OWASP Application Security Verification Standard 4.0-en
Application Security Verification Standard 4.0
Final
March 2019
Table of Contents
Frontispiece ... 7
  About the Standard ... 7
  Copyright and License ... 7
  Project Leads ... 7
  Contributors and Reviewers ... 7

Preface ... 8
  What's new in 4.0 ... 8

Using the ASVS ... 9
  Application Security Verification Levels ... 9
  How to use this standard ... 10
    Level 1 - First steps, automated, or whole of portfolio view ... 10
    Level 2 - Most applications ... 10
    Level 3 - High value, high assurance, or high safety ... 11
  Applying ASVS in Practice ... 11

Assessment and Certification ... 11
  OWASP's Stance on ASVS Certifications and Trust Marks ... 11
  Guidance for Certifying Organizations ... 11
    Testing Method ... 12
  Other uses for the ASVS ... 12
    As Detailed Security Architecture Guidance ... 12
    As a Replacement for Off-the-shelf Secure Coding Checklists ... 13
    As a Guide for Automated Unit and Integration Tests ... 13
    For Secure Development Training ... 13
    As a Driver for Agile Application Security ... 13
    As a Framework for Guiding the Procurement of Secure Software ... 13

V1: Architecture, Design and Threat Modeling Requirements ... 14
  Control Objective ... 14
  V1.1 Secure Software Development Lifecycle Requirements ... 14
  V1.2 Authentication Architectural Requirements ... 15
  V1.3 Session Management Architectural Requirements ... 15
  V1.4 Access Control Architectural Requirements ... 15
  V1.5 Input and Output Architectural Requirements ... 16
  V1.6 Cryptographic Architectural Requirements ... 16
  V1.7 Errors, Logging and Auditing Architectural Requirements ... 17
  V1.8 Data Protection and Privacy Architectural Requirements ... 17
  V1.9 Communications Architectural Requirements ... 17
  V1.10 Malicious Software Architectural Requirements ... 17
  V1.11 Business Logic Architectural Requirements ... 18
  V1.12 Secure File Upload Architectural Requirements ... 18
  V1.13 API Architectural Requirements ... 18
  V1.14 Configuration Architectural Requirements ... 18
  References ... 19

V2: Authentication Verification Requirements ... 20
  Control Objective ... 20
  NIST 800-63 - Modern, evidence-based authentication standard ... 20
    Selecting an appropriate NIST AAL Level ... 20
  Legend ... 20
  V2.1 Password Security Requirements ... 21
  V2.2 General Authenticator Requirements ... 22
  V2.3 Authenticator Lifecycle Requirements ... 23
  V2.4 Credential Storage Requirements ... 23
  V2.5 Credential Recovery Requirements ... 24
  V2.6 Look-up Secret Verifier Requirements ... 25
  V2.7 Out of Band Verifier Requirements ... 25
  V2.8 Single or Multi Factor One Time Verifier Requirements ... 26
  V2.9 Cryptographic Software and Devices Verifier Requirements ... 27
  V2.10 Service Authentication Requirements ... 27
  Additional US Agency Requirements ... 27
  Glossary of terms ... 28
  References ... 28

V3: Session Management Verification Requirements ... 29
  Control Objective ... 29
  Security Verification Requirements ... 29
  V3.1 Fundamental Session Management Requirements ... 29
  V3.2 Session Binding Requirements ... 29
  V3.3 Session Logout and Timeout Requirements ... 29
  V3.4 Cookie-based Session Management ... 30
  V3.5 Token-based Session Management ... 31
  V3.6 Re-authentication from a Federation or Assertion ... 31
  V3.7 Defenses Against Session Management Exploits ... 31
    Description of the half-open Attack ... 31
  References ... 32

V4: Access Control Verification Requirements ... 33
  Control Objective ... 33
  Security Verification Requirements ... 33
  V4.1 General Access Control Design ... 33
  V4.2 Operation Level Access Control ... 33
  V4.3 Other Access Control Considerations ... 33
  References ... 34

V5: Validation, Sanitization and Encoding Verification Requirements ... 35
  Control Objective ... 35
  V5.1 Input Validation Requirements ... 35
  V5.2 Sanitization and Sandboxing Requirements ... 36
  V5.3 Output encoding and Injection Prevention Requirements ... 36
  V5.4 Memory, String, and Unmanaged Code Requirements ... 37
  V5.5 Deserialization Prevention Requirements ... 37
  References ... 38

V6: Stored Cryptography Verification Requirements ... 39
  Control Objective ... 39
  V6.1 Data Classification ... 39
  V6.2 Algorithms ... 39
  V6.3 Random Values ... 40
  V6.4 Secret Management ... 40
  References ... 40

V7: Error Handling and Logging Verification Requirements ... 42
  Control Objective ... 42
  V7.1 Log Content Requirements ... 42
  V7.2 Log Processing Requirements ... 42
  V7.3 Log Protection Requirements ... 43
  V7.4 Error Handling ... 43
  References ... 44

V8: Data Protection Verification Requirements ... 45
  Control Objective ... 45
  V8.1 General Data Protection ... 45
  V8.2 Client-side Data Protection ... 45
  V8.3 Sensitive Private Data ... 46
  References ... 47

V9: Communications Verification Requirements ... 48
  Control Objective ... 48
  V9.1 Communications Security Requirements ... 48
  V9.2 Server Communications Security Requirements ... 48
  References ... 49

V10: Malicious Code Verification Requirements ... 50
  Control Objective ... 50
  V10.1 Code Integrity Controls ... 50
  V10.2 Malicious Code Search ... 50
  V10.3 Deployed Application Integrity Controls ... 51
  References ... 51

V11: Business Logic Verification Requirements ... 52
  Control Objective ... 52
  V11.1 Business Logic Security Requirements ... 52
  References ... 53

V12: File and Resources Verification Requirements ... 54
  Control Objective ... 54
  V12.1 File Upload Requirements ... 54
  V12.2 File Integrity Requirements ... 54
  V12.3 File execution Requirements ... 54
  V12.4 File Storage Requirements ... 55
  V12.5 File Download Requirements ... 55
  V12.6 SSRF Protection Requirements ... 55
  References ... 55

V13: API and Web Service Verification Requirements ... 56
  Control Objective ... 56
  V13.1 Generic Web Service Security Verification Requirements ... 56
  V13.2 RESTful Web Service Verification Requirements ... 56