Christian Heinrich

Results 61 comments of Christian Heinrich

If I were still performing https://www.cyber.gov.au/acsc/view-all-content/programs/australian-information-security-evaluation-program, which is what Mike Boberski based the ASVS ToV on (i.e. Common Criteria), then I'd inspect https://github.com/OWASP/Software-Component-Verification-Standard in addition to https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md#v142-dependency I'll raise a...

Should "_sensitive_" be inserted into [ASVS Level 1](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md#level-1---first-steps-automated-or-whole-of-portfolio-view) to mirror the use of the term "_sensitive_" within the description of [ASVS Level 2](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md#level-2---most-applications)?

> I think the levels should be RISK-BASED and absolutely not TESTABILITY BASED I'd like to revert to the level of effort of ASVS v1/2009 to align with [Common Criteria](https://www.commoncriteriaportal.org/)...

@Sjord > I don't think it is super-important that security.txt adheres to the RFC, but it would be informative to reference the RFC in the requirement. Refer to https://github.com/OWASP/wstg/pull/946#issuecomment-1168764635

@Sjord > So what is the status of this issue? Can it be closed? I need approval to submit the Pull Request as "1.1.8 [MODIFIED] Verify that .well-known/security.txt adheres to...

An example of where support has to be given to the widest range of older web browser releases is when the public have to browse emergency warnings, etc., yet this web...

> But before we go there, my question is still - is it technically doable (with reasonable effort) without having detailed user-agent information? Yes, as the web application is relying...

> I asked the head of the W3C security group here. https://twitter.com/manicode/status/1432727817167331329?s=21 To understand how to reliably detect browser type. ![image](https://user-images.githubusercontent.com/136826/131588730-d1e6ee70-73e9-4403-ba77-21733a3e3119.png) Also of note is "_The header, however, is likely...

Also occurs on Kali Linux 2.0 VM with the 2.4.2 upstream release. Is zaproxy/zaproxy#1650 a duplicate of this issue?

[_Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is...