Christian Heinrich
Can we extend the verification to Certificate Authorities similar to the process undertaken by https://www.dta.gov.au/our-projects/digital-identity/gatekeeper-public-key-infrastructure-framework and https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#14-obtain-certificates-from-a-reliable-ca too?
Any chance of creating a milestone to track @jmanico https://mvsp.dev/ and https://github.com/OWASP/ASVS/issues/1039, https://github.com/OWASP/ASVS/issues/317, [PA-DSS](https://github.com/OWASP/ASVS/issues/1127#issuecomment-968157979) and others?
@elarlang states:
> I would like to have a separate and clear requirement for checking that sensitive data is not sent to 3rd (or, in general, untrusted) parties, like Google Analytics...
> ... and in general, it's quite interesting to read these kinds of statements. In ASVS we have requirements (see 6.1.*) to encrypt sensitive data to better protect it, but...
I'd support this with the wording that verification is to a point in time. Issue https://github.com/OWASP/ASVS/issues/1108 is related.
I propose the following change: 1. Split [14.1.1](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x22-V14-Config.md#v141-build-and-deploy) into a new requirement that restricts ephemeral hosts to Level 1 and that verification is up until a point in time. 1....
I proposed Level 1 for ephemeral hosts as they represent a less mature CI pipeline. I've edited https://github.com/OWASP/ASVS/issues/1315#issuecomment-1186051905 to represent a single change of [14.1.1](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x22-V14-Config.md#v141-build-and-deploy).
A majority of my supply chain attacks rely upon ephemeral infrastructure. The agenda of DevOps is to promote ephemeral CI as more mature. Therefore, https://github.com/OWASP/ASVS/issues/1315#issuecomment-1186051905 could be reworded so that...
I was also thinking this issue may be more related to the ["Build Environments" section of the Software Component Verification Standard (SCVS)](https://owasp-scvs.gitbook.io/scvs/v3-build-environment). Do you mind if I raise this issue...
Should we consider deprecating [14.1.1](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x22-V14-Config.md#v141-build-and-deploy) so there is no duplication with [SCVS](https://owasp-scvs.gitbook.io/scvs/v3-build-environment)? [Build - Ephemeral](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment) is defined as SLSA 3 and SLSA 4.