Ryan Armstrong

Results 39 comments of Ryan Armstrong

Starting with a recommendation for 3.3.2 in #2113.

@elarlang I agree and #1790 is on my TODO list, but I want to have defined terminology first. The pattern is common enough that it is worth acknowledging, no?

@elarlang As far as terminology, what do you think about adopting "Stateless Session Mechanism" as above?

I think the ASVS can definitely set out requirements independent of the stateful vs. stateless debate and this is generally the direction that I personally would *prefer* V3 to go...

@tghosth I'll drop that idea for now and suggest instead an update on V1.3 proposal text (#2103) to address mechanism pattern decisions.

Returning to the terminology, I would like to suggest the addition of the following items to Appendix A:

- **Absolute Maximum Session Lifetime** - Also referred to as "Overall Timeout"...

@randomstuff >Is our wording better than NIST's? Should we align with NIST? I quite like how "overall timeout" is consistent with "inactivity timeout". Sorry, this was from another issue. Please...

@tghosth PR opened. There is nothing more for now, but I think terminology (both definitions used and how they are referenced throughout) may be worth returning to again later.

Can I suggest: _Verify that all data is validated according to the rules applicable to each individual data item and that sets of related data items meet the logical and...