
Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

V1: Architecture, design and the threat modeling verification requirements comments / enhancements #143

Closed. vanderaj closed this 5 years ago.

vanderaj commented 7 years ago

I left this for last as I think this section is the most ambiguous. I understand the intention of the section, but I think it is laid out in a somewhat indirect/confusing manner.

There is no clear separation between components and libraries that are part of the application and those that are not part of the application (would the database be considered part of it, or is this an external service relied on by the application? would AngularJS as a framework be, etc.?), and it is not clarified in the definitions section. This would make some requirements ambiguous and more difficult for someone doing ASVS verification to verify.

1.1 - Defining what application components are used would make this task easier. You probably won't fulfill this requirement without fulfilling 1.3 as well. Also, are things such as interfaces / APIs included? They should be, but this is unclear from the wording.

1.3 - This should be applicable to all, including L1. It is difficult to get 1.1 right for L1 without this. Also, how high is high? Are you looking just for blocks (web application, backend, etc.) or is there some type of DFD diagramming?

1.4 - I would think that this would be applicable to L2 applications as well.

1.5 - I would think that this would be applicable to L2 applications as well.

1.8 - This requirement is unclear without defining what components are. I'm guessing that these are just major components (web server, application server, database, etc.), but this is unclear. Would you have to segregate micro-services?

1.11 - I am unsure as to why this wasn't an L1 requirement as well. There are more stringent L1 requirements in the standard. Also, this would mean that an L1 application could fail the OWASP Top 10 (A9 - Using Components with Known Vulnerabilities) although ASVS is meant as a superset of requirements, which is strange.

I think extracting the threat modeling and the data flow diagramming into different requirements would be beneficial, as a high-level DFD would probably be necessary to get 1.1 down for any reasonably complex application.

Finally, I think that the mention of components being needed by the application is a little more straightforward for thick client applications (such as what Microsoft's Attack Surface Analyzer does) unless you are referring more specifically to interfaces used + functionality (if the developer is using web frameworks that provide functionality for parts of the application). In either case, an application would need a deeper analysis than the one highlighted in 1.1 and even 1.3 to be able to properly fulfill 1.1 with its current wording.

ossie-git commented 6 years ago

I have about 10 - 15 issues open (they were sent by mail and added by @vanderaj). This is one of them. Should I add a comment in each of them so I am tagged when they are marked as resolved, to review the resolution?

jmanico commented 5 years ago

This is a pretty open ended bug. Can I get some help narrowing this down? @ossie-git do you want to take this one over and help redesign it?

ossie-git commented 5 years ago

I can take a shot at it, but probably in the 2nd week of November as I'm currently busy.

jmanico commented 5 years ago

This is a dupe of https://github.com/OWASP/ASVS/issues/274, merging content there.