
Application Security Verification Standard 3 - OWASP


Preface Welcome to the Application Security Verification Standard (ASVS) version 3.0. The ASVS is a community-effort to establish a framework of security requirements and controls that focus on normalising the functional and


Transcription of Application Security Verification Standard 3 - OWASP

Application Security Verification Standard, October 2015

Table of Contents

- Acknowledgements
  - Version 3.0, 2015
  - 2014 version
  - 2009 version
- About the Standard
- Copyright and License
- Preface
  - What's new in 3.0
- Using the Application Security Verification Standard
  - Application Security Verification Levels
  - How to use this Standard
    - Level 1: Opportunistic
    - Level 2: Standard
    - Level 3: Advanced
- Applying ASVS in Practice
  - Case Studies
    - Case Study 1: As a Security Testing Guide
    - Case Study 2: As a secure SDLC
  - Assessing software has achieved a Verification level
    - OWASP's stance on ASVS Certifications and Trust Marks
    - Guidance for certifying organizations
    - The role of automated penetration testing tools
    - The role of penetration testing
    - As detailed Security architecture guidance
    - As a replacement for off the shelf secure coding checklists
    - As a guide for automated unit and integration tests
    - As secure development training
  - OWASP Projects using ASVS
    - Security Knowledge Framework
    - OWASP Zed Attack Proxy
    - OWASP Cornucopia
- Detailed Verification Requirements (each section has a Control objective, Requirements and References)
  - V1: Architecture, design and threat modelling
  - V2: Authentication Verification Requirements
  - V3: Session Management Verification Requirements
  - V4: Access Control Verification Requirements
  - V5: Malicious input handling Verification requirements
  - V6: Output encoding / escaping
  - V7: Cryptography at rest Verification requirements
  - V8: Error handling and logging Verification requirements
  - V9: Data protection Verification requirements
  - V10: Communications Security Verification requirements
  - V11: HTTP Security configuration Verification requirements
  - V12: Security configuration Verification requirements
  - V13: Malicious controls Verification requirements
  - V14: Internal Security Verification requirements
  - V15: Business logic Verification requirements
  - V16: Files and resources Verification requirements
  - V17: Mobile Verification requirements
  - V18: Web services Verification requirements
  - V19: Configuration
- Appendix A: What ever happened
- Appendix B: Glossary
- Appendix C: References
- Appendix D: Standards Mappings

Acknowledgements

Version 3.0, 2015 (Project Leads, Lead Authors, Contributors and reviewers):
Andrew van der Stock, Daniel Cuthbert, Jim Manico, Boy Baukema, Ari Kesäniemi, Colin Watson, François-Eric Guyomarc'h, Cristinel Dumitru, James Holland, Gary Robinson, Stephen de Vries, Glenn Ten Cate, Riccardo Ten Cate, Martin Knobloch, Abhinav Sejpal, David Ryan, Steven van der Baan, Ryan Dewhurst, Raoul Endres, Roberto Martelloni

2014 version (Project Leads, Lead Authors, Contributors and reviewers):
Daniel Cuthbert, Sahba Kazerooni, Andrew van der Stock, Krishna Raja, Antonio Fontes, Colin Watson, Jeff Sergeant, Pekka Sillanpää, Archangel Cuison, Dr Emin Tatli, Jerome Athias, Safuat Hamdy, Ari Kesäniemi, Etienne Stalmans, Jim Manico, Scott Luc, Boy Baukema, Evan Gaustad, Mait Peekma, Sebastien Deleersnyder

2009 version (Project Leads, Lead Authors, Contributors and reviewers):
Mike Boberski, Jeff Williams, Dave Wichers, Andrew van der Stock, Dr. Sarbari Gupta, John Steven, Pierre Parrend, Barry Boyd, Dr. Thomas Braun, Ken Huang, Richard Campbell, Bedirhan Urgun, Eoin Keary, Ketan Dilipkumar Vyas, Scott Matsumoto, Colin Watson, Gaurang Shah, Liz Fong, Shouvik Bardhan, Dan Cornell, George Lawless, Mandeep Khera, Stan Wisseman, Dave Hausladen, Jeff LoSapio, Matt Presson, Stephen de Vries, Theodore Winograd, Jeremiah Grossman, Nam Nguyen, Steve Coyle, Dave van Stein, John Martin, Paul Douthit, Terrie Diaz

About the Standard

The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, and even consumers to define what a secure application is.

Copyright and License

Copyright 2008 … you must make clear to others the license terms of this work.

Preface

Welcome to the Application Security Verification Standard (ASVS) version 3.0. The ASVS is a community effort to establish a framework of security requirements and controls that focus on normalising the functional and non-functional security controls required when designing, developing and testing modern web applications. … we felt it was important to … standard plan their adoption of the ASVS, whilst assisting existing companies in learning from the experience of others.

We expect that there will most likely never be 100% … to some extent, … we hope that the latest updates made in this version are a step in the right direction, and respectfully enhance the concepts introduced in this important industry standard.

What's new in 3.0

… we have added several new sections, including Configuration, Web Services, and Modern (Client) based applications, to make the standard more applicable to modern applications, which are commonly responsive applications with an extensive HTML5 front end or mobile client that calls a common set of RESTful web services using SAML authentication.

We have also deduplicated the standard, for example, to ensure that a mobile developer does not need to re-test the same items multiple times.

We have provided a mapping to the Common Weakness Enumeration (CWE). … can be used to identify information such as likelihood of exploitation, consequence of a successful exploitation and, broadly speaking, to gain insight on what could go wrong if a security control is not used or implemented effectively, and how to mitigate the weakness.

Lastly, we reached out to the community and held peer review sessions at AppSec EU 2015 and a final working … if edits to the meaning of a control changed substantially, … deliberately chose to not reuse any deprecated control requirements, … have provided a comprehensive mapping of what has changed in Appendix A.

Taken together, … to the standard useful, and use it in ways we can only imagine.

Using the Application Security Verification Standard

ASVS has two main goals:

- help organizations develop and maintain secure applications
- allow security service and security tool vendors, and consumers, to align their requirements and offerings

Figure 1 - Uses of ASVS for organizations and tool/service providers

Application Security Verification Levels

The Application Security Verification Standard defines three security verification levels, with each level increasing in depth.
