What is new in version 4.0.3
We are pleased to announce that the version 4.0.3 of the ASVS has now been released! Thanks to the project leaders and other contributors for their support in getting this out.
This is not a big release but rather it is intended to fix spelling errors and make requirements clearer without making breaking changes such as materially changing requirements, strengthening requirements or adding requirements.
However, some requirements may have been slightly weakened where we felt this was appropriate, and some entirely redundant requirements have been removed (without renumbering). Nevertheless, anyone using 4.0.1 or 4.0.2 should be able to move smoothly to 4.0.3.
This document notes some key changes.
There were a number of requirements which were almost direct duplicates of other pre-existing requirements. We have tried to remove some of these to make it easier to consume the standard. Similarly, certain requirements did not appear to be practically actionable, and we have removed some of these as well. Wherever we have removed a requirement, we have deliberately left the numbering as it was and added a note at the start of the requirement text beginning with "[DELETED...]".
In a couple of cases we have reduced what is necessary to fulfil certain requirements where discussion concluded that this was appropriate. This allowed us to increase the accuracy of the standard without causing applications which would previously have passed a requirement to now fail it.
Notably, we have not reduced the minimum password length from 12. It is likely that this will occur in a future version, but only in conjunction with very explicit requirements around other password controls as well as Multi-Factor Authentication.
Some section headers included the word "Requirements" and some did not. We have removed that word consistently and fixed some other wording issues along the way.