
Application Security Verification Standard 3.0.1

July 2016

Acknowledgements 3

About the Standard 3

Copyright and License 3

Preface 5

What’s new in 3.0? 5

Using the Application Security Verification Standard 6

Application Security Verification Levels 6

How to use this standard 7

Applying ASVS in Practice 8

Case Studies 11

Case Study 1: As a Security Testing Guide 11

Case Study 2: As a secure SDLC 12

Assessing software has achieved a verification level 13

OWASP’s stance on ASVS Certifications and Trust Marks 13

Guidance for certifying organizations 13

The role of automated penetration testing tools 13

The role of penetration testing 14

As detailed security architecture guidance 14

As a replacement for off the shelf secure coding checklists 14

As a guide for automated unit and integration tests 14

As secure development training 14

OWASP Projects using ASVS 16

Security Knowledge Framework 16

OWASP Zed Attack Proxy 16

OWASP Cornucopia 16

Detailed Verification Requirements 17

V1: Architecture, design and threat modelling 18

Control objective 18

Requirements 18

References 19

V2: Authentication Verification Requirements 20

Control objective 20

Requirements 20

References 22

V3: Session Management Verification Requirements 24

Control objective 24

Requirements 24

References 25

V4: Access Control Verification Requirements 26

Control objective 26

Requirements 26

References 27

V5: Malicious input handling verification requirements 28

Control objective 28

Requirements 28

References 30

V6: Output encoding / escaping 32

V7: Cryptography at rest verification requirements 33

Control objective 33

Requirements 33

References 34

V8: Error handling and logging verification requirements 35

Control objective 35

Requirements 35

References 36

V9: Data protection verification requirements 37

Control objective 37

Requirements 37

References 39

V10: Communications security verification requirements 40

Control objective 40

Requirements 40

References 41

V11: HTTP security configuration verification requirements 43

Control objective 43

Requirements 43

References 44

V12: Security configuration verification requirements 45

V13: Malicious controls verification requirements 46

Control objective 46

Requirements 46

References 46

V14: Internal security verification requirements 47

V15: Business logic verification requirements 48

Control objective 48

Requirements 48

References 48

V16: Files and resources verification requirements 49

Control objective 49

Requirements 49

References 50

V17: Mobile verification requirements 51

Control objective 51

Requirements 51

References 52

V18: Web services verification requirements 53

Control objective 53

Requirements 53

References 54

V19: Configuration 55

Control objective 55

Requirements 55

References 56

Appendix A: What ever happened to… 57

Appendix B: Glossary 62

Appendix C: References 66

Appendix D: Standards Mappings 67


About the Standard

The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.

Copyright and License

Copyright © 2008 – 2016 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.

Version 3.0, 2015

Project Leads

Lead Authors

Contributors and Reviewers

Andrew van der Stock

Daniel Cuthbert

Jim Manico

Abhinav Sejpal

Ari Kesäniemi

Boy Baukema

Colin Watson

Cristinel Dumitru

David Ryan

François-Eric Guyomarc’h

Gary Robinson

Glenn Ten Cate

James Holland

Martin Knobloch

Raoul Endres

Ravishankar S

Riccardo Ten Cate

Roberto Martelloni

Ryan Dewhurst

Stephen de Vries

Steven van der Baan

Version 2.0, 2014

Project Leads

Lead Authors

Contributors and Reviewers

Daniel Cuthbert

Sahba Kazerooni

Andrew van der Stock

Krishna Raja

Antonio Fontes

Archangel Cuison

Ari Kesäniemi

Boy Baukema

Colin Watson

Dr Emin Tatli

Etienne Stalmans

Evan Gaustad

Jeff Sergeant

Jerome Athias

Jim Manico

Mait Peekma

Pekka Sillanpää

Safuat Hamdy

Scott Luc

Sebastien Deleersnyder

Version 1.0, 2009

Project Leads

Lead Authors

Contributors and Reviewers

Mike Boberski

Jeff Williams

Dave Wichers

Jim Manico

Andrew van der Stock

Barry Boyd

Bedirhan Urgun

Colin Watson

Dan Cornell

Dave Hausladen

Dave van Stein

Dr. Sarbari Gupta

Dr. Thomas Braun

Eoin Keary

Gaurang Shah

George Lawless

Jeff LoSapio

Jeremiah Grossman

John Martin

John Steven

Ken Huang

Ketan Dilipkumar Vyas

Liz Fong

Shouvik Bardhan

Mandeep Khera

Matt Presson

Nam Nguyen

Paul Douthit

Pierre Parrend

Richard Campbell

Scott Matsumoto

Stan Wisseman

Stephen de Vries

Steve Coyle

Terrie Diaz

Theodore Winograd
