
V9 rework needed

Open tghosth opened this issue 3 years ago • 12 comments

I have read V9 and I think it needs some rework.

Overall I think it is trying to distinguish between external-facing services and service-to-service comms, and also trying to distinguish between TLS and other encryption mechanisms.

I have started by trying to make this differentiation clearer but I am keen to get other feedback from people.

tghosth avatar Feb 10 '22 14:02 tghosth

The V9 title is the general "Communications", but the content seems to be only encryption oriented.

If we keep it only for communication encryption, then maybe it makes sense to make the title more precise as well.

If we do not keep it only for encryption, I would like to add a new subcategory for communications covering CSRF and Origin header checks - basically requirements for validating that the request originated from the expected party. Requirements like the current:

  • 4.2.2
  • 4.2.3
  • 13.5.2
  • 14.5.3

elarlang avatar Feb 10 '22 17:02 elarlang

Ok, so what everything in V9 has in common, which is not the case for the 4 requirements you specified, is that the server-side configuration would almost certainly be outside of the application code/config, but rather at the server or service hosting level.

If you can think of other comms-related items that fall into that bucket then we can look at them, but I think the other items you have pointed out are application code/config related so belong wherever they currently are.

tghosth avatar Feb 21 '22 15:02 tghosth

I think the other items you have pointed out are application code/config related so belong wherever they currently are.

That's the problem, that they are not - CSRF is not an authorization problem and does not belong to V4. Those 4 belong together in one (sub)category, but it does not mean it must be V9. That's why I asked how we define the category name "Communication".

elarlang avatar Feb 21 '22 19:02 elarlang

You think that CSRF is more of a configuration problem?

tghosth avatar Feb 22 '22 15:02 tghosth

If current V9 is purely for configuration, should it be part of V14 then?

elarlang avatar Feb 23 '22 08:02 elarlang

But it is a special kind of configuration which is a little outside of the regular application domain and it is also an important topic which is why I think it merits its own section. I agree that things are getting a little murky now but I think it makes enough sense where it is.

tghosth avatar Feb 23 '22 14:02 tghosth

Then I stand for this:

If we keep it only for communication encryption, then maybe it makes sense to make the category title more precise as well.

https://github.com/OWASP/ASVS/issues/1220#issuecomment-1035200681

elarlang avatar Feb 23 '22 19:02 elarlang

Can we say "Communication Protection"?

tghosth avatar Feb 24 '22 07:02 tghosth

Can we say "Communication Protection"? @elarlang what do you think?

tghosth avatar Jul 04 '22 15:07 tghosth

In my head I can fit all CSRF, Origin, CORS etc. related requirements under this title.

If we keep the current structure, the category name should contain TLS.

elarlang avatar Jul 05 '22 17:07 elarlang

Ok so "Communication Encryption"? @elarlang

tghosth avatar Jul 26 '22 17:07 tghosth

Seems good.

elarlang avatar Aug 08 '22 10:08 elarlang

Created #1342 @elarlang

tghosth avatar Aug 24 '22 14:08 tghosth