ASVS
Suggest small change to 6.1.1
I would like to suggest that we augment 6.1.1 to mention one other privacy law.
From:
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. | | ✓ | ✓ | 311 |
To:
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR or California's CCPA. | | ✓ | ✓ | 311 |
I prefer to go kind of the opposite way: to not mention local regulations at all.
We have "documentation requirements" to cover all the local regulation parts:
V1.8 Data Protection and Privacy Architecture
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 1.8.1 | [MODIFIED, MERGED FROM 8.3.4, LEVEL L2 > L1] Verify that all sensitive data created and processed by the application has been identified and classified into protection levels, and ensure that a policy is in place on how to deal with sensitive data. | ✓ | ✓ | ✓ | 213 |
| 1.8.2 | Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture. | ✓ | ✓ |
Current 6.1. requirements:
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 6.1.1 | Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. | | ✓ | ✓ | 311 |
| 6.1.2 | Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records. | | ✓ | ✓ | 311 |
| 6.1.3 | Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records. | | ✓ | ✓ | 311 |
One option is to merge 6.1.1, 6.1.2 and 6.1.3 into one requirement that kind of references the documented requirements 1.8.1 + 1.8.2.
I still want to add CCPA to 6.1.1
I am going to tag this as both v6 and v8. Whether this gets added or not, I think we need to add it to V8 and not V6.
In addition to the previously highlighted documentation requirements...
Current requirement V6.1.1:
V6.1.1 Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR.
The requirement is about regulations and sensitive data protection. The problem to solve is from "V8 Data protection" responsibility, "V6 Stored Cryptography" is just a technical solution to achieve that.
In V8 we have a requirement that covers the content of 6.1.1:
V8.3.7 Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity.
The same applies to V6.1.2 and V6.1.3:
- V6.1.2 Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records.
- V6.1.3 Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records.
So my proposal is to remove V6.1.1, V6.1.2 and V6.1.3 as duplicates of V8.3.7, or merge them into V8.3.7 (or cover them with documentation requirements 1.8.1, 1.8.2) if needed.
I would agree with merging V6.1.1, V6.1.2 and V6.1.3 to V8.3.7 and cover with documentation requirements as well.
There are quite a few other privacy regulations across the world other than GDPR and CCPA. I say we drop the specific law and just call it privacy regulation.
Ok, 6.1.3 talks about "regulated financial data" but I am not sure that relates to a specific regulatory standard so as far as I am concerned it is a duplicate of the protection levels requirement 1.8.1.
6.1.1 and 6.1.2 talk about real regulations/standards so I think it makes sense to have a V1 requirement related to documentation of regulations/standards and then expand 8.1.9 to include it as well.
I opened #2209 for this.
I think 8.3.7 is a slightly different point because it is about the need for both confidentiality and integrity so I would leave it alone for now but I opened an issue to track (#2208).
As I wrote in https://github.com/OWASP/ASVS/issues/1658#issuecomment-2442142678
The requirement is about regulations and sensitive data protection. The problem to solve is from "V8 Data protection" responsibility, "V6 Stored Cryptography" is just a technical solution to achieve that.
Requirements 6.1.1, 6.1.2 and 6.1.3 do not belong in V6, as those are not requirements about cryptography, but requirements about protecting sensitive data.
If those are different enough from current 8.3.7 then some combination of 6.1.1+6.1.2+6.1.3 can be moved to V8.
edit: nvm, read the PR #2209 :)
I really don't like the proposed 1.8.3 as a trojan horse requirement ("follow all policies")...