Many of the items in that checklist are "verify X". To me, when it says "Verify requests to uploaded files will never be executed as HTML/JavaScript", that means spend hours visiting every place where files may be uploaded, find the corresponding download, and check the code to make sure it won't be interpreted as HTML/JS.
There are 132 items just in the "L1" part of the standard (the minimum recommended protections), which seems like it could be thousands of hours to "verify" all of those.
But the OWASP ASVS says that half the things in L1 are probably automatically testable or testable in the CI/CD pipeline.
Clearly we don't want to manually verify all these things, as that doesn't prevent drift as time goes on. But we also don't have a process that would automate any of this. It seems like having access to request logs would allow us to identify many things (like whether API tokens are exposed in URLs) and access to live production data streams as they go through the load balancer would allow us to detect file uploads and content types sent back. But I'm unaware of tools for doing that.
Cloudflare has their "web application firewall", which probably helps some with this on an ongoing basis; I think that starts at $5K/month. AWS has a WAF as well, and you can purchase subscriptions to rules for checking traffic, and some of those mention OWASP.
Right now we are going over OWASP doing some "gut feel" on which items are the highest priority and which we are likely to be vulnerable to. We've also been looking at code and finding some definite security issues.
But longer term we need to present to non-technical board members why we aren't scanning all file uploads with A/V software, for example.
Anyone have any wisdom on how you are "verifying" compliance with security standards?
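One concrete way to turn two of the checks mentioned in the post (secrets in URLs, uploads served back as HTML/JavaScript) into something that runs continuously over load-balancer logs, as an added example that is not part of the original post. The log lines are constructed, not real traffic; the log layout (combined log format with the response Content-Type and Content-Disposition appended as two quoted fields) and the `/uploads/` prefix for user files are assumptions, since the post names neither a proxy nor an upload path.

```python
"""Scan proxy/load-balancer access logs for two ASVS L1-style checks.

Added example, not the original poster's code. Assumes a hypothetical log
layout (combined log format plus "<Content-Type>" "<Content-Disposition>")
and a hypothetical /uploads/ prefix under which user files are served.
"""
import re
from urllib.parse import parse_qsl, urlsplit

UPLOAD_PREFIX = "/uploads/"  # assumption: where uploaded files are served from

# Query-parameter names that should never carry credentials: URLs end up in
# proxy logs, browser history and Referer headers.
SECRET_PARAM_NAMES = {
    "api_key", "apikey", "token", "access_token", "auth", "secret",
    "password", "key", "sig", "signature", "session", "sessionid", "jwt",
}
# Catch JWT-shaped values regardless of the parameter name.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Content types a browser will render or execute when served inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/javascript", "text/javascript", "application/xml", "text/xml",
}

# Assumed layout: combined log format + "<Content-Type>" "<Content-Disposition>".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ctype>[^"]*)" "(?P<cdisp>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def secret_params_in_url(target):
    """Names of query parameters that look like credentials, by name or JWT shape."""
    query = urlsplit(target).query
    return [
        name for name, value in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SECRET_PARAM_NAMES or JWT_RE.match(value)
    ]


def upload_served_as_active_content(entry):
    """True if a 2xx response for an upload has a renderable type and no attachment disposition."""
    path = urlsplit(entry["target"]).path
    if not path.startswith(UPLOAD_PREFIX) or not entry["status"].startswith("2"):
        return False
    media_type = entry["ctype"].split(";", 1)[0].strip().lower()
    inline = not entry["cdisp"].lower().startswith("attachment")
    return media_type in ACTIVE_TYPES and inline


def scan(log_text):
    """Run both checks over a log; returns (line_number, check_id, detail) tuples."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            findings.append((lineno, "UNPARSED", line[:60]))
            continue
        for name in secret_params_in_url(entry["target"]):
            findings.append((lineno, "SECRET_IN_URL", name))
        if upload_served_as_active_content(entry):
            findings.append((lineno, "UPLOAD_ACTIVE_CONTENT", entry["ctype"]))
    return findings


# Constructed sample log (not real traffic) exercising clean and bad cases.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v1/items?limit=10 HTTP/1.1" 200 512 "application/json" "-"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /api/v1/items?api_key=sk_live_0123456789abcdef HTTP/1.1" 200 512 "application/json" "-"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 40211 "application/pdf" "attachment; filename=report.pdf"
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /uploads/avatar.svg HTTP/1.1" 200 1839 "image/svg+xml" "-"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /uploads/notes.html HTTP/1.1" 200 733 "text/html; charset=utf-8" "-"
10.0.0.10 - - [01/Jan/2024:10:00:06 +0000] "POST /login HTTP/1.1" 302 0 "text/html" "-"
10.0.0.11 - - [01/Jan/2024:10:00:07 +0000] "GET /callback?state=xyz&id_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc HTTP/1.1" 200 88 "text/html" "-"
"""

if __name__ == "__main__":
    for lineno, check, detail in scan(SAMPLE_LOG):
        print(f"line {lineno}: {check}: {detail}")
```

Run against the sample it flags the `api_key` and JWT-shaped `id_token` query parameters and the two uploads served inline as SVG and HTML, while the PDF sent with `Content-Disposition: attachment` and the ordinary API and login requests pass. Pointed at a daily log export in a CI job that fails on any finding, it is the kind of check the ASVS text calls "automatically testable": it does not prove the upload handler is correct, but it catches drift the moment a deploy starts serving active content or a client starts putting tokens in URLs.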