Josh Grossman

Results: 43 issues by Josh Grossman

This requirement is currently as follows. (My emphasis). I had a question come up on this during a training course.

[3.3.1](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x12-V3-Session-management.md#v33-session-termination)

> Verify that logout and expiration invalidate the session...

help wanted
5.0
Needs wider input

CSP is not super easy to implement. Do we definitely believe it should be Level 1? Current requirement:

[14.4.3](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x22-V14-Config.md#v144-http-security-headers)

> [MODIFIED] Verify that a Content Security Policy (CSP) response header...

help wanted
5.0
Needs wider input

| # | Description |
| :---: | :--- |
| [13.1.4](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x21-V13-API.md#v131-generic-web-service-security) | Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at... |

_5.0 - prep
Community wanted
josh/elar
4a) Waiting for another
V4 Authorization reorg
4b Major-rework
V13

This Pull Request relates to issue #1313

PR awaiting review
5.0

Does anyone have a compelling reason why these are not duplicates:

[**V5.2.6**](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v52-sanitization-and-sandboxing) | Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file...

help wanted
Discussion ongoing
5.0
Needs wider input

Can anyone see why we should not merge these two requirements?

| # | Description |
| :---: | :--- |
| [8.3.1](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x16-V8-Data-Protection.md#v83-sensitive-private-data) | Verify that sensitive data is sent... |

help wanted
5.0
Needs wider input

I have read V9 and I think it needs some rework. Overall I think it is trying to distinguish between external-facing services and service-to-service comms and also...

PR awaiting review
proposal for review

@csfreak92 said he would confirm the ~~CWE~~ NIST mapping for this requirement as discussed here: https://github.com/OWASP/ASVS/pull/1263#issuecomment-1113002285

awaiting proposal
Not 5.0 blocker

This Pull Request relates to issue #1141

PR awaiting review
5.0

### Current state

We currently have the following two requirements:

[10.3.2](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x18-V10-Malicious.md#v103-application-integrity):

> Verify that the application employs integrity protections, such as code signing or subresource integrity. The application must not...

help wanted
Discussion ongoing
5.0
Needs wider input