OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

7.11 - broad scope. This is a recommendation, not a control. Perhaps remove. #189

Closed Sergicles closed 5 years ago

Sergicles commented 7 years ago

> Verify that all consumers of cryptographic services do not have direct access to key material. Isolate cryptographic processes, including master secrets and consider the use of a virtualized or physical hardware key vault (HSM).

"Verify that all consumers of cryptographic services do not have direct access to key material." Web/application servers will have access unless an HSM is used.

"consider the use of a virtualized or physical hardware key vault (HSM)" This is a recommendation, not a control, and should be removed from the standard (i.e. from the controls).

I think this control should be reconsidered or removed. It is on the right track, but it asks for something that is organisationally much broader than the perceived scope of ASVS.

vanderaj commented 6 years ago

@jmanico and I talked about this yesterday, and we both agreed it's way too hard to do. HSMs are going to go away, and we really want to push this down to operating systems that have key chain/secure zone/Amazon KMS, etc. Have a look at this, and see if it will work better:

| 7.11 | Verify that consumers of cryptographic services do not have direct access to key material, such as by using key vaults or API based alternatives. | | ✓ | ✓ | 3.1 |

jmanico commented 5 years ago

Like the direction. Made a small change.

| 7.11 | Verify that consumers of cryptographic services do not have direct access to key material by using key vaults or other key isolation alternatives. | | ✓ | ✓ | 4.0 |

I checked this change in per 7f15ddb510df670943ec7600b1cee1ef1a860460 and if you like it @vanderaj please close it out!
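The key-isolation pattern the revised 7.11 asks for, as an added example that is not part of the ASVS project or this thread: a vault object owns HMAC keys and exposes only sign, verify and rotate, while the consumer (a session-token issuer) never holds key bytes and keeps working across rotation. The class and function names, the in-process vault and the audit list are assumptions; in deployment the vault boundary is a separate process, OS keychain or KMS as described above.

```python
import hashlib
import hmac
import secrets


class KeyVault:
    """Service boundary that owns HMAC keys (constructed example).
    Callers get opaque key ids, version numbers and tags; no method returns key bytes."""

    def __init__(self):
        self._keys = {}     # key_id -> {version: key bytes}, private to the vault
        self._current = {}  # key_id -> version used for new signatures
        self.audit = []     # (caller, operation, key_id, version) for monitoring

    def create_key(self, key_id):
        self._keys[key_id] = {1: secrets.token_bytes(32)}
        self._current[key_id] = 1
        return key_id  # handle only, never the material

    def rotate(self, key_id):
        version = self._current[key_id] + 1
        self._keys[key_id][version] = secrets.token_bytes(32)
        self._current[key_id] = version  # older versions stay for verification
        return version

    def sign(self, caller, key_id, message):
        version = self._current[key_id]
        tag = hmac.new(self._keys[key_id][version], message, hashlib.sha256).digest()
        self.audit.append((caller, "sign", key_id, version))
        return version, tag

    def verify(self, caller, key_id, message, version, tag):
        self.audit.append((caller, "verify", key_id, version))
        key = self._keys[key_id].get(version)
        if key is None:
            return False  # unknown version: reject rather than guess
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


# Consumer side: issues and checks tokens through the vault API alone.
def issue_token(vault, user):
    version, tag = vault.sign("web-app", "session-key", user.encode())
    return f"{user}.{version}.{tag.hex()}"


def check_token(vault, token):
    try:
        user, version, tag_hex = token.rsplit(".", 2)
        tag = bytes.fromhex(tag_hex)
        ok = vault.verify("web-app", "session-key", user.encode(), int(version), tag)
    except ValueError:  # malformed token: wrong field count, version or hex
        return None
    return user if ok else None
```

Because the consumer only ever sees a version number and a tag, compromising the web tier exposes signing capability for as long as the vault is reachable, not the key itself, and the audit list is where that misuse becomes visible.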