
8.1.1 and 8.1.2 are pretty clear duplicates

Open jmanico opened this issue 3 years ago • 6 comments

From https://github.com/OWASP/ASVS/blob/master/5.0/en/0x16-V8-Data-Protection.md

| # | Description | CWE |
|---|---|---|
| 8.1.1 | Verify the application protects sensitive data from being cached in server components such as load balancers and application caches. | 524 |
| 8.1.2 | Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data. | 524 |

jmanico avatar Sep 28 '22 16:09 jmanico
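For readers checking what the two requirements ask for in practice, here is an added example that is not part of the issue, the linked PR or the ASVS text itself. It shows the response-header policy that keeps sensitive responses out of shared caches such as load balancers (8.1.1), a checker that reads Cache-Control the way a shared cache would, and a store for temporary server-side copies that releases a copy only to the user it was created for, purges it on that first access, and expires unread copies (8.1.2). All function and class names, the token format and the TTL are assumptions made for this example.

```python
"""Added example (not ASVS code): building blocks for requirements 8.1.1
and 8.1.2 of the V8 Data Protection chapter.  Names, token format and TTL
are assumptions made for illustration."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# --- 8.1.1: keep sensitive responses out of shared caches -----------------

# Directives that tell a shared cache (and Pragma for HTTP/1.0 proxies)
# not to keep a copy.  "private" alone still allows a browser cache;
# "no-store" covers both.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, private, max-age=0",
    "Pragma": "no-cache",
}


def mark_sensitive(headers: dict, sensitive: bool) -> dict:
    """Return a copy of the response headers with no-store directives added
    when the body contains sensitive data.  Any cache directive the handler
    already set is replaced, since a stray 'public, max-age=600' would
    otherwise override the intent.  Non-sensitive responses are untouched."""
    if not sensitive:
        return dict(headers)
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("cache-control", "pragma", "expires")}
    out.update(NO_STORE_HEADERS)
    return out


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control value into {directive: argument-or-None}.
    Directive names are case-insensitive, so they are lower-cased here."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(headers: dict) -> bool:
    """Simplified model of whether a shared cache (load balancer, reverse
    proxy, application cache) may keep this response: False only when
    Cache-Control carries no-store or private.  A response with no cache
    directives at all is reported as storable, which is the case a test
    for 8.1.1 must catch on every response that contains sensitive data."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "cache-control"), "")
    directives = parse_cache_control(value)
    return "no-store" not in directives and "private" not in directives


# --- 8.1.2: temporary copies released once, to their owner, then purged --

@dataclass
class _Copy:
    owner: str
    data: bytes
    expires_at: float


@dataclass
class OneTimeCopyStore:
    """Holds temporary server-side copies of sensitive data (for example a
    generated export waiting for download).  A copy is handed out only to
    the user it was created for, is deleted on that first access, and is
    purged unread once its TTL passes."""
    ttl_seconds: float = 300.0
    _copies: dict = field(default_factory=dict)

    def put(self, owner: str, data: bytes, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # unguessable handle, assumed format
        now = time.time() if now is None else now
        self._copies[token] = _Copy(owner, data, now + self.ttl_seconds)
        return token

    def take(self, token: str, user: str, now: Optional[float] = None) -> bytes:
        """Return the copy and purge it.  Raises KeyError when the token is
        unknown or expired and PermissionError when `user` is not the
        owner; in neither failure case is the data released."""
        now = time.time() if now is None else now
        self.purge_expired(now)
        copy = self._copies.get(token)
        if copy is None:
            raise KeyError("no such copy")
        if copy.owner != user:
            raise PermissionError("copy belongs to another user")
        del self._copies[token]  # purge on first authorized access
        return copy.data

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop copies nobody collected before their TTL; returns the count."""
        now = time.time() if now is None else now
        stale = [t for t, c in self._copies.items() if c.expires_at <= now]
        for t in stale:
            del self._copies[t]
        return len(stale)

    def __len__(self) -> int:
        return len(self._copies)


if __name__ == "__main__":
    hdrs = mark_sensitive({"Content-Type": "application/json",
                           "Cache-Control": "public, max-age=600"}, True)
    print(hdrs["Cache-Control"], shared_cache_may_store(hdrs))
    store = OneTimeCopyStore(ttl_seconds=60)
    tok = store.put("alice", b"account statement", now=1000.0)
    print(store.take(tok, "alice", now=1001.0), len(store))
```

The checker deliberately treats a response with no Cache-Control at all as storable: that is exactly the response a heuristic-caching proxy in front of the application will keep, so a test for 8.1.1 should flag it rather than assume the absence of a directive is safe.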

Is it different when we take away "cached" from 8.1.2? One seems to target load balancers and cache servers, the other data (temporary copy) in the application.

elarlang avatar Sep 28 '22 17:09 elarlang

> Is it different when we take away "cached" from 8.1.2? One seems to target load balancers and cache servers, the other data (temporary copy) in the application.

I think we can merge the two, the difference is so subtle I think it's not necessary.

jmanico avatar Sep 29 '22 07:09 jmanico

I don't mind. Those are presenting different test-cases but covering the same problem (and same level and same CWE).

elarlang avatar Sep 29 '22 08:09 elarlang

I do mind. We need a leaner standard. This level of redundancy for the secure building side of the house is distracting.

jmanico avatar Sep 29 '22 09:09 jmanico

Agree with merging

tghosth avatar Sep 29 '22 19:09 tghosth

3rd agree. These two date back to a different web, and ideally we need a leaner standard

danielcuthbert avatar Oct 01 '22 12:10 danielcuthbert

Opened #1404, @jmanico please can you review?

tghosth avatar Oct 21 '22 10:10 tghosth