Configuration V14 - Sanity Check Comments/Suggestions for v.5.0 #2592
Labels: `1) Discussion ongoing` (Issue is opened and assigned but no clear proposal yet), `V14`, `_5.0 - prep` (This needs to be addressed to prepare 5.0)
Chapter V14 - Configuration
Here are a few things I observed reviewing this chapter for v.5.0 as a sanity check related to #2582, which require some clarification, as maybe my understanding is not enough just from a few passes of reading them:
Question 1: For this requirement,
14.1.5 [MODIFIED] Verify that deployed environments are short lived and frequently redeployed to a "known good" but updated state. Alternatively, long lived environments should use some form of "drift prevention" to ensure that deployed configurations are not changed to an insecure state.
What does it mean by "deployed environments"? Does this pertain to non-production environments, or does it mean production environments? Why is there a need for production environments to be short-lived? Maybe that's one question someone would be struggling with when reading this requirement. It seems a bit vague to me.
Question 2: For this requirement,
14.1.9 [ADDED] Verify that application code or functionality can only be changed via the standard update or build process and not directly in production through application functionality or some other direct modification mechanism.
While this is a good common-sense control, upon reading it a few times, doesn't this mean the standard build process, which means it will deal with the CI/CD pipeline? Isn't that also out of scope for ASVS and treated in another OWASP project, I think OWASP SAMM, right?
Question 3: Why did we delete 14.3.1? Old requirement in 4.0.2 says,
14.3.1 [DELETED] Verify that web or application server and framework error messages are configured to deliver user actionable, customized responses to eliminate any unintended security disclosures.
Isn't this a good idea, ensuring that application server and framework error messages are configured against unintended security disclosures? Is it removed because it is not practical to test?
Recommendations:
V14.6 Web or Application Server Configuration
Needs a paragraph describing this section, for consistency across all subsections in ASVS.
For V14.8 Secret Management, I thought of another control; maybe it is already written somewhere, but let me articulate it and let's discuss whether we need to add something like it: "Ensure that exposure and access to key material is limited, such as just-in-time access". What do you guys think?
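A minimal form of the "drift prevention" that 14.1.5 refers to, which also surfaces the direct production edits 14.1.9 forbids, as an added example that is not part of this issue or of the ASVS project; the deployment layout, file names and the `hash_tree`/`detect_drift` helpers are constructed for illustration:

```python
"""Added example: hash a deployed tree, compare it with a known-good baseline
manifest captured by the build/release process, and report any drift."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def detect_drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return files added, removed or modified relative to the baseline.
    Any non-empty list is drift: the deployment no longer matches the
    state the build produced, so it should be redeployed or investigated."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny deployment, then simulate a
    config hot-edit and a stray file dropped directly into production."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "app"
        (app / "conf").mkdir(parents=True)
        (app / "main.py").write_text("print('v1')\n")
        (app / "conf" / "settings.ini").write_text("debug = false\n")
        baseline = hash_tree(app)  # what the release process would record
        (app / "conf" / "settings.ini").write_text("debug = true\n")  # edited in place
        (app / "hotfix.py").write_text("pass\n")  # did not come from the build
        return detect_drift(baseline, hash_tree(app))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is produced and signed at build time and the comparison runs on a schedule or at deploy time, so that a mismatch triggers redeployment rather than a manual fix.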