ASVS

ASVS stands for Application Security Verification Standards released by OWASP which provides a set of controls that need to be implemented for building secure applications.

On Kondukto, ASVS is enabled under projects only after a business criticality is selected after clicking the Edit button next to each project name, as seen in the view below.

The mapping between the business criticality on Kondukto and security verification levels in ASVS is as follows;

High: ASVS Level 3
Medium: ASVS Level 2
Low: ASVS Level 1

Based on the selection, some controls in the ASVS list automatically disappear from the list as they are not applicable for the selected business criticality.

For the remaining controls, two options can be seen in the dropdown menu next to each control: Valid and Not Valid.

Since almost every control in ASVS that mapped with a CWE ID, if there is a vulnerability with the relevant CWE ID in the project, Kondukto automatically marks the control as Not Valid, and the user can not change this unless one of the below scenarios take place;

• The related vulnerabilities are marked as Won't Fix or False Positive
• Fixed vulnerability and the status of the related vulnerabilities are transitioned to Closed on Kondukto in the following scan.

For other controls, the user can manually make a selection of Valid or Not Valid.

The radar chart in the project dashboard displays the ratio of Valid controls to the Applicable (sum of Valid and Not Valid) controls under each title.