insidesecurity-yhojann-aguilera closed this 1 month ago
I think you are talking about "service authentication", see https://github.com/OWASP/ASVS/blob/master/5.0/en/0x11-V2-Authentication.md#v210-service-authentication
There is also one separate issue where it is discussed: https://github.com/OWASP/ASVS/issues/2072#issuecomment-2366836867
I agree that this section is better suited to configuration, or should just be separate from the user authentication requirements - but there can also be overlap, and splitting them is not that brain-free a choice.
Note on CWE: Previously we had a one-to-one mapping between ASVS and CWE, but it does not work well and it is complicated to maintain. In the future the mapping will be dropped and will rely on a separate project, see https://github.com/OWASP/ASVS/issues/1481
I know there is a section that talks exclusively about user password management, but secrets are not always associated with passwords. For example, in the configuration section there is no section that talks about avoiding the use of passwords or JWT tokens in plain text in settings files. Perhaps it could be mentioned in data protection, but I think it would be redundant with the access section.
For this reason I think secret management should have its own section.
Strictly speaking, I needed to relate some CWEs to ASVS, but not all of them have an equivalent. If CWE is aimed at classifying web application risks, then ASVS should in the future be able to cover all identifiers, thus becoming an extension of the descriptions and recommendations of CWE itself.