OWASP / ASVS

Application Security Verification Standard

Do we want V7.4 to get moved to V10?

tghosth opened this issue · comments

Do we want V7.4 to get moved to V10?

Yes. Proposed it here: #1444 (comment)

Even the chapter text says:

The purpose of error handling is to allow the application to provide security-relevant events for monitoring, triage and escalation. The purpose is not to create logs. When logging security-related events, ensure that there is a purpose to the log and that it can be distinguished by SIEM or analysis software.

Reasons to move:

  • it is all about how the program code works and handles errors, and is not directly related to logging
  • it should be a clear message, that security logging IS NOT error logging. As a pentester and trainer, this is something I need to explain too often.

Previously there was no better place than V7; now V10 comes across more as a "code quality" paragraph, and the current V7.4 suits it better.

But to not cause confusion, I think we need to work with V10 first to be a more suitable place. At the moment it is still "malicious code" by title, but it's not anymore by content.

Another option is to keep it in V7, as all errors in the program code are also security events, but then we need to "re-brand" the V7.

I disagree but not strongly. My reasons:

  • I think there is a conceptual fit in V7, made stronger by the fact that it has been there since ASVS v1.
  • I worry that V10 is getting overloaded with too much stuff compared to other chapters.
  • I think we can make the split between error logging and security logging clearer in V7.

The more I think about it, the more it fits V7. There is no big "problem to solve" here and we can close this issue. We can re-open the issue when V10 is ready and re-check whether it is a better fit there.