5.6.2 Adding Server-side validation proposal #2006
Comments
For me the proposed phrase just duplicates the requirement and does not provide anything extra.
I would partially agree and also mentioned. But it feels a bit implicit to me.
Would it be suitable to use the Glossary (Appendix A) to provide an expanded definition of and examples of "trusted service layer"? Notably, the top Google search results for me all come from its use with the ASVS. I see it is currently defined in V1.5.
I think the requirement could be slightly clearer based on this structure, but I agree with Ryan that I prefer to keep the trusted service layer terminology but make sure it is sufficiently covered in the glossary.
#1553 - in this issue, there is a discussion of how and why we reached the current requirement text.
Ok so I added a minor clarification to 5.6.2 and also added trusted service layer to the glossary. @mesutgungor
Well, seems that the PR is merged already. I really don't think we need "as it can be bypassed" in the requirement. Bypass - for me it is a situation when there is proper defense in place but there is some mistake in program code that gives you the opportunity to send the parameters in a way that security mechanisms are not executed. In this context it is not the case - client-side validation is just usability on the client side, and from the server-side/trusted service layer point of view, when communicating with the service directly, there is nothing to bypass. You just skip the UI part.
Can you think of a better way to word this?
We just don't need this phrase in the requirement, it does not give anything extra.
The description part, maybe we should go with a message like (input for wordsmithing):
Discussed with @elarlang @set-reminder 7 days @tghosth to rollback addition to requirement and update the glossary. For glossary:
⏰ Reminder
In 5.6 Validation and Sanitization Architecture
Although "trusted service layer" covers it, I would propose adding "server-side (back-end) validation" explicitly to make it clearer.
Current:
Proposal