Software Security/Group 1/Reflection
It is hard for us to give a properly founded critique of the ASVS methodology as a whole, having only used a very small fragment of it. The ASVS methodology seems very comprehensive and complicated, covering the entire security review process from beginning to end, with lots and lots of elaborate documents detailing the various aspects in depth. We on the other hand have really only focused on a handful of relatively concrete parts, such as the review and requirements levels, and have only been able to use these as a rough guide, because ASVS is too general and technology-independent to give very specific concrete guidance about these levels. Had this project been bigger in scope and longer in duration, we might have been able to make better use of it and give a properly founded assessment.