the aim to be designed in such a way as to be easily transformed into automated penetration tests etc.
Another typical way to present security concerns and measures would be to list appropriate security concerns
- per type of architectural component of a web app, and thus integrate it into the development lifecycle.
+ per type of architectural component of a web app, and thus integrate it into the development life-cycle.
We suspect the ASVS is presented the way it is, exactly because security is an \emph{emergent property},
and thus security measures should not be regarded as attachments to respective components of an app.
Rather, it should be verified at each stage and level; and thus a checklist is a better presentation.