search

OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International
2.61k stars 637 forks source link

2.4.1 should be required for L1 #1773

Open appills opened 8 months ago

appills commented 8 months ago

2.4.1

Application Security Verification Levels:

ASVS Level 1 is for low assurance levels, and is completely penetration testable.

Level 1 is the only level that is completely penetration testable using humans. All others require access to documentation, source code, configuration, and the people involved in the development process.

Insecure password storage or insecure credential handling can be tested by a human in at least one method, such as detecting non-timing-safe string comparisons. Secure password hashing is surely testable as a human from a black box and can be inferred to some extent based on response timing.

Using ASVS for Level 1 states:

An application achieves ASVS Level 1 if it adequately defends against application security vulnerabilities that are easy to discover, and included in the OWASP Top 10 and other similar checklists.

And insecure password hashing, storage, and non-timing-safe string comparisons surely fall under A02 Cryptographic Failures

elarlang commented 8 months ago

So you copy-paste selective texts from around documents, but not the one which is written to the mentioned section? :)

https://github.com/OWASP/ASVS/blob/master/5.0/en/0x11-V2-Authentication.md#v24-credential-storage

This section cannot be penetration tested, so controls are not marked as L1. However, this section is of vital importance to the security of credentials if they are stolen, so if forking the ASVS for an architecture or coding guideline or source code review checklist, please place these controls back to L1 in your private version.

Requirement itself: # Description L1 L2 L3 CWE NIST §
2.4.1 [MODIFIED] Verify that one of the following password hashing functions is used when storing the user's password for the application: argon2id, scrypt, bcrypt or PBKDF2. (C6) 916 5.1.1.2

In general I agree it should be level 1, but based on level description for ASVS v4.0.* it is defined as level 2 and the reason is also described in the section.

So at the moment I see it as duplicate of https://github.com/OWASP/ASVS/issues/1495

appills commented 8 months ago

So you copy-paste selective texts from around documents, but not the one which is written to the mentioned section? :)

Hehe good point, I should've copied the text from the section (& probably read that it states to "Verify", which of course there's probably someone out there doing 100k md5's and that might be timing-indistinguishable)

@Sjord brings up a valid point in that #1495 thread:

For me, the levels relate to the security requirements of your application. If you are building a nuclear missile launch system, you would comply to L3. If you are building a tic-tac-toe website, you would comply to L1.

I'll continue my separate thought over there, thank you!

elarlang commented 8 months ago

I don't close it at the moment, just marked it as "level question". If we can declare the levels on one nice day, we need to recheck those issues as well.