proposal: remove 13.1.2 as it is duplicate #1028
Comments
I think 4.3.1 should go away. We need multi-factor for any use of
sensitive data. Admin interfaces are not special - they need multi-factor
like any other app with sensitive data or other important risk factors.
I'm ok with 13.1.2 going away because of duplication.
- Jim
On 6/21/21 3:28 AM, Elar Lang wrote:
V4.3 Other Access Control Considerations
<https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V4-Access-Control.md#v43-other-access-control-considerations>
V4.3.1 Verify administrative interfaces use appropriate
multi-factor authentication to prevent unauthorized use.
* Levels: 1, 2, 3
* CWE 419 (Unprotected Primary Channel)
V13.1 Generic Web Service Security
<https://github.com/OWASP/ASVS/blob/master/4.0/en/0x21-V13-API.md#v131-generic-web-service-security>
V13.1.2 Verify that access to administration and management
functions is limited to authorized administrators.
* Levels: 1, 2, 3
* CWE 419 (Unprotected Primary Channel)
Proposal: remove 13.1.2 as it is a duplicate (and authorization
questions should be covered in category V4, and should not be
duplicated in other categories, like an API)
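The two requirements under discussion (4.3.1, multi-factor on administrative interfaces; 13.1.2, administration functions limited to authorized administrators) side by side in code, as an added illustration that is not ASVS project code and not from any commenter in this thread. The function names, the role names and the per-session `mfa_verified` flag are assumptions made for the example. The point it shows is a deny-by-default registry: every function carries a role requirement (13.1.2 is then just the admin case of the general "authorized users only" rule raised below), and only the administrative functions additionally demand a completed second factor (4.3.1).

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Principal:
    """Authenticated caller. mfa_verified is an assumed session attribute,
    set only after a second factor was completed for this session."""
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Policy:
    required_roles: FrozenSet[str]  # caller needs at least one of these
    mfa_required: bool              # 4.3.1: administrative interface


# function name -> (policy, handler). Names not present here are denied,
# so an endpoint that was never given a policy is unreachable by default.
_REGISTRY: Dict[str, Tuple[Policy, Callable[..., str]]] = {}


def protected(name: str, roles: Iterable[str], mfa: bool = False):
    """Decorator registering a handler with its access policy (hypothetical API)."""
    def wrap(fn: Callable[..., str]) -> Callable[..., str]:
        _REGISTRY[name] = (Policy(frozenset(roles), mfa), fn)
        return fn
    return wrap


def authorize(principal: Principal, function_name: str) -> str:
    """Return 'allow' or 'deny:<reason>'. The order of checks is deliberate:
    an unauthorized caller is refused before any second-factor prompt."""
    entry = _REGISTRY.get(function_name)
    if entry is None:
        return "deny:unregistered-function"      # deny by default
    policy, _ = entry
    if not (policy.required_roles & principal.roles):
        return "deny:insufficient-role"          # 13.1.2: authorized administrators only
    if policy.mfa_required and not principal.mfa_verified:
        return "deny:mfa-required"               # 4.3.1: MFA on admin interfaces
    return "allow"


def call(principal: Principal, function_name: str, *args: str) -> str:
    """Enforce the policy and dispatch; returns the denial reason on refusal."""
    verdict = authorize(principal, function_name)
    if verdict != "allow":
        return verdict
    _, handler = _REGISTRY[function_name]
    return handler(*args)


# Constructed sample functions: one administrative, one ordinary.
@protected("users.delete", roles={"admin"}, mfa=True)
def delete_user(target: str) -> str:
    return f"deleted {target}"


@protected("profile.view", roles={"user", "admin"})
def view_profile(target: str) -> str:
    return f"profile of {target}"


if __name__ == "__main__":
    ordinary = Principal("alice", frozenset({"user"}), mfa_verified=False)
    admin_no_mfa = Principal("root", frozenset({"admin"}), mfa_verified=False)
    admin_mfa = Principal("root", frozenset({"admin"}), mfa_verified=True)
    for who, fn in [(ordinary, "profile.view"), (ordinary, "users.delete"),
                    (admin_no_mfa, "users.delete"), (admin_mfa, "users.delete"),
                    (admin_mfa, "debug.dump")]:
        print(f"{who.user_id:6} {fn:13} -> {call(who, fn, 'bob')}")
```

Whichever chapter of the standard the wording ends up in, the check itself does not move: the role test is the authorization requirement, the MFA test is the authentication strength requirement, and the unregistered-function branch is what keeps a forgotten endpoint from being the one that has neither.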
There seems to be some conflict.

I think 4.3.1 should be removed because the need for multi-factor is covered elsewhere and making multi-factor necessary for admins is not necessary. 13.1.2 looks fine as is.

Problem with 13.1.2 - it's an authorization requirement in the API category, but it's not API specific.

I agree that 13.1.2 can be removed. All functionality should only be accessible by authorized users. This is not specific to admins or APIs. I think the ASVS needs an explicit requirement that states something like "All functionality should only be accessible by authorized users". But that's a separate issue and shouldn't go in V13, so this can be removed.
I think this is a separate issue, and perhaps it's better to create a new GitHub issue for this.

Maybe fix the title of the issue? This discussion is about 13.1.2, not 13.2.1 ;)

@jmanico - can you review the original proposal and say whether you agree with removing 13.1.2 as a duplicate, or whether you have arguments against this proposal?

definitely a duplicate and the OP looks good to me

Can this be reworded to verify the authorization of different roles (or is this a duplicate of a requirement already specified in ASVS)?
V4.3 Other Access Control Considerations
V13.1 Generic Web Service Security
Proposal: remove 13.1.2 as it is a duplicate (and authorization questions should be covered in category V4, and should not be duplicated in other categories, like an API)