
Discuss MTLS for internal services

Open jmanico opened this issue 2 years ago • 1 comments

I think we need to get more aggressive on suggesting the use of mTLS intra-service for level 3.

Please note mTLS - Mutual TLS. Somewhere here. https://github.com/OWASP/ASVS/blob/master/5.0/en/0x17-V9-Communications.md in 9.3

jmanico avatar Sep 28 '22 17:09 jmanico

+1 on this, I totally agree we should suggest mTLS. We usually see in security and architecture reviews that most setups do not have mTLS for intra-service communications.

csfreak92 avatar Oct 04 '22 04:10 csfreak92

@csfreak92 do you fancy drafting some wording?

tghosth avatar Oct 23 '22 14:10 tghosth

Hi @tghosth, I can give it a shot. Please assign this issue to me. Also, are we just suggesting this for Level 3? Wouldn't it make more sense as a Level 2 requirement as well?

csfreak92 avatar Oct 23 '22 14:10 csfreak92

Let's start with L3 as it is not super trivial. Assigned to you.

tghosth avatar Oct 23 '22 15:10 tghosth