OWASP Application Security Verification Standard 4.0-en

Application Security Verification Standard 4.0

Final

March 2019

Table of Contents

Frontispiece
  About the Standard
  Copyright and License
  Project Leads
  Contributors and Reviewers

Preface
  What's new in 4.0

Using the ASVS
  Application Security Verification Levels
  How to use this standard
    Level 1 - First steps, automated, or whole of portfolio view
    Level 2 - Most applications
    Level 3 - High value, high assurance, or high safety
  Applying ASVS in Practice

Assessment and Certification
  OWASP's Stance on ASVS Certifications and Trust Marks
  Guidance for Certifying Organizations
    Testing Method
  Other uses for the ASVS
    As Detailed Security Architecture Guidance
    As a Replacement for Off-the-shelf Secure Coding Checklists
    As a Guide for Automated Unit and Integration Tests
    For Secure Development Training
    As a Driver for Agile Application Security
    As a Framework for Guiding the Procurement of Secure Software

V1: Architecture, Design and Threat Modeling Requirements
  Control Objective
  V1.1 Secure Software Development Lifecycle Requirements
  V1.2 Authentication Architectural Requirements
  V1.3 Session Management Architectural Requirements
  V1.4 Access Control Architectural Requirements
  V1.5 Input and Output Architectural Requirements
  V1.6 Cryptographic Architectural Requirements
  V1.7 Errors, Logging and Auditing Architectural Requirements
  V1.8 Data Protection and Privacy Architectural Requirements
  V1.9 Communications Architectural Requirements
  V1.10 Malicious Software Architectural Requirements
  V1.11 Business Logic Architectural Requirements
  V1.12 Secure File Upload Architectural Requirements
  V1.13 API Architectural Requirements
  V1.14 Configuration Architectural Requirements
  References

V2: Authentication Verification Requirements
  Control Objective
  NIST 800-63 - Modern, evidence-based authentication standard
    Selecting an appropriate NIST AAL Level
  Legend
  V2.1 Password Security Requirements
  V2.2 General Authenticator Requirements
  V2.3 Authenticator Lifecycle Requirements
  V2.4 Credential Storage Requirements
  V2.5 Credential Recovery Requirements
  V2.6 Look-up Secret Verifier Requirements
  V2.7 Out of Band Verifier Requirements
  V2.8 Single or Multi Factor One Time Verifier Requirements
  V2.9 Cryptographic Software and Devices Verifier Requirements
  V2.10 Service Authentication Requirements
  Additional US Agency Requirements
  Glossary of terms
  References

V3: Session Management Verification Requirements
  Control Objective
  Security Verification Requirements
  V3.1 Fundamental Session Management Requirements
  V3.2 Session Binding Requirements
  V3.3 Session Logout and Timeout Requirements
  V3.4 Cookie-based Session Management
  V3.5 Token-based Session Management
  V3.6 Re-authentication from a Federation or Assertion
  V3.7 Defenses Against Session Management Exploits
    Description of the half-open Attack
  References

V4: Access Control Verification Requirements
  Control Objective
  Security Verification Requirements
  V4.1 General Access Control Design
  V4.2 Operation Level Access Control
  V4.3 Other Access Control Considerations
  References

V5: Validation, Sanitization and Encoding Verification Requirements
  Control Objective
  V5.1 Input Validation Requirements
  V5.2 Sanitization and Sandboxing Requirements
  V5.3 Output Encoding and Injection Prevention Requirements
  V5.4 Memory, String, and Unmanaged Code Requirements
  V5.5 Deserialization Prevention Requirements
  References

V6: Stored Cryptography Verification Requirements
  Control Objective
  V6.1 Data Classification
  V6.2 Algorithms
  V6.3 Random Values
  V6.4 Secret Management
  References

V7: Error Handling and Logging Verification Requirements
  Control Objective
  V7.1 Log Content Requirements
  V7.2 Log Processing Requirements
  V7.3 Log Protection Requirements
  V7.4 Error Handling
  References

V8: Data Protection Verification Requirements
  Control Objective
  V8.1 General Data Protection
  V8.2 Client-side Data Protection
  V8.3 Sensitive Private Data
  References

V9: Communications Verification Requirements
  Control Objective
  V9.1 Communications Security Requirements
  V9.2 Server Communications Security Requirements
  References

V10: Malicious Code Verification Requirements
  Control Objective
  V10.1 Code Integrity Controls
  V10.2 Malicious Code Search
  V10.3 Deployed Application Integrity Controls
  References

V11: Business Logic Verification Requirements
  Control Objective
  V11.1 Business Logic Security Requirements
  References

V12: File and Resources Verification Requirements
  Control Objective
  V12.1 File Upload Requirements
  V12.2 File Integrity Requirements
  V12.3 File Execution Requirements
  V12.4 File Storage Requirements
  V12.5 File Download Requirements
  V12.6 SSRF Protection Requirements
  References

V13: API and Web Service Verification Requirements
  Control Objective
  V13.1 Generic Web Service Security Verification Requirements
  V13.2 RESTful Web Service Verification Requirements
