Requirement 2.1.10 states:
"Verify that there are no periodic credential rotation or password history requirements."
I will focus on the "credential rotation" part of this requirement; splitting this requirement is already discussed in #683.
The table refers to CWE-263 and NIST SP800-63B section 5.1.1.2 ("Memorized Secret Verifiers"). The NIST document mentions a similar requirement. However, that definition (as well as CWE-262) is in direct opposition to the ASVS requirement. Its extended description is as follows:
Just as neglecting to include functionality for the management of password aging is dangerous, so is allowing password aging to continue unchecked. Passwords must be given a maximum life span, after which a user is required to update with a new and different password.
Without any further warning to the contrary, I expect that a citation next to a requirement will refer to something that supports that requirement, or is at least compatible with it. I couldn't find anything to that effect in any text near the table, or any text that precedes it. So at the very least, I would expect some overall warning that some references may disagree with an ASVS requirement.
This would still burden a reader with cross-referencing every requirement if the mapping with the cited publications is important to them (especially the NIST sections). Right now, I have no idea how many of these references are supporting or dissenting, let alone which. As such, it would be even better to have some sort of mark or footnote in the ASVS that points out which requirements are incompatible with the cited material.
For the sake of transparency, I would not remove the reference.
I have now opened this separate issue (#940) for splitting the mentioned requirement and pointed out this CWE mismatch problem there as well. But I proposed to remove the link to the incorrect CWE, which is against the vision here ("For the sake of transparency, I would not remove the reference.").