Sjoerd Langkemper

Results 204 comments of Sjoerd Langkemper

> are those part of the same application or are those separate applications.

What I think @tghosth was trying to say is that https://example.com/a and https://example.com/b are different applications, if...

> Verify that multiple, separate applications are not hosted on the same hostname.

I would say it the other way around:

> Verify that a hostname hosts only a single...

I think a requirement could be sufficiently clear without explicitly defining what an application is. I think it's sufficiently clear for most people what an application is, but defining it...

> Users are associated with a well-defined set of entitlements.

I think "privileges" is more clear than "entitlements". I think the original is also fine.

> Access control policy metadata...

> @Sjord, do you want to open a separate issues about 1.4.5 if it has not already been discussed in another issue?

I think this is up to @jmanico.

I think these are fine as separate requirements. An alternative would be to have a requirement like "Verify that session tokens are not accessible by JavaScript", but that is too...

I attempted to retrieve the history of this requirement, but it doesn't provide much more information:

* 0e0ca929649c414ed535855499ff4c4560ed200b Verify that intra-service secrets do not rely on unchanging passwords, such as...

> [2.2.3](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#:~:text=verify%20that%20secure%20notifications%20are%20sent%20to%20users%20after%20updates%20to%20authentication%20details%2C%20such%20as%20credential%20resets%2C%20email%20or%20address%20changes%2C%20logging%20in%20from%20unknown%20or%20risky%20locations.%20) Verify that secure notifications are sent to users after updates to authentication details, such as credential resets, email or address changes, logging in from unknown or risky locations....

I propose:

> 2.2.3: Verify that users are notified after updates to authentication details, such as credential resets, or modification of the username or email address.

I removed the requirement...