13.4.6 / v5.0.be-14.1.5 - known good state #2953
Comments
elarlang
added
1) Discussion ongoing
|
I think this is a fair observation. If you want to keep this around, I would suggest we state the first, like: 13.4.6 Verify that the integrity and security posture of deployed environments are maintained over time, ensuring that configurations do not drift to an insecure state. Examples of this include using short-lived environments that are frequently redeployed from a secure baseline ("known good state") or employing drift prevention mechanisms for long-lived environments. |
tghosth
added
6) PR awaiting review
and removed
1) Discussion ongoing
|
I can merge in the improved wording, but the question is - is it realistic to be tested and verifiable? |
elarlang
added
1) Discussion ongoing
|
How about this Elar? A more verifiable version might be: 13.4.6 Verify that mechanisms are in place to detect and respond to configuration drift in deployed environments. This may include using immutable infrastructure, automated redeployment from a secure baseline, or drift detection tools that compare current state against approved configurations. The tools I use for this include:
|
|
If you both think that this is actionable and verifiable requirement I'm ok to close this out. I don't have enough experience with this to have a strong opinion on the content, just concerns for the requirement in ASVS. |
|
I think a push to make this more verifiable is sensible, I'm happy to modify this more to make it more verifiable. It's a good push. |
tghosth
added
6) PR awaiting review
and removed
1) Discussion ongoing
It requires to implement certain solution, but not to address the actual problem that seems to be "ensure that deployed configurations are not changed to an insecure state".
The text was updated successfully, but these errors were encountered: