Refresh ISO 27001 Multisession Control Statement. #1610
Comments
So I think that given we no longer mandate this anyway, I am not super worried about an updated reference. In general, I think figuring out how to comply with other regulation is not really in scope for ASVS and certainly not a key goal for 5.0.
In 5.0, I am expecting we will need to trim down this text as much as possible anyway.
Closing as I don't think we will take action on this
Can @tghosth provide the context of this decision, as it can be fixed with a Pull Request?
Highly likely that this sentence will be removed in 5.0 anyway |
Remove Unknown ISO 27001 Multisession Control
I am reopening this and marking it to be considered when we create the actual 5.0 draft.
"1.6 Compliance" of MVSP mandates:
* Comply with all industry security standards relevant to your business such as PCI DSS, HITRUST, ISO27001, and SSAE 18.
The parent of all MVSP issues is #1151.
V3.7 Defenses Against Session Management Exploits states "Previously, based on ISO 27002 requirements, the ASVS has required blocking multiple simultaneous sessions. Blocking simultaneous sessions is no longer appropriate, ...".
ISO 27002 was updated during 2022 and therefore this statement in ASVS should reflect the latest release of ISO 27002.
I don't know if this is reflected in the latest ISO 27002 or not, as I don't have it at hand at the moment.
This issue should also be reconsidered when undertaking QA of each future release of ASVS.