OWASP ASVS

Summary

The OWASP Application Security Verification Standard project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The version used in this section is OWASP-ASVS v4.0.3.

Definitions

Definition	Requirements
ASVS-1_1_1. Secure Software Development Lifecycle	331. Guarantee legal compliance
ASVS-1_2_1. Authentication architecture	186. Use the principle of least privilege 096. Set user's required privileges
ASVS-1_2_2. Authentication architecture	186. Use the principle of least privilege 228. Authenticate using standard protocols
ASVS-1_2_3. Authentication architecture	264. Request authentication
ASVS-1_2_4. Authentication architecture	328. Request MFA for critical systems
ASVS-1_4_1. Access control architecture	265. Restrict access to critical processes 320. Avoid client-side control enforcement
ASVS-1_5_2. Input and output architecture	321. Avoid deserializing untrusted data
ASVS-1_5_3. Input and output architecture	173. Discard unsafe inputs
ASVS-1_5_4. Input and output architecture	160. Encode system outputs
ASVS-1_6_2. Cryptographic architecture	145. Protect system cryptographic keys
ASVS-1_6_3. Cryptographic architecture	361. Replace cryptographic keys
ASVS-1_6_4. Cryptographic architecture	145. Protect system cryptographic keys
ASVS-1_7_2. Errors, logging and auditing architecture	378. Use of log management system
ASVS-1_8_2. Data protection and privacy architecture	185. Encrypt sensitive information 329. Keep client-side storage without sensitive data 026. Encrypt client-side session information
ASVS-1_9_1. Communications architecture	147. Use pre-existent mechanisms 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
ASVS-1_9_2. Communications architecture	336. Disable insecure TLS versions
ASVS-1_12_2. Secure File Upload Architecture	349. Include HTTP security headers
ASVS-1_14_5. Configuration architecture	321. Avoid deserializing untrusted data 374. Use of isolation methods in running applications
ASVS-1_14_6. Configuration architecture	262. Verify third-party components
ASVS-2_1_1. Password security	133. Passwords with at least 20 characters
ASVS-2_1_2. Password security	132. Passphrases with at least 4 words
ASVS-2_1_3. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
ASVS-2_1_4. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
ASVS-2_1_5. Password security	126. Set a password regeneration mechanism
ASVS-2_1_6. Password security	141. Force re-authentication
ASVS-2_1_7. Password security	332. Prevent the use of breached passwords
ASVS-2_1_8. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
ASVS-2_1_9. Password security	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters
ASVS-2_1_10. Password security	129. Validate previous passwords
ASVS-2_2_1. General authenticator security	237. Ascertain human interaction
ASVS-2_2_2. General authenticator security	153. Out of band transactions 231. Implement a biometric verification component
ASVS-2_2_3. General authenticator security	153. Out of band transactions
ASVS-2_2_4. General authenticator security	328. Request MFA for critical systems
ASVS-2_2_6. General authenticator security	139. Set minimum OTP length 140. Define OTP lifespan 347. Invalidate previous OTPs
ASVS-2_2_7. General authenticator security	153. Out of band transactions 231. Implement a biometric verification component
ASVS-2_3_1. Authenticator lifecycle	138. Define lifespan for temporary passwords 367. Proper generation of temporary passwords
ASVS-2_3_2. Authenticator lifecycle	153. Out of band transactions 231. Implement a biometric verification component
ASVS-2_4_1. Credential storage	127. Store hashed passwords 134. Store passwords with salt 150. Set minimum size for hash functions
ASVS-2_4_2. Credential storage	135. Passwords with random salt
ASVS-2_4_3. Credential storage	127. Store hashed passwords
ASVS-2_4_4. Credential storage	127. Store hashed passwords
ASVS-2_4_5. Credential storage	135. Passwords with random salt
ASVS-2_5_1. Credential recovery	126. Set a password regeneration mechanism
ASVS-2_5_2. Credential recovery	334. Avoid knowledge-based authentication
ASVS-2_5_3. Credential recovery	238. Establish safe recovery
ASVS-2_5_4. Credential recovery	142. Change system default credentials
ASVS-2_5_5. Credential recovery	301. Notify configuration changes
ASVS-2_5_6. Credential recovery	140. Define OTP lifespan 238. Establish safe recovery
ASVS-2_6_1. Look-up secret verifier	131. Deny multiple password changing attempts
ASVS-2_6_2. Look-up secret verifier	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
ASVS-2_6_3. Look-up secret verifier	126. Set a password regeneration mechanism 238. Establish safe recovery
ASVS-2_7_1. Out of band verifier	153. Out of band transactions
ASVS-2_7_2. Out of band verifier	335. Define out of band token lifespan
ASVS-2_7_3. Out of band verifier	335. Define out of band token lifespan
ASVS-2_7_4. Out of band verifier	338. Implement perfect forward secrecy
ASVS-2_7_6. Out of band verifier	223. Uniform distribution in random numbers
ASVS-2_8_1. One time verifier	140. Define OTP lifespan
ASVS-2_8_2. One time verifier	232. Require equipment identity
ASVS-2_8_3. One time verifier	147. Use pre-existent mechanisms
ASVS-2_8_4. One time verifier	347. Invalidate previous OTPs
ASVS-2_8_5. One time verifier	377. Store logs based on valid regulation
ASVS-2_8_6. One time verifier	141. Force re-authentication
ASVS-2_8_7. One time verifier	231. Implement a biometric verification component
ASVS-2_9_1. Cryptographic verifier	145. Protect system cryptographic keys
ASVS-2_9_3. Cryptographic verifier	224. Use secure cryptographic mechanisms
ASVS-2_10_2. Service authentication	142. Change system default credentials
ASVS-2_10_3. Service authentication	134. Store passwords with salt
ASVS-2_10_4. Service authentication	156. Source code without sensitive information
ASVS-3_1_1. Fundamental session management security	037. Parameters without sensitive data
ASVS-3_2_1. Session binding	030. Avoid object reutilization
ASVS-3_2_2. Session binding	224. Use secure cryptographic mechanisms
ASVS-3_2_3. Session binding	029. Cookies with security attributes
ASVS-3_2_4. Session binding	224. Use secure cryptographic mechanisms
ASVS-3_3_1. Session termination	030. Avoid object reutilization
ASVS-3_3_2. Session termination	141. Force re-authentication
ASVS-3_3_3. Session termination	141. Force re-authentication 028. Allow users to log out
ASVS-3_3_4. Session termination	028. Allow users to log out
ASVS-3_4_1. Cookie-based session management	029. Cookies with security attributes
ASVS-3_4_2. Cookie-based session management	029. Cookies with security attributes
ASVS-3_4_3. Cookie-based session management	029. Cookies with security attributes
ASVS-3_4_4. Cookie-based session management	029. Cookies with security attributes
ASVS-3_4_5. Cookie-based session management	029. Cookies with security attributes 031. Discard user session data
ASVS-3_5_2. Token-based session management	357. Use stateless session tokens
ASVS-3_5_3. Token-based session management	357. Use stateless session tokens
ASVS-3_7_1. Defenses against session management exploits	319. Make authentication options equally secure
ASVS-4_1_1. General access control design	341. Use the principle of deny by default 096. Set user's required privileges
ASVS-4_1_2. General access control design	026. Encrypt client-side session information 096. Set user's required privileges
ASVS-4_1_3. General access control design	186. Use the principle of least privilege
ASVS-4_1_5. General access control design	359. Avoid using generic exceptions
ASVS-4_2_1. Operation level access control	176. Restrict system objects
ASVS-4_2_2. Operation level access control	141. Force re-authentication 030. Avoid object reutilization 031. Discard user session data
ASVS-4_3_1. Other access control considerations	122. Validate credential ownership 153. Out of band transactions 176. Restrict system objects 229. Request access credentials 231. Implement a biometric verification component 264. Request authentication 266. Disable insecure functionalities 319. Make authentication options equally secure 328. Request MFA for critical systems
ASVS-5_1_1. Input validation	342. Validate request parameters
ASVS-5_1_2. Input validation	237. Ascertain human interaction 327. Set a rate limit
ASVS-5_1_3. Input validation	342. Validate request parameters
ASVS-5_1_4. Input validation	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
ASVS-5_1_5. Input validation	324. Control redirects
ASVS-5_2_1. Sanitization and sandboxing	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
ASVS-5_2_2. Sanitization and sandboxing	173. Discard unsafe inputs 320. Avoid client-side control enforcement
ASVS-5_2_3. Sanitization and sandboxing	115. Filter malicious emails 118. Inspect attachments 173. Discard unsafe inputs 320. Avoid client-side control enforcement
ASVS-5_2_4. Sanitization and sandboxing	344. Avoid dynamic code execution
ASVS-5_2_5. Sanitization and sandboxing	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 266. Disable insecure functionalities
ASVS-5_2_6. Sanitization and sandboxing	173. Discard unsafe inputs 324. Control redirects
ASVS-5_2_7. Sanitization and sandboxing	173. Discard unsafe inputs 320. Avoid client-side control enforcement
ASVS-5_2_8. Sanitization and sandboxing	374. Use of isolation methods in running applications 050. Control calls to interpreted code
ASVS-5_3_1. Output encoding and injection prevention	160. Encode system outputs
ASVS-5_3_2. Output encoding and injection prevention	044. Define an explicit charset
ASVS-5_3_3. Output encoding and injection prevention	173. Discard unsafe inputs 342. Validate request parameters
ASVS-5_3_4. Output encoding and injection prevention	169. Use parameterized queries
ASVS-5_3_5. Output encoding and injection prevention	169. Use parameterized queries 173. Discard unsafe inputs 342. Validate request parameters
ASVS-5_3_6. Output encoding and injection prevention	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
ASVS-5_3_7. Output encoding and injection prevention	173. Discard unsafe inputs
ASVS-5_3_8. Output encoding and injection prevention	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
ASVS-5_3_9. Output encoding and injection prevention	348. Use consistent encoding
ASVS-5_3_10. Output encoding and injection prevention	173. Discard unsafe inputs
ASVS-5_4_1. Memory, string, and unmanaged code	158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs
ASVS-5_4_2. Memory, string, and unmanaged code	173. Discard unsafe inputs 320. Avoid client-side control enforcement
ASVS-5_4_3. Memory, string, and unmanaged code	345. Establish protections against overflows
ASVS-5_5_1. Deserialization prevention	321. Avoid deserializing untrusted data
ASVS-5_5_2. Deserialization prevention	157. Use the strict mode
ASVS-5_5_3. Deserialization prevention	173. Discard unsafe inputs 321. Avoid deserializing untrusted data
ASVS-5_5_4. Deserialization prevention	173. Discard unsafe inputs 321. Avoid deserializing untrusted data 344. Avoid dynamic code execution
ASVS-6_1_1. Data classification	185. Encrypt sensitive information
ASVS-6_1_2. Data classification	185. Encrypt sensitive information
ASVS-6_1_3. Data classification	185. Encrypt sensitive information
ASVS-6_2_1. Algorithms	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 181. Transmit data using secure protocols
ASVS-6_2_2. Algorithms	147. Use pre-existent mechanisms
ASVS-6_2_3. Algorithms	346. Use initialization vectors once
ASVS-6_2_4. Algorithms	223. Uniform distribution in random numbers
ASVS-6_2_5. Algorithms	148. Set minimum size of asymmetric encryption 150. Set minimum size for hash functions
ASVS-6_2_6. Algorithms	346. Use initialization vectors once
ASVS-6_2_7. Algorithms	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 181. Transmit data using secure protocols
ASVS-6_2_8. Algorithms	224. Use secure cryptographic mechanisms
ASVS-6_3_1. Random values	223. Uniform distribution in random numbers
ASVS-6_3_2. Random values	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
ASVS-6_3_3. Random values	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
ASVS-6_4_1. Secret management	145. Protect system cryptographic keys 380. Define a password management tool
ASVS-6_4_2. Secret management	156. Source code without sensitive information 380. Define a password management tool
ASVS-7_1_1. Log content	083. Avoid logging sensitive data
ASVS-7_1_2. Log content	377. Store logs based on valid regulation
ASVS-7_1_3. Log content	075. Record exceptional events in logs
ASVS-7_1_4. Log content	322. Avoid excessive logging
ASVS-7_2_2. Log processing	378. Use of log management system 075. Record exceptional events in logs
ASVS-7_2_4. Log processing	083. Avoid logging sensitive data
ASVS-7_3_1. Log protection	173. Discard unsafe inputs 080. Prevent log modification
ASVS-7_3_3. Log protection	080. Prevent log modification
ASVS-7_3_4. Log protection	079. Record exact occurrence time of events
ASVS-7_4_1. Error handling	075. Record exceptional events in logs
ASVS-7_4_2. Error handling	075. Record exceptional events in logs 079. Record exact occurrence time of events
ASVS-7_4_3. Error handling	378. Use of log management system
ASVS-8_1_1. General data protection	266. Disable insecure functionalities
ASVS-8_1_2. General data protection	177. Avoid caching and temporary files
ASVS-8_1_3. General data protection	173. Discard unsafe inputs 320. Avoid client-side control enforcement
ASVS-8_1_4. General data protection	378. Use of log management system 075. Record exceptional events in logs
ASVS-8_2_1. Client-side data protection	329. Keep client-side storage without sensitive data 375. Remove sensitive data from client-side applications
ASVS-8_3_1. Sensitive private data	349. Include HTTP security headers
ASVS-8_3_2. Sensitive private data	317. Allow erasure requests
ASVS-8_3_3. Sensitive private data	189. Specify the purpose of data collection
ASVS-8_3_4. Sensitive private data	315. Provide processed data information
ASVS-8_3_5. Sensitive private data	323. Exclude unverifiable files
ASVS-8_3_6. Sensitive private data	350. Enable memory protection mechanisms
ASVS-8_3_7. Sensitive private data	147. Use pre-existent mechanisms
ASVS-9_1_1. Client communication security	336. Disable insecure TLS versions
ASVS-9_1_2. Client communication security	181. Transmit data using secure protocols 336. Disable insecure TLS versions
ASVS-9_1_3. Client communication security	336. Disable insecure TLS versions
ASVS-9_2_1. Server communication security	091. Use internally signed certificates 092. Use externally signed certificates
ASVS-9_2_2. Server communication security	181. Transmit data using secure protocols
ASVS-9_2_3. Server communication security	176. Restrict system objects 264. Request authentication
ASVS-10_1_1. Code integrity	155. Application free of malicious code
ASVS-10_2_1. Malicious code search	155. Application free of malicious code 041. Scan files for malicious code
ASVS-10_2_3. Malicious code search	154. Eliminate backdoors
ASVS-10_2_4. Malicious code search	262. Verify third-party components
ASVS-10_2_5. Malicious code search	262. Verify third-party components
ASVS-10_2_6. Malicious code search	155. Application free of malicious code 041. Scan files for malicious code
ASVS-10_3_1. Application integrity	178. Use digital signatures 088. Request client certificates 090. Use valid certificates 093. Use consistent certificates
ASVS-10_3_2. Application integrity	178. Use digital signatures 262. Verify third-party components 330. Verify Subresource Integrity
ASVS-10_3_3. Application integrity	266. Disable insecure functionalities
ASVS-11_1_1. Business logic security	337. Make critical logic flows thread safe
ASVS-11_1_2. Business logic security	327. Set a rate limit 072. Set maximum response time
ASVS-11_1_3. Business logic security	327. Set a rate limit 072. Set maximum response time
ASVS-11_1_4. Business logic security	327. Set a rate limit 039. Define maximum file size 043. Define an explicit content type 072. Set maximum response time
ASVS-12_1_1. File upload	039. Define maximum file size
ASVS-12_1_2. File upload	039. Define maximum file size 042. Validate file format
ASVS-12_1_3. File upload	039. Define maximum file size
ASVS-12_2_1. File integrity	340. Use octet stream downloads
ASVS-12_3_1. File execution	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
ASVS-12_3_2. File execution	173. Discard unsafe inputs 176. Restrict system objects
ASVS-12_3_3. File execution	348. Use consistent encoding
ASVS-12_3_4. File execution	266. Disable insecure functionalities 349. Include HTTP security headers 043. Define an explicit content type 062. Define standard configurations
ASVS-12_3_5. File execution	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
ASVS-12_3_6. File execution	266. Disable insecure functionalities 340. Use octet stream downloads
ASVS-12_4_1. File storage	339. Avoid storing sensitive files in the web root
ASVS-12_4_2. File storage	118. Inspect attachments
ASVS-12_5_1. File download	040. Compare file format and extension
ASVS-12_5_2. File download	040. Compare file format and extension 042. Validate file format 043. Define an explicit content type
ASVS-12_6_1. SSRF protection	173. Discard unsafe inputs 324. Control redirects
ASVS-13_1_1. Generic web service security	348. Use consistent encoding
ASVS-13_1_3. Generic web service security	261. Avoid exposing sensitive information
ASVS-13_1_5. Generic web service security	349. Include HTTP security headers 062. Define standard configurations
ASVS-13_2_1. RESTful web service	266. Disable insecure functionalities
ASVS-13_2_2. RESTful web service	342. Validate request parameters
ASVS-13_2_3. RESTful web service	174. Transactions without a distinguishable pattern 029. Cookies with security attributes
ASVS-13_2_5. RESTful web service	266. Disable insecure functionalities 349. Include HTTP security headers 062. Define standard configurations
ASVS-13_2_6. RESTful web service	181. Transmit data using secure protocols 336. Disable insecure TLS versions
ASVS-13_3_1. SOAP web service	173. Discard unsafe inputs
ASVS-13_3_2. SOAP web service	228. Authenticate using standard protocols
ASVS-13_4_1. GraphQL	176. Restrict system objects 264. Request authentication 077. Avoid disclosing technical information
ASVS-14_1_1. Build and deploy	051. Store source code in a repository 062. Define standard configurations
ASVS-14_1_2. Build and deploy	157. Use the strict mode 158. Use a secure programming language 164. Use optimized structures
ASVS-14_1_3. Build and deploy	266. Disable insecure functionalities
ASVS-14_1_4. Build and deploy	062. Define standard configurations
ASVS-14_1_5. Build and deploy	228. Authenticate using standard protocols 229. Request access credentials 235. Define credential interface 264. Request authentication
ASVS-14_2_1. Dependency	302. Declare dependencies explicitly
ASVS-14_2_2. Dependency	360. Remove unnecessary sensitive information
ASVS-14_2_3. Dependency	330. Verify Subresource Integrity
ASVS-14_2_4. Dependency	362. Assign MFA mechanisms to a single account
ASVS-14_2_5. Dependency	262. Verify third-party components
ASVS-14_2_6. Dependency	374. Use of isolation methods in running applications
ASVS-14_3_2. Unintended security disclosure	078. Disable debugging events
ASVS-14_3_3. Unintended security disclosure	077. Avoid disclosing technical information
ASVS-14_4_1. HTTP security headers	266. Disable insecure functionalities 349. Include HTTP security headers 062. Define standard configurations
ASVS-14_4_2. HTTP security headers	349. Include HTTP security headers 043. Define an explicit content type
ASVS-14_4_3. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
ASVS-14_4_4. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
ASVS-14_4_5. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
ASVS-14_4_6. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
ASVS-14_4_7. HTTP security headers	349. Include HTTP security headers 062. Define standard configurations
ASVS-14_5_1. HTTP request header validation	173. Discard unsafe inputs 266. Disable insecure functionalities 320. Avoid client-side control enforcement 349. Include HTTP security headers 062. Define standard configurations

Last updated

2023/09/18