Closed cmlh closed 4 weeks ago
I can't locate the associated control within ISO 27002:2022 and the commit was made by @vanderaj.
So I think that given we no longer mandate this anyway, I am not super worried about an updated reference.
In general, I think figuring out how to comply with other regulation is not really in scope for ASVS and certainly not a key goal for 5.0.
In 5.0, I am expecting we will need to trim down this text as much as possible anyway.
Closing as I don't think we will take action on this
Can @tghosth provide the context of this decision, as it can be fixed with a Pull Request?
Highly likely that this sentence will be removed in 5.0 anyway
I am reopening this and marking it to be considered when we create the actual 5.0 draft.
@cmlh Related discussion: #2101
"1.6 Compliance" of MVSP mandates
* Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18
The parent of all MVSP issues is #1151.
V3.7 Defenses Against Session Management Exploits states "Previously, based on ISO 27002 requirements, the ASVS has required blocking multiple simultaneous sessions. Blocking simultaneous sessions is no longer appropriate, ...".
ISO 27002 was updated during 2022 and therefore this statement in ASVS should reflect the latest release of ISO 27002.
I don't know if this is reflected in the latest ISO 27002 or not, as I don't have it at hand at the moment.
This issue should also be reconsidered when undertaking QA of each future release of ASVS.