discussion/new requirement: inventory/documentation for "allow listed" sources and communications

[elarlang]

Over time there is need to configure every kind of allow lists, like *-src and frame-ancestors for Content-Security-Policy (current requirements 14.4.3 and 14.4.7), allowed Origin's (14.2.3, 13.5.2, 14.5.3), allow list of resources or systems to which the server can send requests or load data/files from (12.6.1).

Problem to solve - if it's not documented, then sooner or later it's not clear, why there is some item in allow list and those may stay there even if thay are not needed (anymore).

Idea - create new requirement which requires those whitelists to be documented. Category probably 1.14.

[jmanico]

Per Google research (weischelbalm/spagneullo) 94% of allow list policies are bypassable. It’s more secure to focus on a nonce or hash based CSP. Strict-dynamic makes this easier. https://m.youtube.com/watch?v=5m7IPjC2v70

[elarlang]

Don't take this CSP out of context here. I have this proposal even if we remove CSP part and say that for CSP use nonces instead.

Think about requirement 14.2.5 (for me it seems V1 requirement btw):

V14.2.5 Verify that an inventory catalog is maintained of all third party libraries in use.

Same with 12.6.1:

V12.6.1 Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from.

If there is configured list of hosts, then there should be documentation which describes - why some host exists in this allow list.

[jmanico]

I am being directly in context, it’s my opinion based on research I have seen that allow lists should not be used with CSP.

[tghosth]

@elarlang I like the concept of ensuring that these sorts of lists are explicitly documented and I agree that this sounds like a V1 control. Do you want to draft something?

@jmanico I think the CSP point is a good question that needs to be looked at separately, do you want to open a specific issue for it?

[jmanico]

Done here, @tghosth #1311

[tghosth]

@elarlang let me know if you are able to draft something :)

[tghosth]

@elarlang where are we with the original part of this issue, are you going to draft something?

[elarlang]

I try to get this one moving as well.

We have requirement like 12.6.1:
V12.6.1 Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from.

Precondition here is - how you can test this if you don't have this "allow list of accepted resources" documented.

The goal for the requirement - we need to have the needs for the application documented, otherwise you can not write actual implementation for allow-list and also we can not test it.

I don't know how to build the requirement text, but it should say - all the needs for requests to external resources by the servers must be documented.

[tghosth]

How about:

Verify that the allow-lists being used for security controls across the application are centrally documented and used for all implementations.