Elar Lang
> Sorry, I did not know it was on your list already :) . I tried my best to search whether the issue was reported already but could not...
Logging and level 1 - by the current description (see https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md), level 1 is not the case for logging-related requirements, as those require access to logs.
And on this topic there is discussion in https://github.com/OWASP/ASVS/issues/956
The starting point here is - how do we cover "all security events that must be logged" without listing them.
> May I suggest we take the OWASP logging vocabulary cheat sheet and build a separate logging standard for logging events? https://cheatsheetseries.owasp.org/cheatsheets/Logging_Vocabulary_Cheat_Sheet.html this is something to do, but do not...
* 11.1.3 - limits for user
* 11.1.5 - limits for application
8.1.4 (see also https://github.com/OWASP/ASVS/issues/1272) and 11.2.2 are anti-automation requirements, 11.1.3 and 11.1.5 are business logic limits. Example of limits:
* 11.1.3 user can put to shopping cart only X amount...
It's more a question of whether we want to keep separate requirements for separate test-cases (per user and per application), or whether we merge them into one requirement. From reporting point of...
To make it clear that those are separate problems and both need attention, I keep my opinion and recommendation to have them separately. We have "Verification Standard" and we should...
I copy-paste [my opinion](https://app.slack.com/client/T04T40NHX/C06MNF14M/thread/C06MNF14M-1620288971.020800) (2021-05-06) from the ASVS slack channel.
Picking some phrases from https://github.com/OWASP/ASVS/blob/master/4.0/en/0x10-V1-Architecture.md
> "Architecture is not an implementation, but a way of thinking about a problem"
From this...