9.3.1 should be for all apps #1734

Closed
jmanico opened this issue Sep 27, 2023 · 2 comments · Fixed by #1735

@jmanico
Member

jmanico commented Sep 27, 2023

9.3.1 states internal services only need TLS if they are level 2

9.3.1 [ADDED] Verify that TLS or another appropriate transport encryption mechanism used for all connectivity between internal, HTTP-based services, and does not fall back to insecure or unencrypted communications.   319

I strongly disagree, I think all apps should use HTTP/S and TLS, even those without sensitive data. HTTP/S is not just about data protection, HTTPS is also about properly identifying the server!
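A client-side sketch of the two properties discussed above, TLS with no plaintext fallback (9.3.1) and authentication of the server, added here as an example; it is not code from ASVS or from any participant in this thread. All function and class names are hypothetical, and `ca_file` assumes the internal services chain to a private CA bundle.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse any redirect whose target is not https:// (no silent fallback)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme.lower() != "https":
            raise urllib.error.URLError(f"refusing redirect to non-TLS URL: {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def strict_tls_context(ca_file=None):
    """Context that identifies the server: chain and hostname are both verified."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # Fail closed if a future change ever weakens the defaults.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not authenticate the server")
    return ctx


def require_https(url):
    """Reject plaintext or scheme-less service URLs before any socket is opened."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"internal service URL must be https://: {url!r}")
    return url


def build_internal_opener(ca_file=None):
    """Opener using the strict context and the downgrade-refusing redirect handler."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_tls_context(ca_file)),
        NoDowngradeRedirectHandler(),
    )


def call_internal(url, ca_file=None, timeout=5):
    """GET an internal service; raises on http://, an unverifiable cert, or a downgrade."""
    opener = build_internal_opener(ca_file)
    with opener.open(require_https(url), timeout=timeout) as resp:
        return resp.status, resp.read()
```

The opener still contains urllib's default plaintext handler, so `require_https` is the guard on the initial URL and the redirect handler is the guard on every later hop.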

@tghosth
Collaborator

tghosth commented Sep 27, 2023

I added this as part of a V9 rework a while ago.

I am assuming that it was marked as L2 because it is not pen testable but right now I don't see that as a likely definition for the updated levels so I am happy to make it L1.

@tghosth
Collaborator

tghosth commented Sep 27, 2023

Opened #1735

tghosth added the labels "6) PR awaiting review" and "_5.0 - prep" (This needs to be addressed to prepare 5.0) on Sep 27, 2023
jmanico added a commit that referenced this issue Sep 27, 2023
elarlang pushed a commit to elarlang/ASVS that referenced this issue Nov 9, 2023