Comments (6)
Thanks for these. I'll incorporate all of these and publish a new version.
from asvs.
PIE is not necessarily a security control. Exploits need to be PIE to run, but that doesn't mean that PIE code will not be linked and loaded at the same specific address each time. Can you nominate a use case for PIE that enables more security?
from asvs.
I'm parroting what I have read, my knowledge of binary app security is limited. According to The Mobile Application Hacker's Handbook, page 56:
PIE allows an (iOS) application to take full advantage of ASLR.
An application compiled without PIE loads the executable at a fixed address.
Some other iOS app security measures recommended by the book:
Stack-Smashing Protection
Automatic Reference Counting (ARC)
^ Not sure if these are also worth considering
from asvs.
In other news, all but two of your QA notes were acted upon and are now in the repo. Check out the new version.
from asvs.
I'm going to assume all is good with this now. Pushing on to clear this queue and get 3.0 ready for release shortly. If there's anything glaringly still open, please log a new ticket and ill sort.
from asvs.
Just checked, all good! Thanks!
from asvs.
Related Issues (20)
- 1.7.1 - do we need to require common logging format? HOT 6
- Section and requirement relevance questions HOT 2
- Consideration for HTTP/3 Security HOT 6
- Suggestion for Reconsideration of ASVS Requirement 8.3.1 Classification HOT 6
- Opportunistic Session Termination HOT 20
- recommendations chapter HOT 3
- Require case-sensitive password matching? HOT 11
- 14.4 section (HTTP Security Headers) rename / find better category-section for "content-type" requirements. HOT 2
- proposal: new requirement for disallowing search engines to crawl and index the content HOT 8
- 2.2.2 and 2.7.1 are duplicates HOT 2
- 2.7.5 is a security problem and weakness HOT 8
- 2.7.6 and 2.7.7 are in conflict HOT 6
- discussion/proposal: disallow user-autologin to an application using SSO sessions HOT 3
- Inclusion of Cypher Injection Prevention for Neo4j in ASVS 5.3.4 HOT 2
- Add requirement about usage of claims other than subject and issuer as an identifier for OpenID Connect HOT 21
- [ASVS 5.0] Fix typos, punctuation, grammar, and standardize spelling to US English HOT 3
- Fingerprinting devices/matching sessions to a device. HOT 9
- `tlmgr` sometimes fails to update
- Most recent artifacts HOT 3
- Warnings on github actions HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.