OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

v4 Feedback: 0x10-V1-Architecture.md #274

Closed ossie-git closed 5 years ago

ossie-git commented 5 years ago

"Since single page applications and act as clients to remote API or services" -> "Since single page applications act as clients to remote API or services"

"For more information, see also:

For more information, please see:" -> you only need one of these

Previous issues pending :) - https://github.com/OWASP/ASVS/issues/143

vanderaj commented 5 years ago

This entire section needs a solid rewrite. I would love to get folks who are into enterprise application architecture to assist us with a requirements gathering session. Let me reach out on Twitter and see if I can find folks - let me know if you would like to participate as I think a complete re-do here would be the best outcome.

vanderaj commented 5 years ago

I've reached out to Twitter to obtain help from enterprise and app architects. The first step will be to gather requirements; probably need to run a few sessions in different time zones, and then to filter to the minimum requirements. I am hoping we can gain a common understanding of application security architecture.

jmanico commented 5 years ago

Additional comments on this from @vanderaj

I left this for last as I think this section is the most ambiguous. I understand the intention of the section, but I think it is laid out in a somewhat indirect/confusing manner.

There is no clear separation between components and libraries that are part of the application and those that are not part of the application (would the database be considered part of it or is this an external service relied on by the application, would Angular JS as a framework, etc.) and it is not clarified in the definitions section. This would make some requirements ambiguous and more difficult for someone doing ASVS verification to verify.

1.1 - defining what application components are used would make this task easier; you probably won't fulfill this requirement without fulfilling 1.3 as well. Also, are things such as interfaces / APIs included? They should be, but it is unclear from the wording.

1.3 - this should be applicable to all, including L1. It is difficult to get 1.1 right for L1 without this. Also, how high is high? Are you looking just for blocks (web application, backend, etc) or is there some type of DFD diagramming?

1.4 - I would think that this would be applicable to L2 applications as well

1.5 - I would think that this would be applicable to L2 applications as well

1.8 - this requirement is unclear without defining what components are. I'm guessing that these are just major components (web server, application server, database, etc.), but this is unclear. Would you have to segregate micro-services?

1.11 - I am unsure as to why this wasn't an L1 requirement as well. There are more stringent L1 requirements in the standard. Also, this would mean that an L1 application could fail the OWASP Top 10 (A9-Using Components with Known Vulnerabilities) although ASVS is meant as a superset of requirements which is strange.

I think extracting the threat modeling and the data flow diagramming into different requirements would be beneficial, as a high-level DFD would probably be necessary to get 1.1 down for any reasonably complex application.

Finally, I think that mentioning the components needed by the application is a little more straightforward for thick client applications (such as what Microsoft's Attack Surface Analyzer does), unless you are referring more specifically to interfaces used + functionality (if the developer is using web frameworks that provide functionality for parts of the application). In either case, an application would need a deeper analysis than the one highlighted in 1.1 and even 1.3 to be able to properly fulfill 1.1 with its current wording.

tghosth commented 5 years ago

Hi @ossie-git, did you ever get a chance to rework this?

vanderaj commented 5 years ago

I'm working on this right now. There will be an update shortly whilst I gather architectural issues from the other chapters for de-dupe purposes. Need to do that for renumbering.

jmanico commented 5 years ago

I'm around; if you want a review or other help, let me know.