Is 14.1.1 in scope for ASVS? #2084

Closed
tghosth opened this issue Sep 15, 2024 · 5 comments · Fixed by #2105
Labels: 6) PR awaiting review; V14; _5.0 - prep (This needs to be addressed to prepare 5.0)

Comments

@tghosth
Collaborator

tghosth commented Sep 15, 2024

# Description L1 L2 L3 CWE
14.1.1 Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts.

This feels like more of a process thing than a secure application thing. I would be inclined to drop it.

cc: @meghanjacquot @jmanico @elarlang

tghosth added the labels "1) Discussion ongoing" (Issue is opened and assigned but no clear proposal yet), "_5.0 - prep" (This needs to be addressed to prepare 5.0) and "V14" on Sep 15, 2024

@elarlang
Collaborator

previously touched in #1527

As it is written, it is out of scope for me.

Now, the question is what we may lose in the end product (the application) if we don't require it? Maybe we need to cover those aspects (if there are any) some other way.

@meghanjacquot
Collaborator

I propose moving it to be part of V1 in section 1, but to be less prescriptive change the "and" to an "or" and add etc. I am in support of dropping it from V14.

@elarlang
Collaborator

I can not see material for V1, see my comment here #2088 (comment)

@meghanjacquot
Collaborator

> I propose moving it to be part of V1 in section 1, but to be less prescriptive change the "and" to an "or" and add etc. I am in support of dropping it from V14.

Since I understand more about what V1 is going to become, I amend this and am fine with the proposal to drop it from V14.

@tghosth
Collaborator Author

tghosth commented Sep 22, 2024

Opened #2105

tghosth added the label "6) PR awaiting review" and removed the label "1) Discussion ongoing" (Issue is opened and assigned but no clear proposal yet) on Sep 22, 2024