This equivalence table bridges Threat Modeling with security control definitions by mapping the STRIDE model to the chapters of the Application Security Verification Standard (ASVS).
👉 Check out the table here: STRIDE-vs-ASVS-4.0.csv
Here’s a high-level diagram of the mapping:
```mermaid
graph LR
    subgraph STRIDE
        A[Spoofing]
        D[Tampering]
        G[Repudiation]
        I[Information disclosure]
        N[Denial of service]
        O[Elevation of privilege]
    end
    subgraph ASVS_Chapter
        B[V2 - Authentication]
        C[V3 - Session Management]
        E[V4 - Access Control]
        F[V5 - Validation, Sanitization and Encoding]
        H[V7 - Error Handling and Logging]
        J[V6 - Stored Cryptography]
        K[V8 - Data Protection]
        L[V9 - Communication]
        M[V14 - Configuration]
    end
    A --> B
    A --> C
    D --> E
    D --> F
    G --> H
    I --> J
    I --> H
    I --> K
    I --> L
    I --> M
    N --> M
    O --> M
    O --> E
```
This table is meant to be a simple reference to help connect these two resources. It does NOT:

- Attempt to oversimplify the control selection process, as Security Requirement Engineering (SRE) is more complex and context-dependent.
- Map all ASVS chapters, since the mapping to STRIDE isn't always one to one due to:
  - Project-specific factors (e.g., V12 - Files and Resources).
  - Topics covered during the design phase (e.g., V1 - Architecture & Design).
Here's a quick rundown of the columns in the STRIDE vs. ASVS table:

- STRIDE: the threat category being mapped.
- ASVS Chapter: the ASVS chapter that addresses the identified threat.
- Teams: the teams typically involved in implementing the control (indicative).
- Notes: additional context or comments, if applicable.
- References: the three reference columns are summarized in the table below.

| Short Name | Reference | Author | Description |
|---|---|---|---|
| RTMP | HOWTO-Rapid Threat Model Prototyping book | Geoffrey Hill, Tutamantic | Threat Modeling methodology |
| STRIDE-OT10-CWE-OPC-ASVS | STRIDE-OT10-CWE-OPC-ASVS excel | Mario Platt | Equivalence matrix between STRIDE and other standards |
| ASVS | Application Security Verification Standard v4.0.3 | OWASP | Standard for testing web applications |
Here's a step-by-step guide to using this resource in the SRE process:

- Understand the functional and technical requirements in their business context.
- Apply Threat Modeling with STRIDE to identify threats.
  - The RTMP methodology is recommended for an agile-friendly approach.
- Use the STRIDE vs. ASVS table to find which ASVS chapter addresses each threat.
- Adapt the requirements to your project's specific context.
  - Some controls may need modification, or may not apply.
- Provide extra context using the User Stories format, following the INVEST criteria.
  - Practical examples are available in the project ASVS User Stories by @mario-platt.
- Automate security controls where possible.
  - Level 1 controls are often easy to automate.
  - Check out the OWASP ASVS 4.0 testing guide by @BlazingWind for practical examples.
- Track the completion of security requirements to manage residual risk.
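As an added illustration of the lookup, adaptation and tracking steps above (example code written for this page, not tooling shipped with the repository), the snippet below reads a table in the five-column layout described earlier, unions the ASVS chapters for a set of STRIDE threats found in a threat model, and reports which chapters are still open. The chapter edges follow the diagram; the Teams, Notes and References values are constructed placeholders, not the real CSV contents.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample in the documented layout: STRIDE, ASVS Chapter, Teams,
# Notes, References. Teams/Notes are illustrative only (assumption).
SAMPLE_CSV = """STRIDE,ASVS Chapter,Teams,Notes,References
Spoofing,V2 - Authentication,Backend,,ASVS
Spoofing,V3 - Session Management,Backend,,ASVS
Tampering,V4 - Access Control,Backend,,ASVS
Tampering,"V5 - Validation, Sanitization and Encoding",Backend;Frontend,,ASVS
Repudiation,V7 - Error Handling and Logging,Backend;Ops,,ASVS
Information disclosure,V6 - Stored Cryptography,Backend,,ASVS
Information disclosure,V7 - Error Handling and Logging,Backend;Ops,,ASVS
Information disclosure,V8 - Data Protection,Backend,,ASVS
Information disclosure,V9 - Communication,Ops,,ASVS
Information disclosure,V14 - Configuration,Ops,,ASVS
Denial of service,V14 - Configuration,Ops,,ASVS
Elevation of privilege,V14 - Configuration,Ops,,ASVS
Elevation of privilege,V4 - Access Control,Backend,,ASVS
"""

def load_mapping(csv_text):
    """Parse the table into {STRIDE category: [row dict, ...]}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mapping.setdefault(row["STRIDE"].strip(), []).append(row)
    return mapping

def select_controls(mapping, threats):
    """Union of ASVS chapters for the identified threats, de-duplicated in
    first-seen order; each chapter records every threat it mitigates and the
    teams involved. An unmapped STRIDE category is an error, not a silent skip."""
    selected = OrderedDict()
    for threat in threats:
        if threat not in mapping:
            raise KeyError(f"no mapping for STRIDE category: {threat}")
        for row in mapping[threat]:
            entry = selected.setdefault(row["ASVS Chapter"],
                                        {"threats": [], "teams": set()})
            entry["threats"].append(threat)
            entry["teams"].update(t for t in row["Teams"].split(";") if t)
    return selected

def residual_risk(selected, completed):
    """Chapters whose requirements are not yet tracked as done: the residual risk."""
    return [chapter for chapter in selected if chapter not in completed]
```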
This repository was inspired by @mario-platt, who contributed to the Rapid Threat Model Prototyping (RTMP) repo with the STRIDE-OT10-CWE-OPC-ASVS comparison table. That table maps STRIDE to ASVS, CWE, OWASP Proactive Controls, and OWASP Top 10.

This repository addresses key areas that needed improvement in the RTMP whitepaper, such as the additional step required to select the associated security controls (from OWASP Top 10 to ASVS).

The creation of this repo was also driven by the following concerns with that comparison table:

- The OWASP Top 10 reference is outdated (2017 version instead of 2021).
- The ASVS reference is outdated (v3.0 instead of v4.0).
- Minor disagreements with some of the proposed categorizations.

Planned next steps:

- Identify additional references to support the categorization.
- Break down ASVS chapters into more specific sections.
- Create a SecurityRAT requirement set using this format.