The Open Web Application Security Project (OWASP) has published the third version of its developer security bible trimming the fat and offering peer-reviewed and tested means of building more secure apps.

The Application Security Verification Standard Project (ASVS) is the carrot to OWASP's much-cited stick that is the Top 10 web app security flaws.

It promises acolytes harder, better-assured software that will keep user data safe and company names out of the data breach press cycle.

"The Top Ten are the things not to do," says OWASP veteran and security boffin Andrew van der Stock. "The ASVS says to developers that 'if you do these 20 things well, you won't have problems'".

Van der Stock, of Victoria, is co-project leader of the 2015 ASVS edition (PDF) along Daniel Cuthbert, both whom have worked with the OWASP machine from its infancy.

"It goes beyond [the Top Ten] covering things like access controls, business logic flaws, a new topic on web services, and number of critical areas," he says.

Developers who consume the document's 20 sections before building are in good stead to succeed in penetration tests, and to satisfy payment card industry data security standards.

Laws and sausages

The OWASP's guide has grown larger over time from its foundations as a detailed checklist to a peer-reviewed guide build on the lessons of those who use it.

Andrew van der Stock.

The Netherlands Tax Office is a fully-fledged ASVS house. For the 2015 edition it answered the OWASP call and offered a scattering of ASVS checks that were not specifically security-related which it as a result passed over.

Those and others like it have been trimmed from the latest edition." We're not talking about 10 year old java libraries anymore," Van der Stock says. "We're talking modern application development, AngularJS, RESTful - all of that's in there"

Van der Stock says best practice has moved security earlier into the development process; three to four years ago he and others in the industry were doing penetration testing at the end of a build. Now, the best work with builders from the start.

"It's a huge change," he says. "Developers are responsible for insecurity."

That notion lies at the heart of the ASVS.

The work was like other industry standards a marathon of endurance (Van der Stock says standards, along with laws and sausages, should be made behind curtains) but the race is not over.

OWASP is seeking volunteers to translate the ASVS into several Asian languages in countries where English is not universal. Japanese, Vietnamese, Malaysian, and Chinese are among those being actively sought. ®