CASA

The Cloud Application Security Assessment (CASA) has built upon the industry-recognized standards of the OWASP's Application Security Verification Standard (ASVS) to provide a consistent set of requirements to harden security for any application.

Control-Requirement Mapping

Definition	Requirements
1_2_2. Authentication Architecture	186. Use the principle of least privilege 228. Authenticate using standard protocols
1_2_3. Authentication Architecture	264. Request authentication
1_4_1. Access Control Architecture	265. Restrict access to critical processes 320. Avoid client-side control enforcement
1_4_4. Access Control Architecture	228. Authenticate using standard protocols 264. Request authentication
1_5_2. Input and Output Architecture	321. Avoid deserializing untrusted data
1_5_3. Input and Output Architecture	173. Discard unsafe inputs
1_5_4. Input and Output Architecture	160. Encode system outputs
1_8_2. Data Protection and Privacy Architecture	185. Encrypt sensitive information 329. Keep client-side storage without sensitive data 026. Encrypt client-side session information
1_9_1. Communications Architecture	147. Use pre-existent mechanisms 181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
1_11_3. Communications Architecture	337. Make critical logic flows thread safe
1_14_1. Configuration Architecture	176. Restrict system objects
1_14_2. Configuration Architecture	330. Verify Subresource Integrity
1_14_3. Configuration Architecture	330. Verify Subresource Integrity
1_14_4. Configuration Architecture	330. Verify Subresource Integrity
1_14_5. Configuration Architecture	321. Avoid deserializing untrusted data 374. Use of isolation methods in running applications
1_14_6. Configuration Architecture	262. Verify third-party components
2_2_1. General Authenticator Security	237. Ascertain human interaction
2_2_4. General Authenticator Security	328. Request MFA for critical systems
2_2_5. General Authenticator Security	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
2_3_1. Authenticator Lifecycle	138. Define lifespan for temporary passwords 367. Proper generation of temporary passwords
2_4_1. Credential Storage	127. Store hashed passwords 134. Store passwords with salt 150. Set minimum size for hash functions
2_4_3. Credential Storage	127. Store hashed passwords
2_4_5. Credential Storage	135. Passwords with random salt
2_6_1. Look-up Secret Verifier	131. Deny multiple password changing attempts
2_7_2. Out of Band Verifier	335. Define out of band token lifespan
2_7_3. Out of Band Verifier	335. Define out of band token lifespan
2_7_4. Out of Band Verifier	338. Implement perfect forward secrecy
2_7_5. Out of Band Verifier	153. Out of band transactions
2_7_6. Out of Band Verifier	223. Uniform distribution in random numbers
2_8_2. One Time Verifier	232. Require equipment identity
2_8_5. One Time Verifier	377. Store logs based on valid regulation
2_8_6. One Time Verifier	141. Force re-authentication
2_9_1. Cryptographic Verifier	145. Protect system cryptographic keys
2_9_3. Cryptographic Verifier	224. Use secure cryptographic mechanisms
2_10_1. Service Authentication	122. Validate credential ownership 228. Authenticate using standard protocols 236. Establish authentication time 264. Request authentication 319. Make authentication options equally secure 334. Avoid knowledge-based authentication 362. Assign MFA mechanisms to a single account
2_10_2. Service Authentication	142. Change system default credentials
2_10_3. Service Authentication	134. Store passwords with salt
2_10_4. Service Authentication	156. Source code without sensitive information
3_2_3. Session Binding	029. Cookies with security attributes
3_3_1. Session Termination	030. Avoid object reutilization
3_3_3. Session Termination	141. Force re-authentication 028. Allow users to log out
3_3_4. Session Termination	028. Allow users to log out
3_4_1. Cookie-based Session Management	029. Cookies with security attributes
3_4_2. Cookie-based Session Management	029. Cookies with security attributes
3_4_3. Cookie-based Session Management	029. Cookies with security attributes
3_5_1. Token-based Session Management	173. Discard unsafe inputs
3_5_2. Token-based Session Management	357. Use stateless session tokens
3_5_3. Token-based Session Management	357. Use stateless session tokens
3_7_1. Defenses Against Session Management Exploits	319. Make authentication options equally secure
4_1_1. General Access Control Design	341. Use the principle of deny by default 096. Set user's required privileges
4_1_2. General Access Control Design	026. Encrypt client-side session information 096. Set user's required privileges
4_1_3. General Access Control Design	186. Use the principle of least privilege
4_1_5. General Access Control Design	359. Avoid using generic exceptions
4_2_2. Operation Level Access Control	141. Force re-authentication 030. Avoid object reutilization 031. Discard user session data
4_3_1. Other Access Control Considerations	122. Validate credential ownership 153. Out of band transactions 176. Restrict system objects 229. Request access credentials 231. Implement a biometric verification component 264. Request authentication 266. Disable insecure functionalities 319. Make authentication options equally secure 328. Request MFA for critical systems
4_3_2. Other Access Control Considerations	176. Restrict system objects 266. Disable insecure functionalities
4_3_3. Other Access Control Considerations	176. Restrict system objects 186. Use the principle of least privilege 341. Use the principle of deny by default
5_1_1. Input Validation	342. Validate request parameters
5_1_2. Input Validation	237. Ascertain human interaction 327. Set a rate limit
5_1_3. Input Validation	342. Validate request parameters
5_1_4. Input Validation	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
5_1_5. Input Validation	324. Control redirects
5_2_3. Sanitization and Sandboxing	115. Filter malicious emails 118. Inspect attachments 173. Discard unsafe inputs 320. Avoid client-side control enforcement
5_2_4. Sanitization and Sandboxing	344. Avoid dynamic code execution
5_2_5. Sanitization and Sandboxing	173. Discard unsafe inputs 176. Restrict system objects 265. Restrict access to critical processes 266. Disable insecure functionalities
5_2_6. Sanitization and Sandboxing	173. Discard unsafe inputs 324. Control redirects
5_2_7. Sanitization and Sandboxing	173. Discard unsafe inputs 320. Avoid client-side control enforcement
5_3_1. Output Encoding and Injection Prevention	160. Encode system outputs
5_3_2. Output Encoding and Injection Prevention	044. Define an explicit charset
5_3_3. Output Encoding and Injection Prevention	173. Discard unsafe inputs 342. Validate request parameters
5_3_4. Output Encoding and Injection Prevention	169. Use parameterized queries
5_3_6. Output Encoding and Injection Prevention	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
5_3_7. Output Encoding and Injection Prevention	173. Discard unsafe inputs
5_3_8. Output Encoding and Injection Prevention	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
5_3_9. Output Encoding and Injection Prevention	348. Use consistent encoding
5_3_10. Output Encoding and Injection Prevention	173. Discard unsafe inputs
5_5_1. Deserialization Prevention	321. Avoid deserializing untrusted data
5_5_2. Deserialization Prevention	157. Use the strict mode
6_1_1. Data Classification	185. Encrypt sensitive information
6_1_2. Data Classification	185. Encrypt sensitive information
6_1_3. Data Classification	185. Encrypt sensitive information
6_2_1. Algorithms	148. Set minimum size of asymmetric encryption
6_2_2. Algorithms	147. Use pre-existent mechanisms
6_2_3. Algorithms	346. Use initialization vectors once
6_2_4. Algorithms	223. Uniform distribution in random numbers
6_2_5. Algorithms	148. Set minimum size of asymmetric encryption 150. Set minimum size for hash functions
6_2_6. Algorithms	346. Use initialization vectors once
6_2_7. Algorithms	148. Set minimum size of asymmetric encryption 149. Set minimum size of symmetric encryption 150. Set minimum size for hash functions 181. Transmit data using secure protocols
6_2_8. Algorithms	224. Use secure cryptographic mechanisms
6_3_1. Random Values	223. Uniform distribution in random numbers
6_3_2. Random Values	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
6_3_3. Random Values	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
6_4_2. Secret Management	156. Source code without sensitive information 380. Define a password management tool
7_1_1. Log Content	083. Avoid logging sensitive data
7_1_2. Log Content	377. Store logs based on valid regulation
7_1_3. Log Content	075. Record exceptional events in logs
7_3_1. Log Protection	173. Discard unsafe inputs 080. Prevent log modification
7_3_3. Log Protection	080. Prevent log modification
8_1_1. General Data Protection	266. Disable insecure functionalities
8_1_3. General Data Protection	173. Discard unsafe inputs 320. Avoid client-side control enforcement
8_1_6. General Data Protection	185. Encrypt sensitive information 046. Manage the integrity of critical files
8_2_1. Client-side Data Protection	329. Keep client-side storage without sensitive data 375. Remove sensitive data from client-side applications
8_2_2. Client-side Data Protection	329. Keep client-side storage without sensitive data 339. Avoid storing sensitive files in the web root
8_3_1. Sensitive Private Data	349. Include HTTP security headers
8_3_2. Sensitive Private Data	317. Allow erasure requests
8_3_3. Sensitive Private Data	189. Specify the purpose of data collection
8_3_5. Sensitive Private Data	323. Exclude unverifiable files
8_3_6. Sensitive Private Data	350. Enable memory protection mechanisms
8_3_8. Sensitive Private Data	360. Remove unnecessary sensitive information
9_1_2. Client Communication Security	181. Transmit data using secure protocols 336. Disable insecure TLS versions
9_1_3. Client Communication Security	336. Disable insecure TLS versions
9_2_1. Server Communication Security	091. Use internally signed certificates 092. Use externally signed certificates
9_2_4. Server Communication Security	088. Request client certificates 089. Limit validity of certificates 090. Use valid certificates
9_2_5. Server Communication Security	075. Record exceptional events in logs 079. Record exact occurrence time of events
10_1_1. Code Integrity	155. Application free of malicious code
10_2_3. Malicious Code Search	154. Eliminate backdoors
10_2_4. Malicious Code Search	262. Verify third-party components
10_2_5. Malicious Code Search	262. Verify third-party components
10_3_2. Application Integrity	178. Use digital signatures 262. Verify third-party components 330. Verify Subresource Integrity
10_3_3. Application Integrity	266. Disable insecure functionalities
11_1_4. Business Logic Security	327. Set a rate limit 039. Define maximum file size 043. Define an explicit content type 072. Set maximum response time
12_4_1. File Storage	339. Avoid storing sensitive files in the web root
12_4_2. File Storage	118. Inspect attachments
13_1_1. Generic Web Service Security	348. Use consistent encoding
13_1_3. Generic Web Service Security	261. Avoid exposing sensitive information
13_1_4. Generic Web Service Security	177. Avoid caching and temporary files 320. Avoid client-side control enforcement 341. Use the principle of deny by default 095. Define users with privileges
13_2_1. RESTful Web Service	342. Validate request parameters
14_1_1. Build and Deploy	158. Use a secure programming language 051. Store source code in a repository 062. Define standard configurations
14_1_4. Build and Deploy	062. Define standard configurations
14_1_5. Build and Deploy	228. Authenticate using standard protocols 229. Request access credentials 235. Define credential interface 264. Request authentication
14_2_1. Dependency	302. Declare dependencies explicitly
14_3_2. Unintended Security Disclosure	078. Disable debugging events
14_5_2. HTTP Request Header Validation	129. Validate previous passwords

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.