OWASP / IoT-Security-Verification-Standard-ISVS

OWASP IoT Security Verification Standard (ISVS)

2.2.1 and 2.3.1 are redundant #44

Closed scradster closed 3 years ago

scradster commented 3 years ago

https://github.com/OWASP/IoT-Security-Verification-Standard-ISVS/blame/4582968e2b0323a02cfba36b9d32584d4eb0489a/en/V2-User_Space_Application_Requirements.md#L31

https://github.com/OWASP/IoT-Security-Verification-Standard-ISVS/blame/4582968e2b0323a02cfba36b9d32584d4eb0489a/en/V2-User_Space_Application_Requirements.md#L42

Both require almost the same thing (2.3.1 is missing API keys as an example).

Would suggest removing 2.2.1 and adding API keys to 2.3.1, since this requirement better fits Data Protection than Authorization.

scriptingxss commented 3 years ago

Great catch! We will remove 2.2.1 and modify 2.3.1 with the following:

Verify that sensitive information such as personally identifiable information (PII) and user account credentials is stored securely using strong encryption to protect from data leakage and integrity checking to protect against unauthorized modification.
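As an added example (not part of this issue thread or of the ISVS project's own code), the Go program below shows what the proposed 2.3.1 wording asks of a user-space application in practice: a stored secret (an API key here) is protected with an AEAD cipher, so confidentiality and integrity come from the same primitive, and the record identifier is bound as associated data so that a record copied under another identity is also rejected. The key, the record identifier and the secret value are all constructed for the demo; in a real device the key would be provisioned from a hardware-backed key store rather than appear in the binary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM instance from a 32-byte key.
// AES-GCM provides both encryption (data leakage) and an authentication tag
// (unauthorized modification), which is what the requirement text combines.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("storage key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext under key and binds it to recordID as
// associated data. The stored blob layout is: nonce || ciphertext || tag.
// A fresh random 96-bit nonce is drawn per record; with random nonces a single
// key must not be used for an enormous number of seals, so rotate keys in practice.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, ciphertext, tag or
// the recordID supplied by the caller makes the tag check fail and no
// plaintext is released, which is the "integrity checking" half of 2.3.1.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("stored record too short to be valid")
	}
	nonce, ct := blob[:ns], blob[ns:]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("record %q failed integrity check: %w", recordID, err)
	}
	return pt, nil
}

func main() {
	// Constructed demo key: a real device would fetch this from a secure element
	// or OS keystore, never from a constant in the firmware.
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	const recordID = "user:42/api_key" // constructed identifier
	blob, err := SealRecord(key, recordID, []byte("sk_constructed_demo_value"))
	if err != nil {
		panic(err)
	}
	if pt, err := OpenRecord(key, recordID, blob); err == nil {
		fmt.Printf("round trip ok: %s\n", pt)
	}
	// Simulate an attacker flipping one bit in the stored file.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecord(key, recordID, tampered); err != nil {
		fmt.Println("tampering detected:", err)
	}
}
```

The design choice worth noting is the associated data: encrypting the value alone would already detect bit flips, but binding the record identifier into the tag additionally rejects a valid ciphertext that has been moved from one user's record to another, which is an "unauthorized modification" that plain encryption plus a separate checksum would miss.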

scriptingxss commented 3 years ago

@scradster would you mind submitting a pull request for this? Removing 2.2.1 and modifying 2.3.1. Thanks!