You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Spin-off from #2088 / the discussion over 14.2.6 and/or 14.2.8 comes from #1425.
Current requirements:
#
Description
L1
L2
L3
CWE
14.2.6
[MODIFIED, SPLIT TO 14.2.8, LEVEL L2 > L3] Verify that risky third party libraries or those with a history of vulnerabilities are encapsulated such that only required behaviour is available to the application, to reduce attack surface.
✓
1061
14.2.8
[ADDED, SPLIT FROM 14.2.6] Verify that risky third party libraries or those with a history of vulnerabilities are sandboxed away from the most sensitive system modules/services so that even if a vulnerability in the library was successfully exploited, the sensitive system modules/services would not be compromised.
✓
1061
The need for those requirements are questioned for example in comments:
For me the "main error" is, if we talk about L3 requirement, then those application can not use any "too risky" and not trustful component anyway.
By content, both are more "software architecture" requirements, not a clear configuration requirements. Most likely we need a chapter for V10 for that, something to say "Software Architecture" or "Sandboxing".
The text was updated successfully, but these errors were encountered:
Spin-off from #2088 / the discussion over 14.2.6 and/or 14.2.8 comes from #1425.
Current requirements:
The need for those requirements are questioned for example in comments:
For me the "main error" is, if we talk about L3 requirement, then those application can not use any "too risky" and not trustful component anyway.
By content, both are more "software architecture" requirements, not a clear configuration requirements. Most likely we need a chapter for V10 for that, something to say "Software Architecture" or "Sandboxing".
The text was updated successfully, but these errors were encountered: