v5.0.0: Outdated references to PCI standards

[narfbg]

Appendix B: References / Others links to PCI-DSS 3.2.1, PCI-SSS 1.0, and PCI-SSLC 1.0, but all of these standards have newer versions (including a major DSS 4) predating ASVS 5 by at least a year.

Should be a simple matter of updating links, but this also makes me wonder - has meaningful effort been put into aligning ASVS to PCI standards? And if not, was that an intentional choice or just lack of contributions?

[elarlang]

has meaningful effort been put into aligning ASVS to PCI standards?

I think it is fair to say "no". At least not in detail, although there have been some issues opened related to the topic.

And if not, was that an intentional choice or just lack of contributions?

A combination of both, one due to the other.

To be clear - we don't need to be aligned with anything just because of "to be aligned". At the same time, if there is a requirement somewhere else, most likely there have been some research behind that and a good reason for the requirement to exists there. For us, it would be a validation point - do we have the principle covered and if not, should we cover that.

---

To just fix the issue, I prefer we:

• a) have just a one link to PCI SSC - as the current link 3 and remove project specific links
• b) update links 4, 5, 6 to general links to the projects (not a links to version-specific pdf's)

[elarlang]

Sidenote - if we going to update it, I think we should remove the link:
OWASP ASVS 4.0 Testing Guide https://github.com/BlazingWind/OWASP-ASVS-4.0-testing-guide

It is outdated for ASVS v5.0.0 and it is a bit too selective even for v4.0.*

[narfbg]

To be clear - we don't need to be aligned with anything just because of "to be aligned". At the same time, if there is a requirement somewhere else, most likely there have been some research behind that and a good reason for the requirement to exists there. For us, it would be a validation point - do we have the principle covered and if not, should we cover that.

Right, completely agree. However, I would also add that alignment with other established standards for compliance purposes is a big selling point. I've successfully leveraged that to get buy-in for ASVS in the past, and would very much like to be able to do it again. :)
Within reason of course, but at least making sure there's no conflict is usually worth it on its own.

I'll submit a PR tomorrow with what you suggested.

[elarlang]

For PR please wait for the label "awaiting PR", maybe @tghosth has an opinion here.

[tghosth]

@narfbg do you think you could spend a few minutes checking what is different in the updated PCI versions to see if we can still legitimately claim the coverage and to what extent? If it is going to be a lot of effort then maybe better we remove it.

[narfbg]

Yes, it will take more than just a few mins since even the summary of changes is 36 pages long, but I meant to do that already.

[tghosth]

So if I remember correctly, ASVS doesn't (and cannot) cover all of PCI, it can only cover specific sections so maybe focus on those @narfbg?

[narfbg]

Unfortunately PCI-DSS is organized more around who a particular part of it may apply to (e.g. payment card issuers vs merchants, different risk profiles), and not so much tech. domains like ASVS, so relevant details can be scattered all over.

I do know both standards fairly well and can't immediately think of incompatibilities, but it's really a fine-tooth comb that's missing. I don't mind the effort and it will be a fun project for me, just not a quick one. :)

Either way though, I don't think ASVS claims PCI standards coverage anywhere. Appendix B only links to them as useful resources, which will always make sense.

[elarlang]

Whoa, that escalated quickly (from updating outdated links to a full analysis of PCI).

Let's leave this issue for correcting the links; the entire (potential) PCI alignment is a full new development and should be in a separate issue (if needed).

[narfbg]

Haha, yea, I didn't mean for that to be the outcome of this particular issue, it's just a few outdated links.

[tghosth]

Ah ok, I was reacting to @narfbg's point about compliance being a bonus, having taken a quick look I can see that we don't seem to claim PCI compliance so let's ignore that for now and just get a PR to update the links please :)

[elarlang]

@tghosth

• v5.0.0: Outdated references to PCI standards #3307 (comment) - option "a" or option "b"?
• v5.0.0: Outdated references to PCI standards #3307 (comment) - do you agree to remove this link?

[narfbg]

I personally prefer option "a" (single link to PCI standards), and would propose this one: https://www.pcisecuritystandards.org/standards/

There are many of them, with varying implications for application security.