How to bootstrap the NIST risk management framework with verification activities

From OWASP
Revision as of 13:15, 16 February 2009 by Mike.boberski (Talk | contribs)


OWASP Application Security Verification Standard (ASVS) can be used in support of the NIST risk management framework. This article describes one possible way to bootstrap the NIST risk management framework security life cycle with verification activities.


NIST SP 800-53

The NIST risk management framework security life cycle activities can be summarized as follows:


  • Categorize the information system
  • Select an initial set of security controls
  • Supplement the initial set of tailored security controls
  • Document the agreed-upon set of security controls
  • Implement the security controls
  • Assess the security controls
  • Authorize information system operation
  • Monitor and assess selected security controls


The NIST risk management framework security life cycle activities can be augmented with verification activities using OWASP ASVS as follows:


NIST framework activity                                    | Can ASVS be used? | Notes
-----------------------------------------------------------|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------
Categorize the information system                          | Yes               | An initial OWASP ASVS review of a web application or web service establishes its current security posture, which informs the impact categorization.
Select an initial set of security controls                 | No                | The initial baseline is selected from the NIST SP 800-53 control catalog according to the system's impact level; ASVS does not replace that catalog.
Supplement the initial set of tailored security controls   | Yes               | OWASP ASVS is an easy way to add web application and web service-specific security requirements, guarding against threats specific to those technologies.
Document the agreed-upon set of security controls          | Yes               | OWASP ASVS reports can be used as input to system security plans, since they include not only findings but also a security architecture analysis.
Implement the security controls                            | Yes               | OWASP ASVS verification requirements can be used to design the technical security controls for web applications and web services.
Assess the security controls                               | Yes               | OWASP ASVS verifications can be used to assess the supplemented web application and web service technical security controls.
Authorize information system operation                     | No                | Authorization is a management decision made by the authorizing official; ASVS results are input to it, not a substitute for it.
Monitor and assess selected security controls              | Yes               | OWASP ASVS verifications can be repeated at regular intervals during operation, as a new activity introduced into the life cycle.