Jim Manico
We're not discussing login throttling as a way to stop detected automated login attacks, and yet, this is the most important defense.
We should create a function to safely embed JSON on a webpage similar to what https://github.com/yahoo/serialize-javascript accomplishes.
2.4.4 recommends bcrypt wf 10 (that's ok) but does not mention the 72 byte limit
2.3.3
2.3.3 is not clear in terms of what we need to review for it. Please add more clarity to this requirement!!
10.1.1 | Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections.
13.2.6 | Verify that the message headers and payload are trustworthy and not modified in transit. Requiring strong encryption for transport (TLS only) may be sufficient in many cases as...
I think the following objectives are too role-centric. Roles are just one paradigm. Change: * Users are associated with a well-defined set of roles and privileges. * Role and permission...
I suggest we have a CSP requirement that moves folks away from allow-lists to a nonce or hash strict-dynamic policy (CSP3 stuff) which is much easier to deploy and more...
8.3.6 | Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data. ...