
discussion/new requirement: inventory/documentation for "allow listed" sources and communications

Open elarlang opened this issue 4 years ago • 23 comments

Over time there is a need to configure every kind of allow list, like *-src and frame-ancestors for Content-Security-Policy (current requirements 14.4.3 and 14.4.7), allowed Origins (14.2.3, 13.5.2, 14.5.3), and the allow list of resources or systems to which the server can send requests or load data/files from (12.6.1).

Problem to solve - if it's not documented, then sooner or later it's not clear why there is some item in the allow list, and those items may stay there even if they are not needed (anymore).

Idea - create new requirement which requires those whitelists to be documented. Category probably 1.14.

elarlang avatar May 11 '21 09:05 elarlang

Per Google research (Weichselbaum/Spagnuolo) 94% of allow list policies are bypassable. It's more secure to focus on a nonce or hash based CSP. Strict-dynamic makes this easier.

https://m.youtube.com/watch?v=5m7IPjC2v70

jmanico avatar May 11 '21 09:05 jmanico

Don't take this CSP out of context here. I have this proposal even if we remove CSP part and say that for CSP use nonces instead.

Think about requirement 14.2.5 (for me it seems V1 requirement btw):

V14.2.5 Verify that an inventory catalog is maintained of all third party libraries in use.

Same with 12.6.1:

V12.6.1 Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from.

If there is a configured list of hosts, then there should be documentation which describes why some host exists in this allow list.

elarlang avatar May 11 '21 11:05 elarlang

I am being directly in context; it's my opinion, based on research I have seen, that allow lists should not be used with CSP.

jmanico avatar May 11 '21 19:05 jmanico

@elarlang I like the concept of ensuring that these sorts of lists are explicitly documented and I agree that this sounds like a V1 control. Do you want to draft something?

@jmanico I think the CSP point is a good question that needs to be looked at separately, do you want to open a specific issue for it?

tghosth avatar Feb 23 '22 15:02 tghosth

Done here, @tghosth https://github.com/OWASP/ASVS/issues/1311

jmanico avatar Jul 03 '22 01:07 jmanico

@elarlang let me know if you are able to draft something :)

tghosth avatar Jul 26 '22 16:07 tghosth

@elarlang where are we with the original part of this issue, are you going to draft something?

tghosth avatar Sep 13 '22 17:09 tghosth

I try to get this one moving as well.

We have requirement like 12.6.1: V12.6.1 Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from.

The precondition here is: how can you test this if you don't have this "allow list of accepted resources" documented?

The goal for the requirement - we need to have the needs of the application documented, otherwise you cannot write the actual implementation for the allow-list and we also cannot test it.

I don't know how to build the requirement text, but it should say - all the needs for requests to external resources by the servers must be documented.

elarlang avatar Oct 08 '22 17:10 elarlang

How about:

Verify that the allow-lists being used for security controls across the application are centrally documented and used for all implementations.

tghosth avatar Oct 23 '22 14:10 tghosth

Related requirements.

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 1.1.4 | Verify documentation and justification of all the application's trust boundaries, components, and significant data flows. | | | | 1059 |
| 1.1.5 | Verify definition and security analysis of the application's high-level architecture and all connected remote services. (C1) | | | | 1059 |

elarlang avatar Dec 11 '22 11:12 elarlang

Verify that the allow-lists being used for security controls such as CSP and allowed outbound access across the application are centrally documented and used for all implementations.

12.6.1, 14.x?

Add somewhere to 1.x

tghosth avatar Dec 12 '22 12:12 tghosth

@set-reminder 5 weeks @tghosth to look at this

tghosth avatar Dec 12 '22 12:12 tghosth

Reminder Monday, January 16, 2023 12:00 AM (GMT+01:00)

@tghosth to look at this

octo-reminder[bot] avatar Dec 12 '22 12:12 octo-reminder[bot]

🔔 @tghosth

@tghosth to look at this

octo-reminder[bot] avatar Jan 15 '23 23:01 octo-reminder[bot]

Update: the previous 12.6.1 has now moved to 14.7.1.

V14.7 Web or Application Server Configuration

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 14.7.1 | [MOVED FROM 12.6.1, GRAMMAR] Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data or files from. | | | | 918 |

The pre-condition for implementing 14.7.1 is a documented allow-list of resources, and this is the reason why we need the documentation requirement.

It feels that it is covered by:

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 1.1.4 | Verify documentation and justification of all the application's trust boundaries, components, and significant data flows. | | | | 1059 |
| 1.1.5 | Verify definition and security analysis of the application's high-level architecture and all connected remote services. (C1) | | | | 1059 |

But those requirements will be potentially removed via #1541.

Also related: https://github.com/OWASP/ASVS/issues/1620#issuecomment-1750098336 (but I see it as separate requirement)

elarlang avatar Oct 07 '23 10:10 elarlang
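As an added illustration of the "documented allow-list is the pre-condition" point above (this is example code, not from the ASVS project or any commenter), the following registry records each origin together with its purpose, owner and review date, and both the 14.7.1-style outbound request check and the CSP `connect-src` directive are generated from that one documented source. Entries that lack a justification or are past their review date are reported and dropped from the runtime controls. All origins, team names and dates are constructed; `AllowedOrigin`, `REGISTRY` and the helper functions are hypothetical names.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class AllowedOrigin:
    """One documented entry: the origin plus the justification the issue asks for."""
    origin: str      # scheme://host[:port], no path
    purpose: str     # why this origin is needed
    owner: str       # team accountable for the entry
    used_by: tuple   # controls that consume it: "outbound" (14.7.1), "csp-connect-src" (14.4.x)
    review_by: date  # the entry must be re-justified by this date


# Constructed sample registry (hypothetical origins and teams, not real services).
REGISTRY = (
    AllowedOrigin("https://api.payments.example", "Card tokenisation API called by the checkout service",
                  "payments-team", ("outbound", "csp-connect-src"), date(2024, 6, 30)),
    AllowedOrigin("https://cdn.example", "Browser fetches static assets and fonts",
                  "platform-team", ("csp-connect-src",), date(2024, 12, 31)),
    # Undocumented leftover: no purpose, no owner, review date in the past.
    AllowedOrigin("http://legacy-reports.internal:8080", "", "", ("outbound",), date(2023, 1, 31)),
)

TODAY = date(2024, 1, 15)  # constructed "current date" so the example is deterministic


def missing_justification(entries):
    """Origins that are configured but not documented (no purpose or no owner)."""
    return [e.origin for e in entries if not e.purpose.strip() or not e.owner.strip()]


def expired_entries(entries, today):
    """Origins whose review date has passed."""
    return [e.origin for e in entries if e.review_by < today]


def active_entries(entries, today):
    """Only fully documented, in-date entries feed the runtime controls."""
    bad = set(missing_justification(entries)) | set(expired_entries(entries, today))
    return [e for e in entries if e.origin not in bad]


def normalize_origin(url):
    """Reduce a URL to scheme://host[:port]; None if it cannot be compared safely."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # reject userinfo so the host compared is the host that will be connected to
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def outbound_allowed(url, entries, today):
    """Server-side check in the spirit of 14.7.1: may the server fetch this URL?"""
    origin = normalize_origin(url)
    if origin is None:
        return False
    return any(e.origin == origin and "outbound" in e.used_by
               for e in active_entries(entries, today))


def csp_connect_src(entries, today):
    """Build the CSP connect-src directive from the same documented registry."""
    sources = sorted(e.origin for e in active_entries(entries, today)
                     if "csp-connect-src" in e.used_by)
    return "connect-src 'self' " + " ".join(sources)


if __name__ == "__main__":
    print("undocumented:", missing_justification(REGISTRY))
    print("expired:", expired_entries(REGISTRY, TODAY))
    print(csp_connect_src(REGISTRY, TODAY))
    print(outbound_allowed("https://api.payments.example/v1/tokens", REGISTRY, TODAY))
```

The documentation checks (`missing_justification`, `expired_entries`) are what a reviewer can run against the registry to verify the proposed V1 requirement; the runtime functions consume only entries that pass them, so an undocumented host cannot silently remain in force.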

Need to create documentation requirements for this. Potentially separate for CSP and for backend resource accesses.

tghosth avatar Dec 14 '23 11:12 tghosth