChatGPT era.

Rationale

To build a secure application, it's crucial to identify the potential attacks the application must defend against, based on its business and technical context. 1

In Security Requirement Engineering, a common practice is to define Abuse Cases. These describe how a feature can be exploited in ways the implementer did not anticipate, allowing an attacker to manipulate the feature or its outcome based on their actions or inputs.

Once we've defined a list of Abuse Cases using the business requirements as a reference, it’s time to mitigate those risks by designing the appropriate countermeasures. The Application Security Verification Standard (ASVS) provides an excellent framework of security controls, organized into the following chapters:

  • V1 - Architecture, Design, and Threat Modeling
  • V2 - Authentication
  • V3 - Session Management
  • V4 - Access Control
  • V5 - Validation, Sanitization, and Encoding
  • V6 - Stored Cryptography
  • V7 - Error Handling and Logging
  • V8 - Data Protection
  • V9 - Communication
  • V10 - Malicious Code
  • V11 - Business Logic
  • V12 - Files and Resources
  • V13 - API and Web Services
  • V14 - Configuration

Why use this script?

Selecting the appropriate security controls can be a tedious task, considering there could be multiple Abuse Cases for each User Story, and nearly 300 ASVS controls to choose from.

Given an Abuse Case as input, this script automatically selects the top 10 ASVS security controls by matching descriptions using NLP. The output is ranked by similarity score.

For testing purposes, I’ve selected 14 Abuse Cases from the MITRE ATT&CK Enterprise Tactics (one per section).

Please note that this script is just a Proof of Concept and should not be relied upon for the complete selection of security controls. I strongly recommend double-checking the output. However, it can assist in identifying the most relevant controls for your Abuse Case.

TODO

  • Create a REST API using FastAPI.
  • Develop a user-friendly UI with TailwindUI.
  • Include support for other ASVS languages.
  • Dockerize the project.
  • Allow users to edit the list of security controls.
  • Enable export of the output to CSV, JSON, or Jira.

Footnotes

  1. Extracted from https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html

About

🥊 Automagically select the top ASVS security controls for a given Abuse Case using NLP.

Topics

Resources

License

Stars

Watchers

Forks