Comments (17)
We have requirements like:
# | Description | L1 | L2 | L3 | CWE
---|---|---|---|---|---
1.5.1 | Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance. | | ✓ | ✓ | 1029
1.8.1 | [MODIFIED, MERGED FROM 8.3.4, LEVEL L2 > L1] Verify that all sensitive data created and processed by the application has been identified and classified into protection levels, and ensure that a policy is in place on how to deal with sensitive data. | ✓ | ✓ | ✓ | 213
1.8.2 | Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture. | | ✓ | ✓ |
Change my mind that all those regulations and directives are not covered by those. Whatever regulation or directive applies to you, you need to make your security analysis and requirements based on that.
Are you suggesting that in ASVS we specifically mandate that applications must use privacy preserving encryption, because that seems a little extreme... It's quite a major thing to require them to do, complex to implement (would probably require a vendor/appliance) and might not be relevant or possible in all scenarios...
Thank you for highlighting the nature of ASVS items as requirements. Reflecting on your feedback, I propose an alternative approach:
Considering that the ASVS predominantly consists of requirements, one approach could be to introduce a specialized category or an appendix dedicated to advanced privacy-preserving techniques. This section would focus on emerging and sophisticated data protection methods suitable for high-risk scenarios or sectors where data privacy is of utmost importance, such as healthcare, finance, or governmental applications. In this specialized section, the recommendations for privacy-preserving techniques like homomorphic encryption, Zero-Knowledge Proofs, or differential privacy could be framed as context-specific requirements. They would apply to applications where the nature of data and operations demands an exceptionally high level of privacy protection, thus making such advanced measures necessary rather than optional.
So getting this specific and specialized sounds more like a cheat sheet than an ASVS section, do you think this would be a useful addition to the cheat sheets project?
I don't know the topic content, so I just share abstract ideas or thoughts from ASVS structure point of view.
We can put things into the ASVS when we can require them (just recommending is not enough): always and for everyone in the same way, or, if there are different solutions available to achieve the same effect, then that must be taken into account.
I'm not a fan of the appendix idea. We are just trying to get rid of one. ASVS should mostly contain requirements.
We can do a separate section if all those requirements belong by content to the same criteria and there are enough of them to be worth a separate section. In general we have "level 3" for specialized requirements and we can add requirements to a suitable section.
> but PET’s are super critical to the future.
I am on the same page and I believe we should have a place for PET in the ASVS.

> but PET’s are super critical to the future.
> I am on the same page and I believe we should have a place for PET in the ASVS.
I agree. This is a challenging requirement because there are so many options. Perhaps for ASVS an ASVS 3 requirement that says something to the effect of:
"Apply one or more privacy engineering technique such as:
- Data Minimization and Anonymization
- Secure Multi-party Computation (MPC)
- Cryptography Protection
- Zero-Knowledge Proofs (ZKP)
- Federated Learning and Analysis
- Trusted Execution Environments (TEE)
- Consent Management
- Privacy-Preserving Data Discovery and Sharing"
@jmanico do you not think this is a better candidate for a cheat sheet rather than an ASVS item?
Maybe the outcome here could be an explanatory section in the document on how to combine ASVS with regulations.
Can we mention PET in 1.8.2?
What do we think about #1784?
In general I prefer to have proposals in the issue.

> In general I prefer to have proposals in the issue.
This was a small item and I am trying to drive us forward faster :)

I'm ok to drop this for now.