-
-
Notifications
You must be signed in to change notification settings - Fork 635
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V8.3 security and policy #1918
Comments
I wonder if all of these should be L2 because they are more like regulatory/legal risks and also like defense in depth rather than primary defense. I think these sort of requirements which are common to data protection legislation, e.g. GDPR or CCPA are worth keeping but with that change in level. I think we could separate chapter 8 into things which are actually security risks and things which are regulatory/legal risks but I don't think it is critical. |
No clear proposals, just some thoughts for further discussion. tldr: I think we should stay away from legal requirements. 8.3.2, 8.3.9
Well, those functionalities are quite a juicy target for attackers. I can understand the abstract meaning and reasoning, but it opens up a new level of impact for attacks. Maybe it's worth special mention for this in the 3.7.1?
Are those requirements realistic - let's take some bank or gov system, you just can not ask it. 8.3.3
Is it actually 2 requirements?
Is this part testable (what is a "clear language")? Is it a bit too much just a policy? The abstract goal here can be, that the application must not collect (sensitive) data that it does not need, and it should be analyzed via:
How we are going to test it? It is written somewhere in a big condition document and it's verified? ping @tghosth |
I don't see a problem with some high-level requirements as long as they are implementable/testable.
I think it could already be considered to be covered in 3.7.1. We don't enumerate every possibility there.
Reauthentication? Definitely realistic. My bank makes me enter in an SMS code every time I want to do some sort of money transfer.
I think it is one requirement because they are opting in to whatever is described in the wording it talks about.
I agree that is subjective and unhelpful and would recommend removing.
For testing opt in, you just have to make sure that users have to explicitly agree to it, should be pretty easy. |
No. The topic is:
Is it always realistic to ask removing your data and export all your data. I don't think so. If it is available as functionality, it is so critical piece, that it is worth special mentioning in 3.7.1. |
Ah ok, I understand better what you mean now. I think that privacy legislation still applies to government bodies except in certain circumstances, for example: It definitely applies for financial institutions. As such I think it is almost always valid to expect that. |
option 1 - cleanupBack to the beginning:
If there is no clear answer, we should remove it. Also, we have an agreement
I'm really not convinced we need those requirements in ASVS. option 2 - updateIf you are still sure you want to keep them:
ping @tghosth |
Following discussion with @elarlang, reduce to Level 3 since this is not a protective control as such but rather a risk reduction mechanism. |
@set-reminder 10 mins josh to look at |
⏰ Reminder
|
Opened #1931 Changes:
|
Can we say for each requirement, what is the risk to solve? Is it worth a requirement in the ASVS or those are here because they are just from GDPR or similar?
If we want to keep them:
edit: cwe 212 is kind of related, but not correct
The text was updated successfully, but these errors were encountered: