OWASP / ASVS

Application Security Verification Standard

2.10.5 (v4.0.3-9.2.3) - belongs in authentication (needs improvement and scope check)

tghosth opened this issue · comments

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 9.2.3 | Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated. | | | | 287 |

I propose either moving this section v2.10 or deleting it.

"all encrypted connections"

What about not encrypted connections? (those should not exist by 9.1.1, 9.2.2)

"... TO external systems"

Seems a bit out of scope.

.. or we say that if an external system provides sensitive information without authentication, the application should not use the service? I think this problem is then on the external service side and does not make the application itself less secure.

I think it should be deleted.

This is mixing up too many different issues at once.

I think the requirement should be something like:

Verify that access to all sensitive data, whether from external or internal systems, necessitates authentication, a valid session, and appropriate access control measures.

Verify that access to all sensitive data, whether from external or internal systems, necessitates authentication, a valid session, and appropriate access control measures.

This is a bit "fix the world" requirement...

as I wrote here #1891 (comment)

.. or we say that if an external system provides sensitive information without authentication, the application should not use the service? I think this problem is then on the external service side and does not make the application itself less secure.

My point is that we cannot require anything from any external application; we can only set requirements for the application in scope.

It means this requirement is out of scope, or we need to say that the application is not allowed to use an external service if it serves sensitive information without authentication.

Ok so I think the one thing we agree on is that the requirement should not be in V9 so I am going to remove it from there and then we can discuss it for V2.

Opened #1897 to move this but this issue should stay open to discuss for the V2 rework.

I sorta meant to wait for feedback but forgot that PRs not on master don't have branch protection so accidentally merged it. In the spirit of move fast and break stuff, let's just discuss on V2 instead.

I prefer not to postpone it. At least decide now what aspect the requirement brings and how the current requirement fits within the scope.

I guess I sort of see it as a missing requirement in 2.10 because it is kinda talking about service to service authentication but it is sort of a basic requirement that 2.10 does not explicitly say.

Update: at the moment the requirement was moved to 2.10.5

| # | Description | L1 | L2 | L3 | CWE | NIST § |
| --- | --- | --- | --- | --- | --- | --- |
| 2.10.5 | [MOVED FROM 9.2.3] Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated. | | | | 287 | |

Discussed with Elar and we think maybe it is best to just remove this.

@set-reminder 10 minutes @tghosth Josh to action

Reminder
Thursday, March 21, 2024 1:07 PM (GMT+01:00)

@tghosth Josh to action