Scribd
Upload
45 views28 pages

OWASP Application Security Verification Standard 4.0.3-En

The document outlines various chapters and sections related to software architecture, authentication, session management, access control, and data protection. Each chapter is divided into multiple sections, detailing specific requirements and architectures. The content is structured to provide a comprehensive overview of secure software development practices.

Uploaded by

redteamfore
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
45 views28 pages

OWASP Application Security Verification Standard 4.0.3-En

The document outlines various chapters and sections related to software architecture, authentication, session management, access control, and data protection. Each chapter is divided into multiple sections, detailing specific requirements and architectures. The content is structured to provide a comprehensive overview of secure software development practices.

Uploaded by

redteamfore
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
You are on page 1/ 28

chapter_id chapter_name section_id

V1 Architecture, Design and TV1.1


V1 Architecture, Design and TV1.1
V1 Architecture, Design and TV1.1
V1 Architecture, Design and TV1.1
V1 Architecture, Design and TV1.1
V1 Architecture, Design and TV1.1
V1 Architecture, Design and TV1.1
V1 Architecture, Design and TV1.2
V1 Architecture, Design and TV1.2
V1 Architecture, Design and TV1.2
V1 Architecture, Design and TV1.2
V1 Architecture, Design and TV1.4
V1 Architecture, Design and TV1.4
V1 Architecture, Design and TV1.4
V1 Architecture, Design and TV1.4
V1 Architecture, Design and TV1.4
V1 Architecture, Design and TV1.5
V1 Architecture, Design and TV1.5
V1 Architecture, Design and TV1.5
V1 Architecture, Design and TV1.5
V1 Architecture, Design and TV1.6
V1 Architecture, Design and TV1.6
V1 Architecture, Design and TV1.6
V1 Architecture, Design and TV1.6
V1 Architecture, Design and TV1.7
V1 Architecture, Design and TV1.7
V1 Architecture, Design and TV1.8
V1 Architecture, Design and TV1.8
V1 Architecture, Design and TV1.9
V1 Architecture, Design and TV1.9
V1 Architecture, Design and TV1.10
V1 Architecture, Design and TV1.11
V1 Architecture, Design and TV1.11
V1 Architecture, Design and TV1.11
V1 Architecture, Design and TV1.12
V1 Architecture, Design and TV1.12
V1 Architecture, Design and TV1.14
V1 Architecture, Design and TV1.14
V1 Architecture, Design and TV1.14
V1 Architecture, Design and TV1.14
V1 Architecture, Design and TV1.14
V1 Architecture, Design and TV1.14
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.1
V2 Authentication V2.2
V2 Authentication V2.2
V2 Authentication V2.2
V2 Authentication V2.2
V2 Authentication V2.2
V2 Authentication V2.2
V2 Authentication V2.2
V2 Authentication V2.3
V2 Authentication V2.3
V2 Authentication V2.3
V2 Authentication V2.4
V2 Authentication V2.4
V2 Authentication V2.4
V2 Authentication V2.4
V2 Authentication V2.4
V2 Authentication V2.5
V2 Authentication V2.5
V2 Authentication V2.5
V2 Authentication V2.5
V2 Authentication V2.5
V2 Authentication V2.5
V2 Authentication V2.5
V2 Authentication V2.6
V2 Authentication V2.6
V2 Authentication V2.6
V2 Authentication V2.7
V2 Authentication V2.7
V2 Authentication V2.7
V2 Authentication V2.7
V2 Authentication V2.7
V2 Authentication V2.7
V2 Authentication V2.8
V2 Authentication V2.8
V2 Authentication V2.8
V2 Authentication V2.8
V2 Authentication V2.8
V2 Authentication V2.8
V2 Authentication V2.8
V2 Authentication V2.9
V2 Authentication V2.9
V2 Authentication V2.9
V2 Authentication V2.10
V2 Authentication V2.10
V2 Authentication V2.10
V2 Authentication V2.10
V3 Session Management V3.1
V3 Session Management V3.2
V3 Session Management V3.2
V3 Session Management V3.2
V3 Session Management V3.2
V3 Session Management V3.3
V3 Session Management V3.3
V3 Session Management V3.3
V3 Session Management V3.3
V3 Session Management V3.4
V3 Session Management V3.4
V3 Session Management V3.4
V3 Session Management V3.4
V3 Session Management V3.4
V3 Session Management V3.5
V3 Session Management V3.5
V3 Session Management V3.5
V3 Session Management V3.6
V3 Session Management V3.6
V3 Session Management V3.7
V4 Access Control V4.1
V4 Access Control V4.1
V4 Access Control V4.1
V4 Access Control V4.1
V4 Access Control V4.1
V4 Access Control V4.2
V4 Access Control V4.2
V4 Access Control V4.3
V4 Access Control V4.3
V4 Access Control V4.3
V5 Validation, Sanitization a V5.1
V5 Validation, Sanitization a V5.1
V5 Validation, Sanitization a V5.1
V5 Validation, Sanitization a V5.1
V5 Validation, Sanitization a V5.1
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.2
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.3
V5 Validation, Sanitization a V5.4
V5 Validation, Sanitization a V5.4
V5 Validation, Sanitization a V5.4
V5 Validation, Sanitization a V5.5
V5 Validation, Sanitization a V5.5
V5 Validation, Sanitization a V5.5
V5 Validation, Sanitization a V5.5
V6 Stored Cryptography V6.1
V6 Stored Cryptography V6.1
V6 Stored Cryptography V6.1
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.2
V6 Stored Cryptography V6.3
V6 Stored Cryptography V6.3
V6 Stored Cryptography V6.3
V6 Stored Cryptography V6.4
V6 Stored Cryptography V6.4
V7 Error Handling and Loggin V7.1
V7 Error Handling and Loggin V7.1
V7 Error Handling and Loggin V7.1
V7 Error Handling and Loggin V7.1
V7 Error Handling and Loggin V7.2
V7 Error Handling and Loggin V7.2
V7 Error Handling and Loggin V7.3
V7 Error Handling and Loggin V7.3
V7 Error Handling and Loggin V7.3
V7 Error Handling and Loggin V7.3
V7 Error Handling and Loggin V7.4
V7 Error Handling and Loggin V7.4
V7 Error Handling and Loggin V7.4
V8 Data Protection V8.1
V8 Data Protection V8.1
V8 Data Protection V8.1
V8 Data Protection V8.1
V8 Data Protection V8.1
V8 Data Protection V8.1
V8 Data Protection V8.2
V8 Data Protection V8.2
V8 Data Protection V8.2
V8 Data Protection V8.3
V8 Data Protection V8.3
V8 Data Protection V8.3
V8 Data Protection V8.3
V8 Data Protection V8.3
V8 Data Protection V8.3
V8 Data Protection V8.3
V8 Data Protection V8.3
V9 Communication V9.1
V9 Communication V9.1
V9 Communication V9.1
V9 Communication V9.2
V9 Communication V9.2
V9 Communication V9.2
V9 Communication V9.2
V9 Communication V9.2
V10 Malicious Code V10.1
V10 Malicious Code V10.2
V10 Malicious Code V10.2
V10 Malicious Code V10.2
V10 Malicious Code V10.2
V10 Malicious Code V10.2
V10 Malicious Code V10.2
V10 Malicious Code V10.3
V10 Malicious Code V10.3
V10 Malicious Code V10.3
V11 Business Logic V11.1
V11 Business Logic V11.1
V11 Business Logic V11.1
V11 Business Logic V11.1
V11 Business Logic V11.1
V11 Business Logic V11.1
V11 Business Logic V11.1
V11 Business Logic V11.1
V12 Files and Resources V12.1
V12 Files and Resources V12.1
V12 Files and Resources V12.1
V12 Files and Resources V12.2
V12 Files and Resources V12.3
V12 Files and Resources V12.3
V12 Files and Resources V12.3
V12 Files and Resources V12.3
V12 Files and Resources V12.3
V12 Files and Resources V12.3
V12 Files and Resources V12.4
V12 Files and Resources V12.4
V12 Files and Resources V12.5
V12 Files and Resources V12.5
V12 Files and Resources V12.6
V13 API and Web Service V13.1
V13 API and Web Service V13.1
V13 API and Web Service V13.1
V13 API and Web Service V13.1
V13 API and Web Service V13.1
V13 API and Web Service V13.2
V13 API and Web Service V13.2
V13 API and Web Service V13.2
V13 API and Web Service V13.2
V13 API and Web Service V13.2
V13 API and Web Service V13.2
V13 API and Web Service V13.3
V13 API and Web Service V13.3
V13 API and Web Service V13.4
V13 API and Web Service V13.4
V14 Configuration V14.1
V14 Configuration V14.1
V14 Configuration V14.1
V14 Configuration V14.1
V14 Configuration V14.1
V14 Configuration V14.2
V14 Configuration V14.2
V14 Configuration V14.2
V14 Configuration V14.2
V14 Configuration V14.2
V14 Configuration V14.2
V14 Configuration V14.3
V14 Configuration V14.3
V14 Configuration V14.3
V14 Configuration V14.4
V14 Configuration V14.4
V14 Configuration V14.4
V14 Configuration V14.4
V14 Configuration V14.4
V14 Configuration V14.4
V14 Configuration V14.4
V14 Configuration V14.5
V14 Configuration V14.5
V14 Configuration V14.5
V14 Configuration V14.5
section_name req_id
Secure Software Development Lifecycle V1.1.1
Secure Software Development Lifecycle V1.1.2
Secure Software Development Lifecycle V1.1.3
Secure Software Development Lifecycle V1.1.4
Secure Software Development Lifecycle V1.1.5
Secure Software Development Lifecycle V1.1.6
Secure Software Development Lifecycle V1.1.7
Authentication Architecture V1.2.1
Authentication Architecture V1.2.2
Authentication Architecture V1.2.3
Authentication Architecture V1.2.4
Access Control Architecture V1.4.1
Access Control Architecture V1.4.2
Access Control Architecture V1.4.3
Access Control Architecture V1.4.4
Access Control Architecture V1.4.5
Input and Output Architecture V1.5.1
Input and Output Architecture V1.5.2
Input and Output Architecture V1.5.3
Input and Output Architecture V1.5.4
Cryptographic Architecture V1.6.1
Cryptographic Architecture V1.6.2
Cryptographic Architecture V1.6.3
Cryptographic Architecture V1.6.4
Errors, Logging and Auditing Architecture V1.7.1
Errors, Logging and Auditing Architecture V1.7.2
Data Protection and Privacy Architecture V1.8.1
Data Protection and Privacy Architecture V1.8.2
Communications Architecture V1.9.1
Communications Architecture V1.9.2
Malicious Software Architecture V1.10.1
Business Logic Architecture V1.11.1
Business Logic Architecture V1.11.2
Business Logic Architecture V1.11.3
Secure File Upload Architecture V1.12.1
Secure File Upload Architecture V1.12.2
Configuration Architecture V1.14.1
Configuration Architecture V1.14.2
Configuration Architecture V1.14.3
Configuration Architecture V1.14.4
Configuration Architecture V1.14.5
Configuration Architecture V1.14.6
Password Security V2.1.1
Password Security V2.1.2
Password Security V2.1.3
Password Security V2.1.4
Password Security V2.1.5
Password Security V2.1.6
Password Security V2.1.7
Password Security V2.1.8
Password Security V2.1.9
Password Security V2.1.10
Password Security V2.1.11
Password Security V2.1.12
General Authenticator Security V2.2.1
General Authenticator Security V2.2.2
General Authenticator Security V2.2.3
General Authenticator Security V2.2.4
General Authenticator Security V2.2.5
General Authenticator Security V2.2.6
General Authenticator Security V2.2.7
Authenticator Lifecycle V2.3.1
Authenticator Lifecycle V2.3.2
Authenticator Lifecycle V2.3.3
Credential Storage V2.4.1
Credential Storage V2.4.2
Credential Storage V2.4.3
Credential Storage V2.4.4
Credential Storage V2.4.5
Credential Recovery V2.5.1
Credential Recovery V2.5.2
Credential Recovery V2.5.3
Credential Recovery V2.5.4
Credential Recovery V2.5.5
Credential Recovery V2.5.6
Credential Recovery V2.5.7
Look-up Secret Verifier V2.6.1
Look-up Secret Verifier V2.6.2
Look-up Secret Verifier V2.6.3
Out of Band Verifier V2.7.1
Out of Band Verifier V2.7.2
Out of Band Verifier V2.7.3
Out of Band Verifier V2.7.4
Out of Band Verifier V2.7.5
Out of Band Verifier V2.7.6
One Time Verifier V2.8.1
One Time Verifier V2.8.2
One Time Verifier V2.8.3
One Time Verifier V2.8.4
One Time Verifier V2.8.5
One Time Verifier V2.8.6
One Time Verifier V2.8.7
Cryptographic Verifier V2.9.1
Cryptographic Verifier V2.9.2
Cryptographic Verifier V2.9.3
Service Authentication V2.10.1
Service Authentication V2.10.2
Service Authentication V2.10.3
Service Authentication V2.10.4
Fundamental Session Management Security V3.1.1
Session Binding V3.2.1
Session Binding V3.2.2
Session Binding V3.2.3
Session Binding V3.2.4
Session Termination V3.3.1
Session Termination V3.3.2
Session Termination V3.3.3
Session Termination V3.3.4
Cookie-based Session Management V3.4.1
Cookie-based Session Management V3.4.2
Cookie-based Session Management V3.4.3
Cookie-based Session Management V3.4.4
Cookie-based Session Management V3.4.5
Token-based Session Management V3.5.1
Token-based Session Management V3.5.2
Token-based Session Management V3.5.3
Federated Re-authentication V3.6.1
Federated Re-authentication V3.6.2
Defenses Against Session Management Exploits V3.7.1
General Access Control Design V4.1.1
General Access Control Design V4.1.2
General Access Control Design V4.1.3
General Access Control Design V4.1.4
General Access Control Design V4.1.5
Operation Level Access Control V4.2.1
Operation Level Access Control V4.2.2
Other Access Control Considerations V4.3.1
Other Access Control Considerations V4.3.2
Other Access Control Considerations V4.3.3
Input Validation V5.1.1
Input Validation V5.1.2
Input Validation V5.1.3
Input Validation V5.1.4
Input Validation V5.1.5
Sanitization and Sandboxing V5.2.1
Sanitization and Sandboxing V5.2.2
Sanitization and Sandboxing V5.2.3
Sanitization and Sandboxing V5.2.4
Sanitization and Sandboxing V5.2.5
Sanitization and Sandboxing V5.2.6
Sanitization and Sandboxing V5.2.7
Sanitization and Sandboxing V5.2.8
Output Encoding and Injection Prevention V5.3.1
Output Encoding and Injection Prevention V5.3.2
Output Encoding and Injection Prevention V5.3.3
Output Encoding and Injection Prevention V5.3.4
Output Encoding and Injection Prevention V5.3.5
Output Encoding and Injection Prevention V5.3.6
Output Encoding and Injection Prevention V5.3.7
Output Encoding and Injection Prevention V5.3.8
Output Encoding and Injection Prevention V5.3.9
Output Encoding and Injection Prevention V5.3.10
Memory, String, and Unmanaged Code V5.4.1
Memory, String, and Unmanaged Code V5.4.2
Memory, String, and Unmanaged Code V5.4.3
Deserialization Prevention V5.5.1
Deserialization Prevention V5.5.2
Deserialization Prevention V5.5.3
Deserialization Prevention V5.5.4
Data Classification V6.1.1
Data Classification V6.1.2
Data Classification V6.1.3
Algorithms V6.2.1
Algorithms V6.2.2
Algorithms V6.2.3
Algorithms V6.2.4
Algorithms V6.2.5
Algorithms V6.2.6
Algorithms V6.2.7
Algorithms V6.2.8
Random Values V6.3.1
Random Values V6.3.2
Random Values V6.3.3
Secret Management V6.4.1
Secret Management V6.4.2
Log Content V7.1.1
Log Content V7.1.2
Log Content V7.1.3
Log Content V7.1.4
Log Processing V7.2.1
Log Processing V7.2.2
Log Protection V7.3.1
Log Protection V7.3.2
Log Protection V7.3.3
Log Protection V7.3.4
Error Handling V7.4.1
Error Handling V7.4.2
Error Handling V7.4.3
General Data Protection V8.1.1
General Data Protection V8.1.2
General Data Protection V8.1.3
General Data Protection V8.1.4
General Data Protection V8.1.5
General Data Protection V8.1.6
Client-side Data Protection V8.2.1
Client-side Data Protection V8.2.2
Client-side Data Protection V8.2.3
Sensitive Private Data V8.3.1
Sensitive Private Data V8.3.2
Sensitive Private Data V8.3.3
Sensitive Private Data V8.3.4
Sensitive Private Data V8.3.5
Sensitive Private Data V8.3.6
Sensitive Private Data V8.3.7
Sensitive Private Data V8.3.8
Client Communication Security V9.1.1
Client Communication Security V9.1.2
Client Communication Security V9.1.3
Server Communication Security V9.2.1
Server Communication Security V9.2.2
Server Communication Security V9.2.3
Server Communication Security V9.2.4
Server Communication Security V9.2.5
Code Integrity V10.1.1
Malicious Code Search V10.2.1
Malicious Code Search V10.2.2
Malicious Code Search V10.2.3
Malicious Code Search V10.2.4
Malicious Code Search V10.2.5
Malicious Code Search V10.2.6
Application Integrity V10.3.1
Application Integrity V10.3.2
Application Integrity V10.3.3
Business Logic Security V11.1.1
Business Logic Security V11.1.2
Business Logic Security V11.1.3
Business Logic Security V11.1.4
Business Logic Security V11.1.5
Business Logic Security V11.1.6
Business Logic Security V11.1.7
Business Logic Security V11.1.8
File Upload V12.1.1
File Upload V12.1.2
File Upload V12.1.3
File Integrity V12.2.1
File Execution V12.3.1
File Execution V12.3.2
File Execution V12.3.3
File Execution V12.3.4
File Execution V12.3.5
File Execution V12.3.6
File Storage V12.4.1
File Storage V12.4.2
File Download V12.5.1
File Download V12.5.2
SSRF Protection V12.6.1
Generic Web Service Security V13.1.1
Generic Web Service Security V13.1.2
Generic Web Service Security V13.1.3
Generic Web Service Security V13.1.4
Generic Web Service Security V13.1.5
RESTful Web Service V13.2.1
RESTful Web Service V13.2.2
RESTful Web Service V13.2.3
RESTful Web Service V13.2.4
RESTful Web Service V13.2.5
RESTful Web Service V13.2.6
SOAP Web Service V13.3.1
SOAP Web Service V13.3.2
GraphQL V13.4.1
GraphQL V13.4.2
Build and Deploy V14.1.1
Build and Deploy V14.1.2
Build and Deploy V14.1.3
Build and Deploy V14.1.4
Build and Deploy V14.1.5
Dependency V14.2.1
Dependency V14.2.2
Dependency V14.2.3
Dependency V14.2.4
Dependency V14.2.5
Dependency V14.2.6
Unintended Security Disclosure V14.3.1
Unintended Security Disclosure V14.3.2
Unintended Security Disclosure V14.3.3
HTTP Security Headers V14.4.1
HTTP Security Headers V14.4.2
HTTP Security Headers V14.4.3
HTTP Security Headers V14.4.4
HTTP Security Headers V14.4.5
HTTP Security Headers V14.4.6
HTTP Security Headers V14.4.7
HTTP Request Header Validation V14.5.1
HTTP Request Header Validation V14.5.2
HTTP Request Header Validation V14.5.3
HTTP Request Header Validation V14.5.4
req_description level1 level2
Verify the use of a secure software development lifecycle that addresses secur ✓
Verify the use of threat modeling for every design change or sprint planning to â i œ“
Verify that all user stories and features contain functional security constraints, ✓
Verify documentation and justification of all the application's trust boundaries, ✓
Verify definition and security analysis of the application's high-level architec ✓
Verify implementation of centralized, simple (economy of design), vetted, secur✓
Verify availability of a secure coding checklist, security requirements, guideline,✓
Verify the use of unique or special low-privilege operating system accounts for ✓
Verify that communications between application components, including APIs, m✓
Verify that the application uses a single vetted authentication mechanism that ✓
Verify that all authentication pathways and identity management APIs implement ✓
Verify that trusted enforcement points, such as access control gateways, servers ✓
[DELETED, NOT ACTIONABLE]
[DELETED, DUPLICATE OF 4.1.3]
Verify the application uses a single and well-vetted access control mechanism ✓
Verify that attribute or feature-based access control is used whereby the code c✓
Verify that input and output requirements clearly define how to handle and proc✓
Verify that serialization is not used when communicating with untrusted clients.✓ I
Verify that input validation is enforced on a trusted service layer. ([C5](https ✓
Verify that output encoding occurs close to or by the interpreter for which it i ✓
Verify that there is an explicit policy for management of cryptographic keys a ✓
Verify that consumers of cryptographic services protect key material and other ✓
Verify that all keys and passwords are replaceable and are part of a well-define✓
Verify that the architecture treats client-side secrets--such as symmetric keys, ✓
Verify that a common logging format and approach is used across the system. ✓
Verify that logs are securely transmitted to a preferably remote system for ana ✓
Verify that all sensitive data is identified and classified into protection levels. ✓
Verify that all protection levels have an associated set of protection requireme ✓
Verify the application encrypts communications between components, particularl ✓
Verify that application components verify the authenticity of each side in a co ✓
Verify that a source code control system is in use, with procedures to ensure t ✓
Verify the definition and documentation of all application components in terms â oœ“
Verify that all high-value business logic flows, including authentication, sess ✓
Verify that all high-value business logic flows, including authentication, session managem
[DELETED, DUPLICATE OF 12.4.1]
Verify that user-uploaded files - if required to be displayed or downloaded from✓
Verify the segregation of components of differing trust levels through well-defi ✓
Verify that binary signatures, trusted connections, and verified endpoints are u ✓
Verify that the build pipeline warns of out-of-date or insecure components and ✓
Verify that the build pipeline contains a build step to automatically build and ve✓
Verify that application deployments adequately sandbox, containerize and/or iso ✓
Verify the application does not use unsupported, insecure, or deprecated client-✓
Verify that user set passwords are at least 12 characters in length ✓ ✓
Verify that passwords of at least 64 characters are permitted, and ✓ ✓
Verify that password truncation is not performed. However, consecut✓ ✓
Verify that any printable Unicode character, including language neut✓ ✓
Verify users can change their password. ✓ ✓
Verify that password change functionality requires the user's curre ✓ ✓
Verify that passwords submitted during account registration, login, ✓ ✓
Verify that a password strength meter is provided to help users set ✓ ✓
Verify that there are no password composition rules limiting the typ ✓ ✓
Verify that there are no periodic credential rotation or password his ✓ ✓
Verify that "paste" functionality, browser password helpers, and ex ✓ ✓
Verify that the user can choose to either temporarily view the entire ✓ ✓
Verify that anti-automation controls are effective at mitigating brea ✓ ✓
Verify that the use of weak authenticators (such as SMS and email) i ✓ ✓
Verify that secure notifications are sent to users after updates to aut✓ ✓
Verify impersonation resistance against phishing, such as the use of multi-factor authentica
Verify that where a Credential Service Provider (CSP) and the application verifying authen
Verify replay resistance through the mandated use of One-time Passwords (OTP) devices, c
Verify intent to authenticate by requiring the entry of an OTP token or user-initiated acti
Verify system generated initial passwords or activation codes SHOUL✓ ✓
Verify that enrollment and use of user-provided authentication devices are sup ✓
Verify that renewal instructions are sent with sufficient time to renew time bou ✓
Verify that passwords are stored in a form that is resistant to offline attack ✓
Verify that the salt is at least 32 bits in length and be chosen arbitrarily to ✓
Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verific ✓
Verify that if bcrypt is used, the work factor SHOULD be as large as verificati ✓
Verify that an additional iteration of a key derivation function is performed, u ✓
Verify that a system generated initial activation or recovery secret i ✓ ✓
Verify password hints or knowledge-based authentication (so-called "✓ ✓
Verify password credential recovery does not reveal the current pas ✓ ✓
Verify shared or default accounts are not present (e.g. "root", "admin" ✓ ✓
Verify that if an authentication factor is changed or replaced, that the ✓ ✓
Verify forgotten password, and other recovery paths use a secure re ✓ ✓
Verify that if OTP or multi-factor authentication factors are lost, that evidence ✓
Verify that lookup secrets can be used only once. ✓
Verify that lookup secrets have sufficient randomness (112 bits of entropy), or ✓
Verify that lookup secrets are resistant to offline attacks, such as predictable v ✓
Verify that clear text out of band (NIST "restricted") authenticators, ✓ ✓
Verify that the out of band verifier expires out of band authenticatio ✓ ✓
Verify that the out of band verifier authentication requests, codes, o ✓ ✓
Verify that the out of band authenticator and verifier communicates ✓ ✓
Verify that the out of band verifier retains only a hashed version of the authent ✓
Verify that the initial authentication code is generated by a secure random numbe ✓
Verify that time-based OTPs have a defined lifetime before expiring. ✓ ✓
Verify that symmetric keys used to verify submitted OTPs are highly protected ✓
Verify that approved cryptographic algorithms are used in the generation, seedi✓
Verify that time-based OTP can be used only once within the validity period. ✓
Verify that if a time-based multi-factor OTP token is re-used during the validity ✓
Verify physical single-factor OTP generator can be revoked in case of theft or ot✓
Verify that biometric authenticators are limited to use only as secondary fact o
Verify that cryptographic keys used in verification are stored securely and pro ✓
Verify that the challenge nonce is at least 64 bits in length, and statistically u ✓
Verify that approved cryptographic algorithms are used in the generation, seedi✓
Verify that intra-service secrets do not rely on unchanging credentials such as OS assiste
Verify that if passwords are required for service authentication, the service acc OS assiste
Verify that passwords are stored with sufficient protection to prevent offline re OS assiste
Verify passwords, integrations with databases and third-party systems, seeds aOS assiste
Verify the application never reveals session tokens in URL parameter✓ ✓
Verify the application generates a new session token on user authen✓ ✓
Verify that session tokens possess at least 64 bits of entropy. ([C6 ✓ ✓
Verify the application only stores session tokens in the browser usi ✓ ✓
Verify that session tokens are generated using approved cryptographic algorit ✓
Verify that logout and expiration invalidate the session token, such ✓ ✓
If authenticators permit users to remain logged in, verify that re-au 30 days 12 hours or
Verify that the application gives the option to terminate all other active sessio ✓
Verify that users are able to view and (having re-entered login credentials) log ✓
Verify that cookie-based session tokens have the 'Secure' attribute ✓ ✓
Verify that cookie-based session tokens have the 'HttpOnly' attribut ✓ ✓
Verify that cookie-based session tokens utilize the 'SameSite' attrib ✓ ✓
Verify that cookie-based session tokens use the "__Host-" prefix so coo ✓ ✓
Verify that if the application is published under a domain name with ✓ ✓
Verify the application allows users to revoke OAuth tokens that form trust relati✓
Verify the application uses session tokens rather than static API secrets and k ✓
Verify that stateless session tokens use digital signatures, encryption, and oth ✓
Verify that Relying Parties (RPs) specify the maximum authentication time to Credential Se
Verify that Credential Service Providers (CSPs) inform Relying Parties (RPs) of the last aut
Verify the application ensures a full, valid login session or requires ✓ ✓
Verify that the application enforces access control rules on a trusted ✓ ✓
Verify that all user and data attributes and policy information used ✓ ✓
Verify that the principle of least privilege exists - users should onl ✓ ✓
[DELETED, DUPLICATE OF 4.1.3]
Verify that access controls fail securely including when an exceptio ✓ ✓
Verify that sensitive data and APIs are protected against Insecure Di ✓ ✓
Verify that the application or framework enforces a strong anti-CSRF ✓ ✓
Verify administrative interfaces use appropriate multi-factor authent✓ ✓
Verify that directory browsing is disabled unless deliberately desired.✓ ✓
Verify the application has additional authorization (such as step up or adaptive ✓
Verify that the application has defenses against HTTP parameter poll✓ ✓
Verify that frameworks protect against mass parameter assignment at ✓ ✓
Verify that all input (HTML form fields, REST requests, URL parameter✓ ✓
Verify that structured data is strongly typed and validated against ✓ ✓
Verify that URL redirects and forwards only allow destinations which ✓ ✓
Verify that all untrusted HTML input from WYSIWYG editors or similar✓ ✓
Verify that unstructured data is sanitized to enforce safety measure ✓ ✓
Verify that the application sanitizes user input before passing to mai ✓ ✓
Verify that the application avoids the use of eval() or other dynami ✓ ✓
Verify that the application protects against template injection attac ✓ ✓
Verify that the application protects against SSRF attacks, by validati ✓ ✓
Verify that the application sanitizes, disables, or sandboxes user-sup✓ ✓
Verify that the application sanitizes, disables, or sandboxes user-s ✓ ✓
Verify that output encoding is relevant for the interpreter and context ✓
required.✓
For example, use enc
Verify that output encoding preserves the user's chosen character se✓ ✓
Verify that context-aware, preferably automated - or at worst, manu ✓ ✓
Verify that data selection or database queries (e.g. SQL, HQL, ORM, ✓ ✓
Verify that where parameterized or safer mechanisms are not present, ✓ ✓
Verify that the application protects against JSON injection attacks, ✓ ✓
Verify that the application protects against LDAP injection vulnerabi ✓ ✓
Verify that the application protects against OS command injection a ✓ ✓
Verify that the application protects against Local File Inclusion (LFI) ✓ ✓
Verify that the application protects against XPath injection or XML i ✓ ✓
Verify that the application uses memory-safe string, safer memory copy and poin ✓
Verify that format strings do not take potentially hostile input, and are constant✓
Verify that sign, range, and input validation techniques are used to prevent int ✓
Verify that serialized objects use integrity checks or are encrypted ✓ ✓
Verify that the application correctly restricts XML parsers to only us ✓ ✓
Verify that deserialization of untrusted data is avoided or is protec ✓ ✓
Verify that when parsing JSON in browsers or JavaScript-based backe✓ ✓
Verify that regulated private data is stored encrypted while at rest, such as Pers✓
Verify that regulated health data is stored encrypted while at rest, such as me ✓
Verify that regulated financial data is stored encrypted while at rest, such as f ✓
Verify that all cryptographic modules fail securely, and errors are h ✓ ✓
Verify that industry proven or government approved cryptographic algorithms, ✓
Verify that encryption initialization vector, cipher configuration, and block mod ✓
Verify that random number, encryption or hashing algorithms, key lengths, rou ✓
Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKC ✓
Verify that nonces, initialization vectors, and other single use numbers must ✓
Verify that encrypted data is authenticated via signatures, authenticated cipher modes, o
Verify that all cryptographic operations are constant-time, with no 'short-circuit' operation
Verify that all random numbers, random file names, random GUIDs, and random✓
Verify that random GUIDs are created using the GUID v4 algorithm, and a Cr ✓
Verify that random numbers are created with proper entropy even when the application is
Verify that a secrets management solution such as a key vault is used to secure✓
Verify that key material is not exposed to the application but instead uses an ✓
Verify that the application does not log credentials or payment detai ✓ ✓
Verify that the application does not log other sensitive data as defi ✓ ✓
Verify that the application logs security relevant events including successful an✓
Verify that each log event includes necessary information that would allow for ✓
Verify that all authentication decisions are logged, without storing sensitive s ✓
Verify that all access control decisions can be logged and all failed decisions ✓
Verify that all logging components appropriately encode data to prevent log in ✓
[DELETED, DUPLICATE OF 7.3.1]
Verify that security logs are protected from unauthorized access and modificat ✓
Verify that time sources are synchronized to the correct time and time zone. Str✓
Verify that a generic message is shown when an unexpected or securit ✓ ✓
Verify that exception handling (or a functional equivalent) is used across the ✓
Verify that a "last resort" error handler is defined which will catch all unhand ✓
Verify the application protects sensitive data from being cached in server com ✓
Verify that all cached or temporary copies of sensitive data stored on the serv ✓
Verify the application minimizes the number of parameters in a request, such as ✓
Verify the application can detect and alert on abnormal numbers of requests, su✓
Verify that regular backups of important data are performed and that test restoration of d
Verify that backups are stored securely to prevent data from being stolen or corrupted.
Verify the application sets sufficient anti-caching headers so that se ✓ ✓
Verify that data stored in browser storage (such as localStorage, ses ✓ ✓
Verify that authenticated data is cleared from client storage, such as✓ ✓
Verify that sensitive data is sent to the server in the HTTP message ✓ ✓
Verify that users have a method to remove or export their data on ✓ ✓
Verify that users are provided clear language regarding collection an✓ ✓
Verify that all sensitive data created and processed by the applicati ✓ ✓
Verify accessing sensitive data is audited (without logging the sensitive data its✓
Verify that sensitive information contained in memory is overwritten as soon a ✓
Verify that sensitive or private information that is required to be encrypted, i ✓
Verify that sensitive personal information is subject to data retention classificat✓
Verify that TLS is used for all client connectivity, and does not fal ✓ ✓
Verify using up to date TLS testing tools that only strong cipher suite✓ ✓
Verify that only the latest recommended versions of the TLS protocol✓ ✓
Verify that connections to and from the server use trusted TLS certificates. Where ✓
Verify that encrypted communications such as TLS is used for all inbound and ou ✓
Verify that all encrypted connections to external systems that involve sensitive✓
Verify that proper certification revocation, such as Online Certificate Status Pr ✓
Verify that backend TLS connection failures are logged.
Verify that a code analysis tool is in use that can detect potentially malicious code, such
Verify that the application source code and third party libraries do not contain ✓
Verify that the application does not ask for unnecessary or excessive permissio✓
Verify that the application source code and third party libraries do not contain back door
Verify that the application source code and third party libraries do not contain time bombs
Verify that the application source code and third party libraries do not contain malicious
Verify that the application source code and third party libraries do not contain Easter egg
Verify that if the application has a client or server auto-update fea ✓ ✓
Verify that the application employs integrity protections, such as co ✓ ✓
Verify that the application has protection from subdomain takeovers ✓ ✓
Verify that the application will only process business logic flows for ✓ ✓
Verify that the application will only process business logic flows with ✓ ✓
Verify the application has appropriate limits for specific business ac ✓ ✓
Verify that the application has anti-automation controls to protect aga ✓ ✓
Verify the application has business logic limits or validation to prote ✓ ✓
Verify that the application does not suffer from "Time Of Check to Time Of Use"✓
Verify that the application monitors for unusual events or activity from a busi ✓
Verify that the application has configurable alerting when automated attacks or✓
Verify that the application will not accept large files that could fill u ✓ ✓
Verify that the application checks compressed files (e.g. zip, gz, docx, odt) ✓
Verify that a file size quota and maximum number of files per user is enforced to ✓
Verify that files obtained from untrusted sources are validated to be of expecte✓
Verify that user-submitted filename metadata is not used directly by✓ ✓
Verify that user-submitted filename metadata is validated or ignored✓ t ✓
Verify that user-submitted filename metadata is validated or ignored✓ ✓
Verify that the application protects against Reflective File Downloa ✓ ✓
Verify that untrusted file metadata is not used directly with system A✓ ✓
Verify that the application does not include and execute functionality from untru ✓
Verify that files obtained from untrusted sources are stored outside ✓ ✓
Verify that files obtained from untrusted sources are scanned by ant ✓ ✓
Verify that the web tier is configured to serve only files with specif ✓ ✓
Verify that direct requests to uploaded files will never be executed ✓ ✓
Verify that the web or application server is configured with an allow ✓ ✓
Verify that all application components use the same encodings and par ✓ ✓
[DELETED, DUPLICATE OF 4.3.1]
Verify API URLs do not expose sensitive information, such as the API ✓ ✓
Verify that authorization decisions are made at both the URI, enforced by progr✓
Verify that requests containing unexpected or missing content types are reje ✓
Verify that enabled RESTful HTTP methods are a valid choice for the ✓ ✓
Verify that JSON schema validation is in place and verified before acc✓ ✓
Verify that RESTful web services that utilize cookies are protected f ✓ ✓
[DELETED, DUPLICATE OF 11.1.4]
Verify that REST services explicitly check the incoming Content-Type to be the ✓
Verify that the message headers and payload are trustworthy and not modified ✓ in
Verify that XSD schema validation takes place to ensure a properly f ✓ ✓
Verify that the message payload is signed using WS-Security to ensure reliable ✓
Verify that a query allow list or a combination of depth limiting and amount li ✓
Verify that GraphQL or other data layer authorization logic should be implement✓
Verify that the application build and deployment processes are performed in ✓
Verify that compiler flags are configured to enable all available buffer overflo ✓
Verify that server configuration is hardened as per the recommendations of the✓
Verify that the application, configuration, and all dependencies can be re-dep ✓
Verify that authorized administrators can verify the integrity of all security-relevant confi
Verify that all components are up to date, preferably using a depen ✓ ✓
Verify that all unneeded features, documentation, sample applicatio ✓ ✓
Verify that if application assets, such as JavaScript libraries, CSS or ✓ ✓
Verify that third party components come from pre-defined, trusted and continua✓
Verify that a Software Bill of Materials (SBOM) is maintained of all third party ✓
Verify that the attack surface is reduced by sandboxing or encapsulating third ✓
[DELETED, DUPLICATE OF 7.4.1]
Verify that web or application server and application framework deb ✓ ✓
Verify that the HTTP headers or any part of the HTTP response do no✓ ✓
Verify that every HTTP response contains a Content-Type header. Also ✓ ✓
Verify that all API responses contain a Content-Disposition: attachme✓ ✓
Verify that a Content Security Policy (CSP) response header is in plac✓ ✓
Verify that all responses contain a X-Content-Type-Options: nosniff h✓ ✓
Verify that a Strict-Transport-Security header is included on all re ✓ ✓
Verify that a suitable Referrer-Policy header is included to avoid ex ✓ ✓
Verify that the content of a web application cannot be embedded in ✓ ✓
Verify that the application server only accepts the HTTP methods in us ✓ ✓
Verify that the supplied Origin header is not used for authentication ✓ ✓
Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-✓ ✓
Verify that HTTP headers added by a trusted proxy or SSO devices, such as a be✓
level3 cwe nist
✓
✓ 1053
✓ 1110
✓ 1059
✓ 1059
✓ 637
✓ 637
✓ 250
✓ 306
✓ 306
✓ 306
✓ 602

✓ 284
✓ 275
✓ 1029
✓ 502
✓ 602
✓ 116
✓ 320
✓ 320
✓ 320
✓ 320
✓ 1009
✓
✓
✓
✓ 319
✓ 295
✓ 284
✓ 1059
✓ 362
✓ 367

✓ 646
✓ 923
✓ 494
✓ 1104
✓
✓ 265
✓ 477
✓ 521 5.1.1.2
✓ 521 5.1.1.2
✓ 521 5.1.1.2
✓ 521 5.1.1.2
✓ 620 5.1.1.2
✓ 620 5.1.1.2
✓ 521 5.1.1.2
✓ 521 5.1.1.2
✓ 521 5.1.1.2
✓ 263 5.1.1.2
✓ 521 5.1.1.2
✓ 521 5.1.1.2
✓ 307 5.2.2 / 5.1.1.2 / 5.1.4.2 / 5.1.5.2
✓ 304 5.2.10
✓ 620
✓ 308 5.2.5
✓ 319 5.2.6
✓ 308 5.2.8
✓ 308 5.2.9
✓ 330 5.1.1.2 / A.3
✓ 308 6.1.3
✓ 287 6.1.4
✓ 916 5.1.1.2
✓ 916 5.1.1.2
✓ 916 5.1.1.2
✓ 916 5.1.1.2
✓ 916 5.1.1.2
✓ 640 5.1.1.2
✓ 640 5.1.1.2
✓ 640 5.1.1.2
✓ 16 5.1.1.2 / A.3
✓ 304 6.1.2.3
✓ 640 5.1.1.2
✓ 308 6.1.2.3
✓ 308 5.1.2.2
✓ 330 5.1.2.2
✓ 310 5.1.2.2
✓ 287 5.1.3.2
✓ 287 5.1.3.2
✓ 287 5.1.3.2
✓ 523 5.1.3.2
✓ 256 5.1.3.2
✓ 310 5.1.3.2
✓ 613 5.1.4.2 / 5.1.5.2
✓ 320 5.1.4.2 / 5.1.5.2
✓ 326 5.1.4.2 / 5.1.5.2
✓ 287 5.1.4.2 / 5.1.5.2
✓ 287 5.1.5.2
✓ 613 5.2.1
✓ 308 5.2.3
✓ 320 5.1.7.2
✓ 330 5.1.7.2
✓ 327 5.1.7.2
HSM 287 5.1.1.1
HSM 255 5.1.1.1
HSM 522 5.1.1.1
HSM 798
✓ 598
✓ 384 7.1
✓ 331 7.1
✓ 539 7.1
✓ 331 7.1
✓ 613 7.1
12 hours or 613 7.2
✓ 613
✓ 613 7.1
✓ 614 7.1.1
✓ 1004 7.1.1
✓ 1275 7.1.1
✓ 16 7.1.1
✓ 16 7.1.1
✓ 290 7.1.2
✓ 798
✓ 345
✓ 613 7.2.1
✓ 613 7.2.1
✓ 306
✓ 602
✓ 639
✓ 285

✓ 285
✓ 639
✓ 352
✓ 419
✓ 548
✓ 732
✓ 235
✓ 915
✓ 20
✓ 20
✓ 601
✓ 116
✓ 138
✓ 147
✓ 95
✓ 94
✓ 918
✓ 159
✓ 94
✓ 116
✓ 176
✓ 79
✓ 89
✓ 89
✓ 830
✓ 90
✓ 78
✓ 829
✓ 643
✓ 120
✓ 134
✓ 190
✓ 502
✓ 611
✓ 502
✓ 95
✓ 311
✓ 311
✓ 311
✓ 310
✓ 327
✓ 326
✓ 326
✓ 326
✓ 326
✓ 326
✓ 385
✓ 338
✓ 338
✓ 338
✓ 798
✓ 320
✓ 532
✓ 532
✓ 778
✓ 778
✓ 778
✓ 285
✓ 117

✓ 200
✓
✓ 210
✓ 544
✓ 431
✓ 524
✓ 524
✓ 233
✓ 770
✓ 19
✓ 19
✓ 525
✓ 922
✓ 922
✓ 319
✓ 212
✓ 285
✓ 200
✓ 532
✓ 226
✓ 327
✓ 285
✓ 319
✓ 326
✓ 326
✓ 295
✓ 319
✓ 287
✓ 299
✓ 544
✓ 749
✓ 359
✓ 272
✓ 507
✓ 511
✓ 511
✓ 507
✓ 16
✓ 353
✓ 350
✓ 841
✓ 799
✓ 770
✓ 770
✓ 841
✓ 367
✓ 754
✓ 390
✓ 400
✓ 409
✓ 770
✓ 434
✓ 22
✓ 73
✓ 98
✓ 641
✓ 78
✓ 829
✓ 552
✓ 509
✓ 552
✓ 434
✓ 918
✓ 116

✓ 598
✓ 285
✓ 434
✓ 650
✓ 20
✓ 352

✓ 436
✓ 345
✓ 20
✓ 345
✓ 770
✓ 285
✓
✓ 120
✓ 16
✓
✓
✓ 1026
✓ 1002
✓ 829
✓ 829
✓
✓ 265

✓ 497
✓ 200
✓ 173
✓ 116
✓ 1021
✓ 116
✓ 523
✓ 116
✓ 1021
✓ 749
✓ 346
✓ 346
✓ 306

You might also like