
7.2 covering "Security Events"

Open elarlang opened this issue 2 years ago • 1 comments

Intro

The first steps of the V7 re-org are in progress. There have been discussions on covering security events in different issues; the main ones are:

  • https://github.com/OWASP/ASVS/issues/997
  • https://github.com/OWASP/ASVS/issues/1444

There are also some open issues related to security event logging:

  • https://github.com/OWASP/ASVS/issues/1626
  • https://github.com/OWASP/ASVS/issues/1622
  • https://github.com/OWASP/ASVS/issues/1577
  • https://github.com/OWASP/ASVS/issues/1445
  • https://github.com/OWASP/ASVS/issues/1272

Problem to solve

I think it does not make sense to list all the possible security events in ASVS. Every application has its own needs and for every application, the required list of security events must be analyzed and documented.

Related comments from other issues:

  • https://github.com/OWASP/ASVS/issues/997#issuecomment-842057635
  • https://github.com/OWASP/ASVS/issues/997#issuecomment-841866764

On the other hand - it would be nice to define the minimum list of events every application must log. It opens again discussion for every event - should it be in the "minimum list"?

So the challenge here is to find a suitable abstraction.

elarlang avatar Nov 26 '23 10:11 elarlang

Minimum list is hard, but perhaps all AuthN, AuthZ and input validation events?

jmanico avatar Nov 26 '23 17:11 jmanico

I think an expanded logging security section that includes events from the application security vocabulary cheatsheet is a good idea. If you agree team, I'll take this on.

https://cheatsheetseries.owasp.org/cheatsheets/Logging_Vocabulary_Cheat_Sheet.html

jmanico avatar Apr 02 '24 08:04 jmanico

We have had this discussion (https://github.com/OWASP/ASVS/issues/997#issuecomment-1103924784). We should not create too detailed requirements for logging, otherwise it is like a separate project inside ASVS and does not make sense.

In ASVS - all the security events must be analyzed and documented (documentation requirement as a precondition for implementation and testing).

At the moment, the idea is to not have more than 1 requirement "per type", e.g. one requirement for authentication, and one for authorization.

We need to fine-tune requirements to send the idea, not the long list of events as separate requirements.

Waiting for wordsmithing:

  • https://github.com/OWASP/ASVS/issues/1900
  • https://github.com/OWASP/ASVS/issues/1902

elarlang avatar Apr 02 '24 09:04 elarlang

One extreme end is to have one requirement per event, but this is like a separate standard for logging and we don't do this. We have an agreement on this.

Another extreme end is to have abstract requirements. The danger here is to be too abstract, so that it is not intuitive, understandable and testable - so it is "fix the logging" and it is losing its point to exist.

I would like to have something in the middle - one requirement per topic (authentication, authorization, input validation, connections...).

We need to have agreement on this as a precondition to develop other logging-related requirements.

elarlang avatar Apr 07 '24 14:04 elarlang
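To make the "one requirement per topic" idea concrete, here is an added illustration (not code from the ASVS project or from anyone in this thread) of how an application could log security events grouped by topic and then check that the agreed minimum topics are actually covered. The category names, the `MINIMUM_CATEGORIES` set (the AuthN/AuthZ/input-validation trio suggested above), and the record layout are this example's own assumptions, not ASVS wording or the cheat sheet's vocabulary.

```python
import json
import logging
from datetime import datetime, timezone
from enum import Enum
from typing import Optional

# Topics, one per category of security event. These names are this
# example's own assumption; ASVS does not prescribe them.
class Category(str, Enum):
    AUTHN = "authentication"
    AUTHZ = "authorization"
    INPUT_VALIDATION = "input_validation"
    SESSION = "session"
    CONNECTION = "connection"

# Hypothetical "minimum list" every application should at least log.
MINIMUM_CATEGORIES = {Category.AUTHN, Category.AUTHZ, Category.INPUT_VALIDATION}

logger = logging.getLogger("security_events")


def _sanitize(value):
    """Escape CR/LF so an attacker-controlled string (e.g. a username)
    cannot forge extra lines in a line-oriented log sink."""
    if isinstance(value, str):
        return value.replace("\r", "\\r").replace("\n", "\\n")
    return value


def security_event(category: Category, event: str, outcome: str,
                   user: Optional[str] = None, source_ip: Optional[str] = None,
                   **details) -> dict:
    """Build one structured security event, emit it as a single JSON line
    and return the record so callers (and tests) can inspect it."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "category": category.value,
        "event": event,
        "outcome": outcome,
        "user": _sanitize(user),
        "source_ip": source_ip,
        "details": {k: _sanitize(v) for k, v in details.items()},
    }
    logger.info(json.dumps(record, sort_keys=True))
    return record


def missing_minimum_categories(records) -> set:
    """Return the minimum-list categories for which no event was seen.
    Useful as a smoke test that the documented minimum is implemented."""
    seen = {r["category"] for r in records}
    return {c.value for c in MINIMUM_CATEGORIES} - seen


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    # Constructed sample events; the newline in the username shows the
    # log-injection defence in _sanitize.
    events = [
        security_event(Category.AUTHN, "login", "failure",
                       user="alice\nadmin login ok", source_ip="203.0.113.5",
                       reason="bad_password"),
        security_event(Category.INPUT_VALIDATION, "schema_check", "failure",
                       user="alice", field="email"),
    ]
    print(missing_minimum_categories(events))  # {'authorization'}
```

The point of `missing_minimum_categories` is that a per-topic requirement stays testable: a reviewer can enumerate the categories an application emits and compare them with the documented minimum, without ASVS having to list every individual event.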

Elar, I'd rather see more detailed logging requirements. But in the interest of getting 5.0 done - something needs to drop - and I think it's fair to see security logging as a lower priority.

jmanico avatar Apr 08 '24 12:04 jmanico

Following a lot of discussion, our approach is to create less and more abstract requirements with references to other resources such as the cheatsheets.

tghosth avatar May 02 '24 10:05 tghosth