[Global_industry_committee] [Owasp-leaders] Draft NIST Special Publication 800-118 Guide to Enterprise Password Management

Colin Watson colin.watson at owasp.org
Fri May 22 09:29:29 EDT 2009


Thanks for all the input so far, and to those who are looking at it
this weekend.

Jeff:
> Could someone compare what's in the NIST pub to what is required in the
> OWASP ASVS sections on Authentication and Session Management?

There was/is another NIST SP, 800-63 Rev. 1 "DRAFT Electronic
Authentication [of remote citizens] Guideline" which was open for
comment until 30 January 2009, and we hadn't really got into these
response activities by then unfortunately.

http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

But I think references to ASVS should be included in our response,
since authentication is discussed in SP 800-118 too.

ASVS Authentication Requirements V2
- only the issues in V2.7, V2.8, V2.9, V2.11 and V2.13 are mentioned
in SP 800-118, and not very specifically nor in a mandatory statement

ASVS Session Management Requirements V3
- nothing in SP 800-118

Colin
