Elar Lang

Results 1052 comments of Elar Lang

Like I said, if it is related to messing with DNS, it's out of ASVS scope. And the proposals and descriptions are more related to 12.6.1, or are material for a new requirement....

> Configures the DNS of attacker.com to resolve to 192.168.1.123, routing the request to the server on the local network as the application server.

How can an attacker do that for...

And how did attacker.com get into the allow-listed domains?

> In my scenario, the attacker owns attacker.com, so they can just configure the DNS in the normal way anyway they...

If you allow every user to access whatever address, then it must be an accepted risk based on a business logic rule. How to make the potential impact lower for this kind...

Side note for @mjang-cobalt: when doing v5.0, most likely we will heavily change the structure, categories and subcategories, and therefore the current text will be changed as well. It's nice to make...

We are probably going to change V7 quite a lot. Before putting effort into it, it makes sense to wait for the outcome of https://github.com/OWASP/ASVS/issues/997

> ... that is known to be secure

> Verify that the application's authentication mechanism is well known and trusted or has undergone provable security testing.

We can also watch...

Arguments are provided in #570. There is no plan or point at the moment in covering it again with just slightly different wording. It came from NIST, but it is optional...

Can you convince me and everyone else why we need this requirement? What security problem does it solve that it needs to be present in ASVS? Also - "option to show...