Comments (10)
tghosth
commented on June 27, 2024
I still don't like this. I think it is too specific and for logging we need to focus on principles rather than specific events. I would happily just drop this requirement.
I also think we need to better differentiate between regular logging (which might be a short term thing) and security audit logs which may need to be longer term (e.g. account details change history).
from asvs.
elarlang
commented on June 27, 2024
My proposal was to make it more abstract.
Anyway, waiting outcome from #1795 (comment)
from asvs.
jmanico
commented on June 27, 2024
Elar. As mentioned in #1795 (comment) I think it's fair to see security logging as a lower priority in the interest of getting 5.0 live.
Perhaps a more general requirement "do security logging on ASVS requirements that fail" or similar is the right way to go for 5.0.
from asvs.
tghosth
commented on June 27, 2024
This should be removed once #1944 is merged. The original requirement should be tagged as merged into 7.2.3.
Additional events added to the logging cheatsheet here: OWASP/CheatSheetSeries#1394
from asvs.
tghosth
commented on June 27, 2024
@set-reminder in 1 week @tghosth to address once #1944 is merged
from asvs.
octo-reminder
commented on June 27, 2024
⏰ Reminder
Thursday, May 9, 2024 12:00 AM (GMT+02:00)
from asvs.
tghosth
commented on June 27, 2024
@elarlang actually I see this as slightly different case to 7.2.3.
7.2.3 is deliberate bypass attempts. 7.2.6 is general security control failures, might not be malicious. I would therefore keep them separate.
Opened #1947
What do you think?
from asvs.
elarlang
commented on June 27, 2024
I can understand the difference, but I'm concerned, is it also understandable when just reading the requirements.
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 7.2.3 | [MODIFIED, MOVED FROM 7.1.3] Verify that the application logs attempts to bypass the security controls defined in the design documentation such as input validation. | ✓ | ✓ | 778 | |
| 7.2.6 | [MOVED FROM 9.2.5] Verify that the application logs security control failures such as backend TLS failures. | ✓ | 778 |
I don't have any recommendations, accepting PR.
from asvs.
tghosth
commented on June 27, 2024
Let's leave it for now and see if anyone complains during the draft :)
from asvs.
octo-reminder
commented on June 27, 2024
from asvs.
Related Issues (20)
- Proposal: the application must belong/covered to the HSTS preload list (probably level 3) HOT 43
- Do we want V7.4 to get moved to V10? HOT 3
- Minor V7 changes HOT 2
- Italian Translation HOT 1
- V11 rework by @jmanico HOT 16
- update 50.2.1 (v4.0.3-14.4.3) and/or split requirement for content-security-policy HOT 13
- move or merge 8.3.5 to V7 HOT 3
- URL Safety HOT 23
- proposal/discussion: OAuth - disallow web application to be OAuth public client (and to have direct communication with OAuth token endpoint)
- proposal/discussion: OAuth - (for 1st party usage) only used (by the client) communication options must be allowed by authorization server HOT 3
- proposal/discussion: OAuth - separate requirement for redirect_uri string-match registration and handling HOT 6
- discussion: OAuth - using OAuth just for authentication HOT 4
- proposal/discussion: JWT - 3.5.6 add "type", and rephrase it to describe the goal HOT 6
- proposal/discussion: OAuth: requirement for refresh_token lifetime
- V51: Additional OAuth/OIDC proposals HOT 6
- discussion OAuth/OIDC: accepted flows and grants HOT 6
- 4.3.1 and 4.3.3 HOT 6
- Password Storage Algorithms 2.4.1 revisited HOT 3
- Make 2.1.14 easier and more simplified HOT 7
- Implement Requirement for Anomalous Behavior Detection HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.