Josh Grossman
@randomstuff can you PR into a new section in V2 called Federated Authentication
Comments: * I think that 1.6.1 is a classic documentation requirement but might need rewording. * The rest of 1.6 will need to be merged into V6 when we have...
So we currently have two proposals. I prefer @EnigmaRosa's requirement above https://github.com/OWASP/ASVS/issues/2059#issue-2506424424, because it is more outcomes focused than implementation focused. However, I think we do also need to address...
> This is a quite weird requirement by wording - "You must do it immediately, ... or a bit later is also ok." I can accept that, on the other...
Updated proposal. I have made this Level 2 and have reworded to try and focus on the problem. @elarlang is ok with it. What do you think @jmanico @EnigmaRosa? |...
@elarlang > The requirement here should only be about V4 authorization. One thing per requirement. Are you talking about "_If updates exceed a few minutes, implement monitoring and alerts to...
> I feel like the "as quickly as possible" language is going to be a problem. I understand why we select that phrase, I'm just concerned users will have issues...
Feels like we are back to my previous proposal: https://github.com/OWASP/ASVS/issues/2059#issuecomment-2428720713 This proposal provides some practical bounds for what "as fast as possible" means as well as a practical mitigation. I...
Good point about information leakage. Comparing "as fast as possible. Where this is longer than a few minutes," and "are effective immediately. There can be a maximum few minutes for...
> It's too much to say that I prefer my wording, it's just different, and the reason for not using "fast as possible" is that it is relative depending on...