Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

V1 - cleanup from implementation requirements #2137

Open
9 of 13 tasks
elarlang opened this issue Oct 10, 2024 · 1 comment
Open
9 of 13 tasks

V1 - cleanup from implementation requirements #2137

elarlang opened this issue Oct 10, 2024 · 1 comment
Assignees
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet josh/elar V1 _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@elarlang
Copy link
Collaborator

elarlang commented Oct 10, 2024

TLDR from #1063:

  • We have changed the scope and removed requirements that are not clear about the application, such as software lifecycle, code beauty, etc.
  • We collect documentation requirements into V1 that are preconditions for implementing or testing the application security

Only requirements that need to be moved away from V1 are listed here.


V1.1


V1.2 - only documentation requirements


V1.3 - nothing yet


V1.4

  • 1.4.4 - implementation requirement, or code beauty? Feels a bit duplicated discussion to V1.1.6 (About 1.1.6  #1434) Opened Is 1.4.4 a useful and verifiable requirement. #2147 to discuss as doesn't feel like a requirement.
    • Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.
  • 1.4.5 - 1.4.5 #1183
    • Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature or data item rather than just their role. Permissions should still be allocated using roles.

V1.5

V1.5.1 can be more clear towards documentation


V1.6

None of those is a documentation requirement, all are implementation requirements and must belong to V6.

  • 1.6.1
    • Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57.
  • 1.6.2
    • Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.
  • 1.6.3 - Expand 1.6.3 #1544
    • Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data.
  • 1.6.4
    • Verify that the architecture treats client-side secrets (such as symmetric keys, passwords, or API tokens) as insecure and never uses them to protect or access sensitive data.

V1.7 - ok, only documentation requirements


V1.8 - ok, only documentation requirements


V1.9 - ok, nothing there


V1.10 - ok, nothing there


V1.11


V1.12 - ok, nothing there


V1.13 - ok, nothing there


V1.14

@elarlang elarlang added the V1 label Oct 10, 2024
@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Oct 15, 2024
@tghosth
Copy link
Collaborator

tghosth commented Oct 15, 2024

Comments:

  • I think that 1.6.1 is a classic documentation requirement but might need rewording.
  • The rest of 1.6 will need to be merged into V6 when we have the draft from Daniel.

All the rest I think I have commented on the actual issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet josh/elar V1 _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Development

No branches or pull requests

2 participants