Merge pull request #920 from elarlang/asvs-issue-881
issue #881, closes #881 + some whitespace fixes
jmanico authored Mar 14, 2021
2 parents f5b8a7a + d166891 commit 5b56b3f
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions 4.0/en/0x22-V14-Config.md
@@ -45,8 +45,7 @@ Note: At Level 1, 14.2.1 compliance relates to observations or detections of cli
| **14.2.7** | [ADDED] Verify that third party components are sourced separately from internally owned and developed applications |||| 441 |


Note: Certain languages and package managers, have ecosystems that require the identification of packages using multiple factors (e.g groupId and artifactId). This would allow the build process to more specifically identify a resource. In other cases, package managers operate by the order of repositories or mirrors included. Consult your package managers to specifically indicate search order.

Note: Certain languages and package managers, have ecosystems that require the identification of packages using multiple factors (e.g groupId and artifactId). This would allow the build process to more specifically identify a resource. In other cases, package managers operate by the order of repositories or mirrors included. Consult your package managers to specifically indicate search order.


## V14.3 Unintended Security Disclosure Requirements
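Review bot: the note on multi-factor package identification is carried over unchanged apart from whitespace (the removed and added copies read identically), so this is the moment to fix its wording while the line is already being touched: drop the stray comma in "Certain languages and package managers, have ecosystems", write "e.g." with its trailing period, and turn the last sentence into a concrete instruction, for example "Consult your package manager's documentation to pin the repository search order explicitly." Removing one of the two blank lines before the note is fine.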
@@ -55,7 +54,7 @@ Configurations for production should be hardened to protect against common attac

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | -- | -- |
| **14.3.1** | Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures. | ||| 209 |
| **14.3.1** | [DELETED, MERGED TO 7.4.1] | | | | |
| **14.3.2** | Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures. |||| 497 |
| **14.3.3** | Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. |||| 200 |

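Review bot: replacing 14.3.1 with a "[DELETED, MERGED TO 7.4.1]" placeholder keeps the requirement numbering stable, but the row also clears the CWE 209 mapping; please confirm that 7.4.1 carries CWE 209 (or an equivalent) so the error-message disclosure mapping is not silently lost. While in this table, the separator row mixes `---` and `--` ("| --- | --- | --- | --- | -- | -- |"); aligning them is a trivial cleanup.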
@@ -92,4 +91,4 @@ For more information, see also:
* [Exploiting CORS misconfiguration for BitCoins and Bounties](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
* [OWASP Web Security Testing Guide 4.1: Configuration and Deployment Management Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README.html)
* [Sandboxing third party components](https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#sandboxing-content)
* [Defining multiple repositories in maven](https://maven.apache.org/guides/mini/guide-multiple-repositories.html)
* [Defining multiple repositories in maven](https://maven.apache.org/guides/mini/guide-multiple-repositories.html)
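Review bot: this hunk only changes the trailing newline on the last reference entry (the removed and added lines are identical), which matches the whitespace fix named in the commit message; no content concern. If the line is touched again, capitalize "Maven" in the link text to match the casing of the other entries.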
