
Refresh ISO 27001 Multisession Control Statement.

Open cmlh opened this issue 2 years ago • 8 comments

"1.6 Compliance" of MVSP mandates: "Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18."

The parent of all MVSP issues is #1151.

V3.7 Defenses Against Session Management Exploits states "Previously, based on ISO 27002 requirements, the ASVS has required blocking multiple simultaneous sessions. Blocking simultaneous sessions is no longer appropriate, ...".

ISO 27002 was updated during 2022 and therefore this statement in ASVS should reflect the latest release of ISO 27002.

I don't know if this is reflected in the latest ISO 27002 or not as I don't have it at hand at the moment.

This issue should also be reconsidered when undertaking QA of each future release of ASVS.

cmlh avatar Apr 08 '23 03:04 cmlh

I can't locate the associated control within ISO 27002:2022 and the commit was made by @vanderaj.

cmlh avatar Apr 10 '23 01:04 cmlh

So I think that given we no longer mandate this anyway, I am not super worried about an updated reference.

In general, I think figuring out how to comply with other regulation is not really in scope for ASVS and certainly not a key goal for 5.0.

tghosth avatar Jun 15 '23 09:06 tghosth

In 5.0, I am expecting we will need to trim down this text as much as possible anyway.

tghosth avatar Jun 15 '23 09:06 tghosth

Closing as I don't think we will take action on this

tghosth avatar Jun 15 '23 11:06 tghosth

Closing as I don't think we will take action on this

Can @tghosth provide the context of this decision, as it can be fixed with a Pull Request?

cmlh avatar Jun 16 '23 06:06 cmlh

Highly likely that this sentence will be removed in 5.0 anyway

tghosth avatar Jun 19 '23 15:06 tghosth

I am reopening this and marking it to be considered when we create the actual 5.0 draft.

tghosth avatar Jul 11 '23 05:07 tghosth

@cmlh Related discussion: #2101

ryarmst avatar Oct 21 '24 13:10 ryarmst