Comments (6)
tghosth
commented on August 22, 2024
1
I like the concept but I agree with Elar that this is out of scope for ASVS.
However, I think this might actually be a valid use of a top 10 project, the OWASP Top 10 emerging application security mechanisms or something. I don't usually like top 10s but since this is specifically for awareness, it might be a good fit :)
from asvs.
tghosth
commented on August 22, 2024
Ok, so my big problem with trusted types is that it is quite complicated to implement (especially retroactively) and it is only supported by Chromium and Opera but not Firefox and Safari.
https://caniuse.com/trusted-types
Santizer API seems like a more widely adopted process but it is still at the discussion stage (https://wicg.github.io/sanitizer-api/) and things are changing so much that Chromium has actually removed support from it until the API becomes more stable.
https://caniuse.com/?search=sanitizer
It is also solving a slightly different problem to trusted types.
In conclusion, I think that disappointingly these mechanisms are not mature enough to include in ASVS.
@jmanico what do you think?
from asvs.
jmanico
commented on August 22, 2024
I'm torn on this. Developers will mostly benefit from this being built
into frameworks. But it's also a very high end defense that is quite
powerful.
I tend to say yes, but can accept a no. I worry ASVS is getting too bulky.
from asvs.
elarlang
commented on August 22, 2024
So, yes it is useful, but...
First the thing what @tghosth already pointed out, that it lacks browser support at the moment.
Second - can / do we need to require it? The point is, you can write your code secure against so-called DOM XSS without using it.
Feels more something to be recommended, not required. Happy to change my mind with arguments why it should be required.
from asvs.
ImanSharaf
commented on August 22, 2024
@tghosth I believe that ASVS could still play a pivotal role in advocating for future-ready security measures. While Trusted Types and Sanitizer API are not widely adopted yet, their potential in enhancing web application security is considerable.
Suggested Approach
- Future Guidance: Perhaps ASVS could include a section on emerging security technologies like Trusted Types and Sanitizer API. This would not be a requirement but rather guidance for the future, helping organizations prepare for and gradually adopt these technologies as they mature and gain wider support.
- Awareness and Advocacy: By mentioning these technologies, ASVS can raise awareness and potentially influence broader adoption and faster maturity, as organizations and developers start considering and experimenting with these APIs.
- Differentiation of Standards: Clearly differentiate between current best practices and emerging technologies. This ensures that the ASVS remains practical and relevant, while also being forward-looking.
from asvs.
elarlang
commented on August 22, 2024
For me it feels cheat sheet material. ASVS is not an awareness project, there is top10 and cheat sheet projects for that.
As this discussion and quite different point of view what and why is ASVS is relatively frequent lately, we need to write it out somewhere.
from asvs.
Related Issues (20)
- discussion OAuth/OIDC: accepted flows and grants HOT 7
- 4.3.1 and 4.3.3 HOT 7
- Password Storage Algorithms 2.4.1 revisited HOT 3
- Make 2.1.14 easier and more simplified HOT 7
- Implement Requirement for Anomalous Behavior Detection HOT 4
- cloud config scanning HOT 1
- Link checker is temperamental and apparently deprecated HOT 2
- 5.5.4 should be removed as a duplicate of 5.2. HOT 1
- 5.3.4 should also mention stored procedures. HOT 2
- Do we need CSS to be mentioned in both 5.3.1 and 5.2.8. HOT 2
- Add HTML comments to 5.3.1
- Dynamically generated HTML HOT 11
- Proposal/discussion: OIDC nonce claim requirement HOT 1
- Proposal/discussion: OIDC requirement to ensure issuer URL == issuer claim HOT 2
- Proposal/discussion: OIDC requirement about ID token only being used to prove that the user has been authenticated HOT 7
- 5.6.2 Adding Server-side validation proposal HOT 12
- 7.1 Proposal for Masked Data Logging Need HOT 4
- 8.2.2 advice on sessionStorage breaks multi-tab web application use unlike cookies HOT 13
- Set Account Lockout ASVS Levels 1-3 Aligned to NIST, PCI-DSS, CIS et al
- CWE indicated in requirement 50.2.1 (previously v4.0.3-14.4.3) seems incorrect HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.