
Clarify 7.2.2 (previously v5.0.be-3.1.3, v4.0.3-3.5.2) #2817

Closed
tghosth opened this issue Mar 30, 2025 · 2 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet 6) PR awaiting review V7 (prev V3) _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@tghosth
Copy link
Collaborator

tghosth commented Mar 30, 2025

Previous wording:

| # | Description | L1 | L2 | L3 | CWE | NIST § |
| :---: | :--- | :---: | :---: | :---: | :---: | :---: |
| **3.5.2** | Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations. | | | | 798 | |

Current wording:

| # | Description | Level | #v5.0.be |
| :---: | :--- | :---: | :---: |
| **7.2.2** | [MODIFIED, MOVED FROM 3.5.2, LEVEL L2 > L1] Verify that the application uses either self-contained or reference tokens for session management, avoiding static API secrets and key. | 1 | v5.0.be-3.1.3 |

I propose:

"Verify that the application uses temporary self-contained or reference tokens for session management, avoiding static secrets and keys."

@elarlang
Copy link
Collaborator

elarlang commented Mar 30, 2025

For me the "temporary" is quite confusing here.

Note that the current wording is:

V7.2.2 Verify that the application uses either self-contained or reference tokens for session management. Static API secrets and keys should be avoided.

Proposal, a combination of different pieces:

Verify that the application uses either self-contained or reference tokens for session management, i.e. not using static API secrets and keys.

The "avoid static" part for reference tokens is covered by requirements:

- V7.2.3 / v5.0.be-3.1.4 Verify that if reference tokens are used to represent user sessions, they are unique and generated using a cryptographically secure pseudo-random number generator (CSPRNG) and possess at least 128 bits of entropy.
- 7.2.4 / v5.0.be-3.1.5 Verify that the application generates a new session token on user authentication, including re-authentication, and terminates the current session token.

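To make the distinction the thread is circling concrete, here is an added illustration (not ASVS text and not the project's own code) of the two token styles the requirement names, a reference token and a self-contained token, both minted per session from a CSPRNG rather than being a static API key. It also shows the V7.2.3 entropy floor (16 bytes, i.e. 128 bits) and the V7.2.4 behaviour of issuing a fresh token on re-authentication while terminating the one presented. All class and function names are the example's own assumptions.

```python
"""Added illustration (not ASVS text or project code): per-session reference
and self-contained tokens, versus a static API key. Names are this example's."""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_BYTES = 16  # 128 bits from the OS CSPRNG, the entropy floor in V7.2.3


class ReferenceSessionStore:
    """Reference tokens: opaque random strings whose meaning lives only in the
    server-side table below, so a token on its own carries no information."""

    def __init__(self, lifetime_seconds=3600, clock=time.time):
        self._sessions = {}  # token -> {"user": ..., "expires": ...}
        self._lifetime = lifetime_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, user_id):
        token = secrets.token_urlsafe(TOKEN_BYTES)  # fresh per session, never a fixed key
        self._sessions[token] = {"user": user_id, "expires": self._clock() + self._lifetime}
        return token

    def authenticate(self, user_id, current_token=None):
        """V7.2.4 behaviour: (re-)authentication issues a new token and
        terminates the token the client presented, if any."""
        if current_token is not None:
            self._sessions.pop(current_token, None)
        return self.create(user_id)

    def resolve(self, token):
        """Return the user bound to the token, or None if unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session["expires"]:
            del self._sessions[token]
            return None
        return session["user"]

    def active_count(self):
        return len(self._sessions)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_self_contained(user_id, signing_key: bytes, lifetime_seconds, now=None):
    """Self-contained token: claims plus an HMAC-SHA256 over them. The signing
    key is a server secret that never leaves the server; the client receives a
    per-session value, unique through its expiry and a random nonce."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + lifetime_seconds),
              "nonce": secrets.token_hex(TOKEN_BYTES)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_self_contained(token, signing_key: bytes, now=None):
    """Return the subject if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(tag), expected):  # constant-time compare
        return None
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None
    return claims["sub"]


def demo():
    """Exercise both styles against a fixed clock; returns the checks as booleans."""
    fixed = [1_000_000.0]
    store = ReferenceSessionStore(lifetime_seconds=600, clock=lambda: fixed[0])
    t1 = store.authenticate("alice")
    t2 = store.authenticate("alice", current_token=t1)  # re-authentication rotates
    rotated = store.resolve(t1) is None and store.resolve(t2) == "alice"
    fixed[0] += 601
    expired = store.resolve(t2) is None

    key = secrets.token_bytes(32)  # server-side signing secret, never sent to clients
    sc = mint_self_contained("bob", key, 300, now=1_000_000)
    verified = verify_self_contained(sc, key, now=1_000_100) == "bob"
    tampered = ("B" if sc[0] != "B" else "C") + sc[1:]  # alter the claims
    forged_rejected = verify_self_contained(tampered, key, now=1_000_100) is None
    stale_rejected = verify_self_contained(sc, key, now=1_000_400) is None
    return {"rotated": rotated, "expired": expired, "verified": verified,
            "forged_rejected": forged_rejected, "stale_rejected": stale_rejected}


if __name__ == "__main__":
    print(demo())
```

The reference store is what V7.2.3's "unique, CSPRNG, at least 128 bits" language governs; the self-contained token shows why a static key can still exist on the server side (as the signing secret) without ever being the credential the client holds, which is the distinction the proposed wording "not using static API secrets and keys" draws.
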
@tghosth
Copy link
Collaborator Author

tghosth commented Mar 30, 2025

Maybe we should say:

"Verify that the application uses either self-contained or reference tokens that are dynamically generated for session management, i.e. not using static API secrets and keys."

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Mar 30, 2025
@elarlang elarlang added the 5) awaiting PR A proposal has been accepted and reviewed and we are now waiting for a PR label Mar 30, 2025
elarlang added a commit that referenced this issue Mar 30, 2025
@elarlang elarlang added 6) PR awaiting review and removed 5) awaiting PR A proposal has been accepted and reviewed and we are now waiting for a PR labels Mar 30, 2025