The purpose of this repository is to build a bridge between Threat Modeling and the definition of security controls by providing an equivalence table that maps the STRIDE model to the Application Security Verification Standard (ASVS) chapters.
This article gives an overview of the STRIDE vs ASVS equivalence table, which bridges Threat Modeling and the definition of security controls by mapping the STRIDE model to the chapters of the Application Security Verification Standard (ASVS).

STRIDE is a model for identifying computer security threats, developed by Praerit Garg and Loren Kohnfelder at Microsoft. It provides a mnemonic for six categories of security threat and is used together with a model of the target system. The ASVS Project provides a basis for testing the technical security controls of web applications and gives developers a list of requirements for secure development.

The article includes a table that maps the elements of the OWASP Top 10 (OT10) to STRIDE elements. Mario Platt contributed to the repository an Excel spreadsheet named STRIDE-OT10-CWE-OPC-ASVS, which maps STRIDE against ASVS, CWE, the OWASP Proactive Controls and the OWASP Top 10. The article also provides an equivalence table between STRIDE threats and ASVS chapters; its columns are STRIDE, ASVS Chapter, Teams, Notes and References.

The article then explains how to use the table: understand the functional and technical requirements and their business context; use Threat Modeling with STRIDE to identify the threats; adapt the requirements to the specific context of the project; add extra context using the User Stories format; automate security controls as far as possible; and track the completion of the security requirements so that residual risk is handled. It closes with a list of potential improvements and a TODO list.
🔗 source link: https://github.com/mllamazares/STRIDE-vs-ASVS
#STRIDEvsASVS #ThreatModeling #SecurityControls #OWASPTop10 #EquivalenceTable