Title: From Application Security Verification Standard (ASVS) to Regulation Compliance: A Case Study in Financial Services Sector
Authors: V. Tan, C. Cheh, Binbin Chen
Venue: 2021 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Publication date: 2021-10-01
DOI: 10.1109/ISSREW53611.2021.00046 (https://doi.org/10.1109/ISSREW53611.2021.00046)
Citations: 1
Abstract
The OWASP Application Security Verification Standard (ASVS) is a widely used web application development guideline covering technical security controls and secure development requirements. While software development teams refer to ASVS to secure their applications and development process, they also need to ensure compliance with various security-related regulations, including sector-specific ones. In this work, we study the synergy of these two activities, i.e., how following ASVS positions a development team's applications with respect to those regulatory requirements. We take the highly regulated financial services sector as a case study. In particular, we look at two recent guidelines published by the Monetary Authority of Singapore (MAS): the Technology Risk Management (TRM) guidelines and Notice 655 Cyber Hygiene. We developed a systematic approach to map ASVS to those two sector-specific regulations. Our results show that by adopting ASVS, a development team can achieve a high degree of regulatory compliance (38.6% for the MAS TRM guidelines and 47.6% for MAS Notice 655, respectively). This demonstrates the viability of using international standards such as ASVS to support compliance with the two sector-specific regulations. In addition, our mapping approach can help organizations support their compliance efforts.