OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

v4 Feedback: 0x04-Assessment_and_Certification.md #273

Closed ossie-git closed 5 years ago

ossie-git commented 6 years ago

"Automated penetration tools are encouraged to provide as much as possible coverage and to exercise as many parameters as possible with many different forms of malicious inputs as possible." -> "The use of automated penetration testing tools is encouraged to provide as much coverage as possible."

"It is possible to perform a manual penetration test and verify all L1 issues without requiring access to source code, but this is not a leading practice" This isn't true. Even in the first main control (Authentication), a # of requirements require access to look at how secret management is done, verifier implementation (hashing, etc.) and so on.

"L2 requires at least some access to developers, documentation, code, and authenticated access to the system" -> What is meant by authenticated access to the system as it is not clear?

TOGAF isn't a security architecture framework, but SABSA is. From what I remember, TOGAF points users to SABSA for security-related architectural design.

danielcuthbert commented 5 years ago

Reworded a lot of this based on your comments @ossie-git, ta for that.