This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
How to bootstrap the NIST risk management framework with verification activities
From OWASP
OWASP Application Security Verification Standard (ASVS) can be used in support of the NIST risk management framework. This article describes one possible way to bootstrap the NIST risk management framework security life cycle with verification activities.
The NIST risk management framework security life cycle activities can be summarized as follows:
- Categorize the information system
- Select an initial set of security controls
- Supplement the initial set of tailored security controls
- Document the agreed-upon set of security controls
- Implement the security controls
- Assess the security controls
- Authorize information system operation
- Monitor and assess selected security controls
The NIST risk management framework security life cycle activities can be strengthened with verification activities using OWASP ASVS as follows:
NIST framework activity | Can ASVS be used? | Notes |
Categorize the information system | No | |
Select an initial set of security controls | No | |
Supplement the initial set of tailored security controls | Yes | OWASP ASVS is an easy way to add web application and web service-specific security requirements, to guard against threats that are specific to web applications and web services. |
Document the agreed-upon set of security controls | Yes | OWASP ASVS security architecture analyses can be used as input to system security plans. |
Implement the security controls | Yes | OWASP ASVS verification requirements can be used to ensure security controls called by web applications and web services are designed, implemented, and called securely. |
Assess the security controls | Yes | OWASP ASVS verifications can be performed to assess supplemented web application and web service technical security control requirements. |
Authorize information system operation | No | |
Monitor and assess selected security controls | Yes | OWASP ASVS verifications can be performed during the life cycle at regular intervals, as a new on-going activity introduced into the existing life cycle. |