Consider Adding Checks for Privacy Preserving Schemas in ASVS about asvs HOT 17 CLOSED

We have requirements like:

Change my mind that all those regulations and directives are not covered by those. Whatever regulation or directive applies to you, you need to make your security analysis and requirements based on that.

from asvs.

Are you suggesting that in ASVS we specifically mandate that applications must use privacy preserving encryption, because that seems a little extreme... It's quite a major thing to require them to do, complex to implement (would probably require a vendor/appliance) and might not be relevant or possible in all scenarios...

from asvs.

Thank you for highlighting the nature of ASVS items as requirements. Reflecting on your feedback, I propose an alternative approach:

Considering that the ASVS predominantly consists of requirements, one approach could be to introduce a specialized category or an appendix dedicated to advanced privacy-preserving techniques. This section would focus on emerging and sophisticated data protection methods suitable for high-risk scenarios or sectors where data privacy is of utmost importance, such as healthcare, finance, or governmental applications. In this specialized section, the recommendations for privacy-preserving techniques like homomorphic encryption, Zero-Knowledge Proofs, or differential privacy could be framed as context-specific requirements. They would apply to applications where the nature of data and operations demands an exceptionally high level of privacy protection, thus making such advanced measures necessary rather than optional.

from asvs.

So getting this specific and specialized sounds more like a cheat sheet than an ASVS section, do you think this would be a useful addition to the cheat sheets project?

from asvs.

from asvs.

I don't know the topic content, so I just share abstract ideas or thoughts from ASVS structure point of view.

To the ASVS we can put things when we can require it (just recommending is not enough) - always and for everyone the same way, or if there are different solutions available to achieve the same effect, then it must be taken account.

I'm not fan of the appendix idea. We just trying to get ride of one. ASVS should mostly contain requirements.

Separate section we can do if all those requirements belong by content to the same criteria and there are enough of them to be worth of separate section. In general we have "level 3" for specialized requirements and we can add requirements to suitable section.

from asvs.

but PET’s are super critical to the future.

I am on the same page and I believe we should have a place for PET in the ASVS.

from asvs.

but PET’s are super critical to the future.

I am on the same page and I believe we should have a place for PET in the ASVS.

I agree. This is a challenging requirement because there are so many options. Perhaps for ASVS an ASVS 3 requirement that says something to the effect of:

"Apply one or more privacy engineering technique such as:

• Data Minimization and Anonymization
• Secure Multi-party Computation (MPC)
• Cryptography Protection
• Zero-Knowledge Proofs (ZKP)
• Federated Learning and Analysis:
• Trusted Execution Environments (TEE)
• Consent Management
• Privacy-Preserving Data Discovery and Sharing"

from asvs.

@jmanico do you not think this is a better candidate for a cheat sheet rather than an ASVS item?

from asvs.

from asvs.

from asvs.

Maybe the outcome here could be explaining section to the document, how to combine ASVS with regulations.

from asvs.

Can we mention PET in 1.8.2?

from asvs.

What do we think about #1784?

from asvs.

In general I prefer to have proposals in the issue.

from asvs.

In general I prefer to have proposals in the issue.

This was a small item and I am trying to drive us forward faster :)

from asvs.

Im ok to drop this for now.

from asvs.