Josh Grossman

Results 903 comments of Josh Grossman

This seems like a classic architecture-level control where the conceptual basis is included in 1.4.x but the practical requirements are included in 4.x. Do you disagree @elarlang ?

I think that 1.4.5 is not something you explicitly need to check in the code but rather describing a specific AuthZ paradigm so I think it is fine. What do...

I agree there should also be a specific requirement in 4.x

1.4.5, checking access control based on roles rather than permission attributes makes it more difficult to remove permissions from a role as the access control checking code is hardcoded to...
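
The role-versus-permission point in the comment above, as an added example that is not part of the original thread or of the ASVS project: the first check hardcodes role names into the authorization code, so dropping a permission from a role requires a code change; the second resolves the user's roles to permission attributes through a policy table and checks the attribute, so the same revocation is a data change. The `User` model, the `ROLE_PERMISSIONS` table and the `report:delete` permission name are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed user model for the example; a real system would load roles
# from the session or identity provider.
@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

# Constructed policy table: role -> set of permission attributes.
# This is data, not code, which is the whole point of the second check below.
ROLE_PERMISSIONS = {
    "admin": {"report:read", "report:delete", "user:manage"},
    "analyst": {"report:read", "report:delete"},
    "viewer": {"report:read"},
}


def can_delete_report_role_based(user):
    """Anti-pattern: the role names are hardcoded into the authorization check.

    To stop analysts deleting reports you must find and edit every call site
    like this one; the decision is not expressed as a permission at all.
    """
    return "admin" in user.roles or "analyst" in user.roles


def effective_permissions(user, role_permissions=ROLE_PERMISSIONS):
    """Resolve a user's roles to the union of their permission attributes."""
    perms = set()
    for role in user.roles:
        perms |= role_permissions.get(role, set())
    return perms


def has_permission(user, permission, role_permissions=ROLE_PERMISSIONS):
    """Permission-attribute check: the code asks for an attribute, not a role.

    Which roles carry the attribute is decided by the policy table, so the
    check does not change when the role-to-permission mapping changes.
    """
    return permission in effective_permissions(user, role_permissions)


def revoke_from_role(role, permission, role_permissions):
    """Return a new policy table with `permission` removed from `role`.

    Copies the table so the module-level default is not mutated in place.
    """
    updated = {r: set(p) for r, p in role_permissions.items()}
    updated.setdefault(role, set()).discard(permission)
    return updated


def demo():
    """Show the divergence after a revocation; returns both outcomes."""
    analyst = User("alice", frozenset({"analyst"}))
    before = (can_delete_report_role_based(analyst),
              has_permission(analyst, "report:delete"))
    # Policy change only: analysts may no longer delete reports.
    policy = revoke_from_role("analyst", "report:delete", ROLE_PERMISSIONS)
    after = (can_delete_report_role_based(analyst),
             has_permission(analyst, "report:delete", policy))
    return before, after


if __name__ == "__main__":
    print(demo())
```

After the revocation the role-based check still returns True for the analyst, because the role name is baked into the code path, while the permission-attribute check returns False with no code change; that is the maintenance and least-privilege cost the comment is pointing at.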

@elarlang any further comments?

@Sjord can you tell if the current requirement is ported from NIST?

In principle, I would prefer to be aligned with NIST in this case. For companies that violate the timeouts, I can think of three ways to handle this: 1) We...

> In principle, I would prefer to be aligned with NIST in this case. > > For companies that violate the timeouts, I can think of three ways to handle...

@jmanico are you able to draft the suggested text?

Seemed to be support for CSP staying as Level 1 in #1297 so I closed that but I think we still need to decide how we want it to read...