Verify that if binaries are delivered to untrusted devices, ensure that a secure automatic updating mechanism is present in the architecture which ensures that only signed binaries are downloaded from trusted sites over a secure connection.
Verify that if binaries are delivered to untrusted devices, ensure that a secure automatic updating mechanism is present in the architecture that ensures only signed binaries are downloaded from trusted sites over a secure connection.
I agree with this stance. If we are talking about Electron-based apps (JavaScript) then we could support it but then it becomes a slippery slope. I can't see this working out the way many would like it to.
History
Looks like 1.10 was added here as part of a larger re-write: https://github.com/OWASP/ASVS/commit/2e5616340ef2c9eb8c8895721f944398850508b9
Background to non-web requirements
In previous discussion of what is in scope for ASVS in #803:
@jmanico wrote here.
@danielcuthbert wrote just below that.
Proposal
This requirement has been through a journey but it feels like it is not very relevant to web apps. It sounds very connected to desktop apps and therefore not in scope.
I propose deleting the requirement.