V11 rework by @jmanico #1953
Comments
@jmanico did you have an opinion on:
We need this requirement. If you don't have the limits defined, you can not implement them and you can not test them. It's a documentation and pre-condition requirement that, by current logic, belongs to section V1.11.
Can you think how we can reword it to be more specific or clear that this is what we are trying to achieve?
"Monitoring": I have addressed the topic here: #1211 (comment) And those requirements are moved to V7 in another branch:
Using the same style as other similar ones:
11.1.5 "Globally defined" means that software needs to track global totals that typically are beyond the current software. All the more reason why we need to support dual-authorization.
The "Globally" is unnecessary and limiting here. All I say is that we just need a requirement to say (not a wording proposal!) "Verify that business logic limits are analyzed and documented." + "Verify that business logic limits are implemented correctly."
We already have per-user limits defined. I think this is clear enough so it's easily implemented. 11.1.3 [MODIFIED] Verify that the application has appropriate limits defined on a per user basis for specific business actions or transactions. ✓ ✓ ✓ The 4x requirement that defines multi-user approval will cover the global limits. We can delete it from section V11.
@jmanico I discussed with @elarlang and we thought this made sense and is in line with our current thinking about documentation requirements.
I like this merge of user and global limits. Good job to you both. I'll add it to the new branch and submit a PR today with all of the suggested changes. Thank you!
PR submitted via #1954 that should address everyone's comments. I also updated the definition and removed some of the older references.
* Resolve OWASP#1863 by clarifying 13.4.2 * Remove blanks * tag --------- Co-authored-by: Elar Lang <47597707+elarlang@users.noreply.github.com>
I have addressed those here: #1869 (comment)
I don't think that issue is a blocker for merging but should certainly be addressed when we have a draft for 5.0 |
Now just waiting on #1576 |
Jim has prepared a rework of V11:
https://github.com/OWASP/ASVS/tree/Business-Logic-5.0-Rewrite
These are the notes that Jim sent:
This shows V11 status: