Review quirementes 14.2.6 and 14.2.8, potential move to V10

[elarlang]

Spin-off from #2088 / the discussion over 14.2.6 and/or 14.2.8 comes from #1425.

Current requirements:

#	Description	L1	L2	L3	CWE
14.2.6	[MODIFIED, SPLIT TO 14.2.8, LEVEL L2 > L3] Verify that risky third party libraries or those with a history of vulnerabilities are encapsulated such that only required behaviour is available to the application, to reduce attack surface.			✓	1061
14.2.8	[ADDED, SPLIT FROM 14.2.6] Verify that risky third party libraries or those with a history of vulnerabilities are sandboxed away from the most sensitive system modules/services so that even if a vulnerability in the library was successfully exploited, the sensitive system modules/services would not be compromised.			✓	1061

The need for those requirements are questioned for example in comments:

• Are parts of 14.2.x section out of scope for ASVS? #2088 (comment)
• Item number 14.2.6 needs to be revised  #1425 (comment)

For me the "main error" is, if we talk about L3 requirement, then those application can not use any "too risky" and not trustful component anyway.

By content, both are more "software architecture" requirements, not a clear configuration requirements. Most likely we need a chapter for V10 for that, something to say "Software Architecture" or "Sandboxing".

[jmanico]

These are great requirements. Well done.

[elarlang]

Those are current requirements that are questioned by 2 persons...

[jmanico]

With a little wordsmithing, I personally like them. That's all.