ASVS
new requirement for data process transaction / integrity
I think we are missing a requirement to verify that, on data changes, related data must be in a transaction: if some step fails, you need to roll back the previous step as well.
How would we do this? It would assume there is some state table to compare to, or is it even simpler than that?
Let's say you make 3 SQL commands to insert data and the 3rd one fails; then you must roll back the 2 previous ones, otherwise integrity is incorrect.
2 ways to look at it:
- V11.1 business logic requirement - if some step is failing, need to cancel previous ones as well
- V8.1 data protection/integrity requirement
I completely agree. I think we need to refer to the need for "atomic transaction" where either all steps succeed or all steps fail.
@elarlang do you think we need two requirements or is 1 sufficient?
What would be the 2nd one?
@elarlang I mean do we need one in data protection and one in business logic or is one in business logic sufficient?
Re-analyzing the situation - I think category "V8 Data protection" is more about protecting already existing data (from leaking) and more confidentiality oriented. So the direction should be "V11 business logic" and data integrity - if one step fails, nothing goes in (everything is rolled back) to avoid partial data.
Ok @elarlang, so how about:
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 11.1.9 | [ADDED] Verify that "atomic transactions" are being used at the business logic level such that either a business logic operation succeeds in its entirety, or it is rolled back to the previous correct state. | ✓ | ✓ | ? |
Do you have a CWE and what level do you suggest?
I tried again to find a suitable CWE but did not find one. My logic says that this is so common and basic a problem in software that there should be some CWE for it, but I cannot hit the correct words to find it.
Can we move forward with blank CWE?
Yeah let's do that in the interests of moving forward
Opened #1727 to resolve this
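The three-insert scenario from this thread, as an added example that is not part of the original discussion or of ASVS itself: the same business operation is run once with each statement committing on its own and once inside one explicit transaction. The schema, the function names and the failing `CHECK` constraint are assumptions made up for the illustration; SQLite is used only because it runs without a server.

```python
import sqlite3

# Constructed schema: the third insert can fail on the CHECK constraint.
SCHEMA = """
CREATE TABLE orders   (id INTEGER PRIMARY KEY, customer TEXT NOT NULL);
CREATE TABLE items    (order_id INTEGER NOT NULL, sku TEXT NOT NULL);
CREATE TABLE payments (order_id INTEGER NOT NULL,
                       amount   INTEGER NOT NULL CHECK (amount > 0));
"""

def new_db():
    # isolation_level=None: sqlite3 opens no implicit transaction, so every
    # statement commits on its own unless the code issues BEGIN itself.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn

def run_steps(conn, order_id, amount):
    # The three writes that together form one business operation.
    conn.execute("INSERT INTO orders VALUES (?, ?)", (order_id, "alice"))
    conn.execute("INSERT INTO items VALUES (?, ?)", (order_id, "SKU-1"))
    conn.execute("INSERT INTO payments VALUES (?, ?)", (order_id, amount))

def place_order_non_atomic(conn, order_id, amount):
    try:
        run_steps(conn, order_id, amount)
        return True
    except sqlite3.IntegrityError:
        return False  # steps 1 and 2 are already committed: partial data

def place_order_atomic(conn, order_id, amount):
    conn.execute("BEGIN")
    try:
        run_steps(conn, order_id, amount)
        conn.execute("COMMIT")
        return True
    except sqlite3.Error:
        conn.execute("ROLLBACK")  # undo steps 1 and 2 as well
        return False

def row_counts(conn):
    # (orders, items, payments) row counts, used to verify the end state.
    return tuple(conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                 for t in ("orders", "items", "payments"))

if __name__ == "__main__":
    for place in (place_order_non_atomic, place_order_atomic):
        db = new_db()
        ok = place(db, 1, 0)  # amount 0 violates the CHECK on step 3
        print(place.__name__, "succeeded:", ok, "rows:", row_counts(db))
```

A verification test for the proposed requirement can use the same shape: force the last step to fail and assert that no rows from the earlier steps remain.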