(From Dave Wichers)
I took a first stab at the Common Authentication requirements based on Keith's SCP Guide and the ASVS. Keith and I spent a couple of hours going through these changes and have together produced the following:
The numbering scheme I have proposed is here, if you haven't looked at it yet: https://www.owasp.org/index.php/OWASP_Common_Numbering_Project#tab=OWASP_Common_Requirements_Numbering_Scheme
The requirements are here:
https://www.owasp.org/index.php/OWASP_Common_Numbering_Project#tab=OWASP_Common_Requirements_-_DRAFT
An updated version of Keith's Secure Coding Best Practices is attached, where just the Authentication section has been updated to match these requirements. Keith has decided to have his guide use exactly the same requirement numbers as the common numbering project. But for ASVS and the Dev/Test/Code Review guides, I would imagine we would just cross-reference to the Common Numbers rather than adopt them.
Please ignore the rest of my comments on his document. Focus only on the Authentication section.
Also attached are my working notes for these common requirements and a mapping of them to the old Secure Coding Best Practices Guide and the current ASVS.
I plan to update the Authentication section of ASVS to match these new common requirements, but haven't done that yet, as I didn’t want to hold up your review.
I wanted to get your feedback before we follow this model/approach for all the other sections, which is a lot of work. So if you have any major comments on the approach, now is the time to raise them and reach some consensus so we can avoid major rework later.
Here are my major questions:
1. Any comments on the numbering scheme proposed?
a. I have developed suggested areas for requirements based on the various OWASP docs but they can easily change. If you have any suggested changes, let me know.
2. Any comments on our overall approach for developing a full requirements area and mapping that to the Secure Coding Best Practices?
3. Any specific comments on the requirements we have identified so far?
After getting Authentication worked out, I plan to work with Keith to crank out all the rest, either all at once or maybe in 2-3 rounds.
Any and all feedback welcome.
Thanks,
Dave Wichers