Review feedback from App Defense Alliance CASA
There is a lot of feedback on the following page related to various requirements. I think we need to consider it for 5.0. I don't think it will all be valid but we should at least think about it.
Current: https://appdefensealliance.dev/casa/updates/
Archive: https://web.archive.org/web/20230705085243/https://appdefensealliance.dev/casa/updates/
@tghosth - do you plan to work with it or what is the expectation here?
From quick review - I have a lot of disagreements with those comments. Some comments probably are describing changes between v4.0.3 and current v5.0 state.
note: it still makes sense to work it through to find something valuable and meaningful.
Someone needs to work through it, if you have bandwidth to take that then that would be amazing. I think it would be worth preparing a public response to the comments although we will need to consider if/how we publicise that. For now, maybe create a document somewhere with our responses to each comment and open issues where you think there is a valid comment which we have not considered?
I can, if it is a priority. For me, our long list of open issues is more important at the moment. To give you motivation - I'll do it if our open issues list is less than 100 :)
I can defer mvsp.dev for this if needed.
Haha, I don't think it has more priority than anything else, I'll give you a shout if I can get the issues list down ;)
@tghosth, @elarlang, I can take a look during my free time and check out comments from CASA to see if we need to work on some (not all) of those concerns that they may have raised. Anything in particular that you wish me to do after checking each of them aside from creating an online spreadsheet with our responses to their comments? I could probably open new issues if it warrants having further discussion on them.
I think you should take the following approach @csfreak92. What do you think?

```mermaid
flowchart TD
id1("Do we think their concern is valid?")
id2("Has it been rectified already in the #quot;bleeding edge#quot;
version in the 5.0 folder of the main branch")
id3{"Mark as
#quot;Invalid#quot;"}
id1-->|Yes|id2
id1-->|No|id3
id4("Is there an open issue for this?")
id5{"Mark as
#quot;Already Rectified#quot;"}
id2-->|No|id4
id2-->|Yes|id5
id6{"Open a new issue explaining
the problem and referencing
the feedback from CASA.
Mark as issue opened
and add reference."}
id7{"Mark as
#quot;Issue exists#quot;
and add reference."}
id4-->|No|id6
id4-->|Yes|id7
```
This makes sense and is way better than the email rendering of the GitHub notification, haha. Give me a few weeks to comb over them, and can you please assign this task to me?
Will do, I mostly created that flowchart to see if it would work, looking forward to getting more use out of it 🤣🤣🤣
BTW @csfreak92, please try and keep the OAuth PR #1494 moving as a higher priority than this, I'd really like to get those new requirements integrated in :)
I started looking at the CASA feedback. I am having a field day so far. I think Elar is correct; similarly I have strong opposition to many of their comments, but let me get through my workflow and provide a shared spreadsheet here for the WG and community to review once I am done.
Halfway done with the CASA feedback comments. I will start creating Github issues as soon as I finish them. For now, I would hold that off so that we don't add more issues that could hinder ASVS 5.0 release.
I just finished reviewing all CASA comments. I will be cleaning up the spreadsheet and then sharing it with the team early next week.
Did you share this? Not sure if I missed it or not?
I shared it over email with the WG. I haven't opened any issues yet, as I was warned a lot were duplicates of the open issues. Maybe later we can start combing through them.
We had an Excel file with this; we will probably get into this when we have v5.0.