Page 1 of 44

| Total Risk | Safe Guard Index | Target Level |
|---|---|---|
| 712 | 0.00% | 3 |

| Area of Analysis | Threats | Vulns | Risk | % Total Risk | % Thrt Risk |
|---|---|---|---|---|---|
| ARCHITECTURE, DESIGN AND THREAT MODELLING | 22 | 0 | 22 | 3% | 100% |
| AUTHENTICATION | 109 | 5 | 114 | 16% | 96% |
| SESSION MANAGEMENT | 46 | 7 | 53 | 7% | 87% |
| ACCESS CONTROL | 57 | 0 | 57 | 8% | 100% |
| MALICIOUS INPUT HANDLING | 122 | 0 | 122 | 17% | 100% |
| CRYPTOGRAPHY AT REST | 42 | 0 | 42 | 6% | 100% |
| ERROR HANDLING AND LOGGING | 34 | 0 | 34 | 5% | 100% |
| DATA PROTECTION | 25 | 0 | 25 | 4% | 100% |
| COMMUNICATIONS SECURITY | 50 | 0 | 50 | 7% | 100% |
| HTTP SECURITY CONFIGURATION | 22 | 0 | 22 | 3% | 100% |
| MALICIOUS CONTROLS | 10 | 0 | 10 | 1% | 100% |
| BUSINESS LOGIC | 14 | 0 | 14 | 2% | 100% |
| FILES AND RESOURCES | 57 | 0 | 57 | 8% | 100% |
| MOBILE | 0 | 0 | 0 | 0% | 0% |
| WEB SERVICES | 39 | 0 | 39 | 5% | 100% |
| CONFIGURATION | 51 | 0 | 51 | 7% | 100% |
| INTERNET OF THINGS (IOT) | 0 | 0 | 0 | 0% | 0% |
| Total | 700 | 12 | 712 | 100% | 98% |

Sanity Checks: Threat Check = OK

[Charts: Threats and Vulns per Area of Analysis; % Vuln Risk and % Thrt Risk per Area of Analysis; Target Level 3. Chart data not recoverable from the extraction.]
| # | Category | Detail | Level | Relevance | CR | Impact | Likelihood |
|---|---|---|---|---|---|---|---|
| 1.1 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that all application components are identified and are known to be needed. | 1 | | 5 | M | L |
| 1.2 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that all external systems, that are not part of the application but that the application relies on to operate, are identified. | 2 | | 4 | M | L |
| 1.3 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that a high-level architecture for the application has been defined. | 2 | | 3 | M | L |
| 1.4 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that all application components are defined in terms of the business functions and/or security functions they provide. | 3 | | 0 | L | L |
| 1.5 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that all components that are not part of the application but that the application relies on to operate are defined in terms of the functions, and/or security functions, they provide. | 3 | | 0 | L | L |
| 1.6 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that a threat model for the target application has been produced and covers off risks associated with Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege (STRIDE). | 3 | | 0 | M | L |
| 1.7 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify all security controls (including libraries that call external security services) have a centralized implementation. | 2 | | 0 | M | M |
| 1.8 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that components are segregated from each other via a defined security control, such as network segmentation, firewall rules, or cloud based security groups. | 2 | | 0 | M | L |
| 1.9 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify the application has a clear separation between the data layer, controller layer and the display layer, such that security decisions can be enforced on trusted systems. | 2 | | 0 | M | L |
| 1.10 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify that there is no sensitive business logic, secret keys or other proprietary information in client side code. | 2 | | 5 | H | M |
| 1.11 | ARCHITECTURE, DESIGN AND THREAT MODELLING | Verify all application components, libraries, modules, frameworks, platform, and operating systems are free from known vulnerabilities. | 2 | | 0 | H | L |
| 2.1 | AUTHENTICATION | Verify all pages and resources by default require authentication except those specifically intended to be public (Principle of complete mediation). | 1 | | 4 | H | L |
| 2.2 | AUTHENTICATION | … Ajax requests, or in forms, as this implies plain text, reversible or de-cryptable password storage. Random time limited nonces are acceptable stand ins, such as … | 1 | | 0 | H | L |
| 2.4 | AUTHENTICATION | Verify all authentication controls are enforced on the server side. | 1 | | 4 | H | L |
| 2.6 | AUTHENTICATION | Verify all authentication controls fail securely to ensure attackers cannot log in. | 1 | | 0 | H | M |
| 2.7 | AUTHENTICATION | Verify password entry fields allow, or encourage, the use of passphrases, and do not prevent password managers, long passphrases or highly complex passwords being entered. | 1 | | 0 | H | M |
| 2.8 | AUTHENTICATION | Verify all account identity authentication functions (such as update profile, forgot password, disabled / lost token, help desk or IVR) that might regain access to the account are at least as resistant to attack as the primary authentication mechanism. | 1 | | 0 | H | H |
| 2.9 | AUTHENTICATION | Verify that the changing password functionality includes the old password, the new password, and a password confirmation. | 1 | | 0 | H | H |
| 2.12 | AUTHENTICATION | Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations. | 2 | | 0 | M | L |
| 2.13 | AUTHENTICATION | Verify that account passwords are one way hashed with a salt, and there is sufficient work factor to defeat brute force and password hash recovery attacks. | 2 | | 0 | H | L |
| 2.16 | AUTHENTICATION | Verify that credentials are transported using a suitable encrypted link and that all pages/functions that require a user to enter credentials are done so using an encrypted link. | 1 | | 0 | H | H |
| 2.17 | AUTHENTICATION | Verify that the forgotten password function and other recovery paths do not reveal the current password and that the new password is not sent in clear text to the user. | 1 | | 0 | H | H |
| 2.18 | AUTHENTICATION | Verify that information enumeration is not possible via login, password reset, or forgot account functionality. | 1 | | 0 | L | M |
| 2.19 | AUTHENTICATION | Verify there are no default passwords in use for the application framework or any components used by the application (such as “admin/password”). | 1 | | 0 | H | L |
| 2.20 | AUTHENTICATION | Verify that anti-automation is in place to prevent breached credential testing, brute forcing, and account lockout attacks. | 1 | | 5 | H | M |
| 2.21 | AUTHENTICATION | Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location. | 2 | | 0 | H | L |
| 2.22 | AUTHENTICATION | Verify that forgotten password and other recovery paths use a TOTP or other soft token, mobile push, or other offline recovery mechanism. Use of a random value in an e-mail or SMS should be a last resort and is known weak. | 1 | | 0 | H | M |
| 2.23 | AUTHENTICATION | Verify that account lockout is divided into soft and hard lock status, and these are not mutually exclusive. If an account is temporarily soft locked out due to a brute force attack, this should not reset the hard lock status. | 2 | | 0 | M | M |
| 2.24 | AUTHENTICATION | Verify that if knowledge based questions (also known as "secret questions") are required, the questions do not violate privacy laws and are sufficiently strong to protect accounts from malicious recovery. | 1 | | 0 | H | L |
| 2.25 | AUTHENTICATION | Verify that the system can be configured to disallow the use of a configurable number of previous passwords. | 2 | | 0 | M | L |
| 2.26 | AUTHENTICATION | Verify re-authentication, step up or adaptive authentication, two factor authentication, or transaction signing is in place for high value transactions. | 2 | | 0 | H | M |
| 2.27 | AUTHENTICATION | Verify that measures are in place to block the use of commonly chosen passwords and weak passphrases. | 1 | | 0 | H | H |
| 2.28 | AUTHENTICATION | Verify that all authentication challenges, whether successful or failed, should respond in the same average response time. | 3 | | 5 | L | L |
| 2.29 | AUTHENTICATION | Verify that secrets, API keys, and passwords are not included in the source code, or online source code repositories. | 3 | | 5 | H | L |
| 2.31 | AUTHENTICATION | … two-factor, biometric (Touch ID or similar), or equivalent multi-factor authentication mechanism that provides protection against single factor credential disclosure. | 2 | | 4 | H | L |
| 2.32 | AUTHENTICATION | Verify that administrative interfaces are not accessible to untrusted parties. | 1 | | 4 | H | H |
| 2.33 | AUTHENTICATION | Verify that the application is compatible with browser based and third party password managers, unless prohibited by risk based policy. | 1 | | 4 | M | M |
| 3.1 | SESSION MANAGEMENT | Verify that there is no custom session manager, or that the custom session manager is resistant against all common session management attacks. | 1 | | 0 | H | L |
| 3.2 | SESSION MANAGEMENT | Verify that sessions are invalidated when the user logs out. | 1 | | 0 | M | L |
| 3.3 | SESSION MANAGEMENT | Verify that sessions timeout after a specified period of inactivity. | 1 | | 0 | M | M |
| 3.4 | SESSION MANAGEMENT | Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). | 2 | | 0 | M | L |
| 3.5 | SESSION MANAGEMENT | Verify that all pages that require authentication have easy and visible access to logout functionality. | 1 | | 0 | L | L |
| 3.6 | SESSION MANAGEMENT | Verify that the session id is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. | 1 | | 0 | H | L |
| 3.7 | SESSION MANAGEMENT | Verify that all successful authentication and re-authentication generates a new session and session id. | 1 | | 0 | M | L |
| 3.10 | SESSION MANAGEMENT | Verify that only session ids generated by the application framework are recognized as active by the application. | 1 | | 0 | M | M |
| 3.11 | SESSION MANAGEMENT | Verify that session ids are sufficiently long, random and unique across the correct active session base. | 1 | | 0 | H | M |
| 3.12 | SESSION MANAGEMENT | Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and authentication session tokens additionally set the “HttpOnly” and “secure” attributes. | 1 | | 0 | H | L |
| 3.16 | SESSION MANAGEMENT | Verify that high value applications limit the number of active concurrent sessions. | 3 | | 0 | M | L |
| 3.17 | SESSION MANAGEMENT | Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session. | 2 | | 0 | L | L |
| 3.18 | SESSION MANAGEMENT | Verify for high value applications, the user is prompted with the option to terminate all other active sessions after a successful change password process. | 3 | | 0 | L | L |
| 4.1 | ACCESS CONTROL | Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. | 1 | | 0 | H | M |
| 4.4 | ACCESS CONTROL | Verify that access to sensitive records is protected, such that only authorized objects or data is accessible to each user (for example, protect against users tampering with a parameter to see or alter another user's account). | 1 | | 0 | H | M |
| 4.5 | ACCESS CONTROL | Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders. | 1 | | 0 | L | L |
| 4.8 | ACCESS CONTROL | Verify that access controls fail securely. | 1 | | 0 | H | L |
| 4.9 | ACCESS CONTROL | Verify that the same access control rules implied by the presentation layer are enforced on the server side. | 1 | | 0 | H | M |
| 4.10 | ACCESS CONTROL | Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. | 2 | | 0 | H | H |
| 4.11 | ACCESS CONTROL | Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource. | 3 | | 0 | M | L |
| 4.12 | ACCESS CONTROL | Verify that all access control decisions can be logged and all failed decisions are logged. | 2 | | 0 | M | L |
| 4.13 | ACCESS CONTROL | Verify that the application or framework uses strong random anti-CSRF tokens or has another transaction protection mechanism. | 1 | | 0 | H | M |
| 4.14 | ACCESS CONTROL | Verify the system can protect against aggregate or continuous access of secured functions, resources, or data. For example, consider the use of a resource governor to limit the number of edits per hour or to prevent the entire database from being scraped by an individual user. | 2 | | 0 | M | L |
| 4.15 | ACCESS CONTROL | Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of fraud. | 2 | | 0 | M | L |
| 4.16 | ACCESS CONTROL | Verify that the application correctly enforces context-sensitive authorisation so as to not allow unauthorised manipulation by means of parameter tampering. | 1 | | 0 | H | H |
| 5.1 | MALICIOUS INPUT HANDLING | Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows. | 1 | | 0 | H | M |
| 5.3 | MALICIOUS INPUT HANDLING | Verify that server side input validation failures result in request rejection and are logged. | 1 | | 0 | H | H |
| 5.5 | MALICIOUS INPUT HANDLING | Verify that input validation routines are enforced on the server side. | 1 | | 0 | H | H |
| 5.6 | MALICIOUS INPUT HANDLING | Verify that a single input validation control is used by the application for each type of data that is accepted. | 3 | | 0 | M | M |
| 5.10 | MALICIOUS INPUT HANDLING | Verify that all SQL queries, HQL, OSQL, NOSQL and stored procedures, calling of stored procedures are protected by the use of prepared statements or query parameterization, and thus not susceptible to SQL injection. | 1 | | 0 | H | H |
| 5.11 | MALICIOUS INPUT HANDLING | Verify that the application is not susceptible to LDAP Injection, or that security controls prevent LDAP Injection. | 1 | | 0 | H | H |
| 5.12 | MALICIOUS INPUT HANDLING | Verify that the application is not susceptible to OS Command Injection, or that security controls prevent OS Command Injection. | 1 | | 0 | H | H |
| 5.13 | MALICIOUS INPUT HANDLING | Verify that the application is not susceptible to Remote File Inclusion (RFI) or Local File Inclusion (LFI) when content is used that is a path to a file. | 1 | | 0 | H | H |
| 5.14 | MALICIOUS INPUT HANDLING | Verify that the application is not susceptible to common XML attacks, such as XPath query tampering, XML External Entity attacks, and XML injection attacks. | 1 | | 0 | H | H |
| 5.15 | MALICIOUS INPUT HANDLING | Ensure that all string variables placed into HTML or other web client code is either properly contextually encoded manually, or utilize templates that automatically contextually encode to ensure the application is not susceptible to reflected, stored and DOM Cross-Site Scripting (XSS) attacks. | 1 | | 0 | H | H |
| 5.16 | MALICIOUS INPUT HANDLING | If the application framework allows automatic mass parameter assignment (also called automatic variable binding) from the inbound request to a model, verify that security sensitive fields such as “accountBalance”, “role” or “password” are protected from malicious automatic binding. | 2 | | 0 | H | M |
| 5.17 | MALICIOUS INPUT HANDLING | Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, environment, etc.). | 2 | | 0 | M | M |
| 5.18 | MALICIOUS INPUT HANDLING | Verify that client side validation is used as a second line of defense, in addition to server side validation. | 2 | | 0 | L | L |
| 5.19 | MALICIOUS INPUT HANDLING | Verify that all input data is validated, not only HTML form fields but all sources of input such as REST calls, query parameters, HTTP headers, cookies, batch files, RSS feeds, etc; using positive validation (whitelisting), then lesser forms of validation such as greylisting (eliminating known bad strings), or rejecting bad inputs (blacklisting). | 2 | | 0 | H | L |
| 5.20 | MALICIOUS INPUT HANDLING | Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as validating suburbs and zip or post codes match). | 2 | | 0 | M | L |
| 5.21 | MALICIOUS INPUT HANDLING | Verify that unstructured data is sanitized to enforce generic safety measures such as allowed characters and length, and characters potentially harmful in given context should be escaped (e.g. natural names with Unicode or apostrophes, such as ねこ or O'Hara). | 2 | | 0 | M | M |
| 5.22 | MALICIOUS INPUT HANDLING | Make sure untrusted HTML from WYSIWYG editors or similar are properly sanitized with an HTML sanitizer and handle it appropriately according to the input validation task and encoding task. | 1 | | 0 | H | H |
| 5.23 | MALICIOUS INPUT HANDLING | … templating AND auto-escaping is disabled, output should be manually contextually encoded or sanitized. | 2 | | 0 | H | H |
| 5.24 | MALICIOUS INPUT HANDLING | Verify that where data is transferred from one DOM context to another, the transfer uses safe JavaScript methods, such as using .innerText and .val. | 2 | | 0 | H | L |
| 5.25 | MALICIOUS INPUT HANDLING | Verify when parsing JSON in browsers, that JSON.parse is used to parse JSON on the client. Do not use eval() to parse JSON on the client. | 2 | | 0 | H | M |
| 5.26 | MALICIOUS INPUT HANDLING | Verify that authenticated data is cleared from client storage, such as the browser DOM, after the session is terminated. | 2 | | 0 | M | L |
| 7.2 | CRYPTOGRAPHY AT REST | Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks. | 1 | | 0 | H | L |
| 7.6 | CRYPTOGRAPHY AT REST | Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker. | 2 | | 0 | M | L |
| 7.7 | CRYPTOGRAPHY AT REST | Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. | 1 | | 0 | H | M |
| 7.8 | CRYPTOGRAPHY AT REST | Verify that cryptographic modules operate in their approved mode according to their published security policies. | 3 | | 0 | M | L |
| 7.9 | CRYPTOGRAPHY AT REST | Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced. | 2 | | 0 | H | L |
| 7.11 | CRYPTOGRAPHY AT REST | Verify that all consumers of cryptographic services do not have direct access to key material. Isolate cryptographic processes, including master secrets and consider the use of a virtualized or physical hardware key vault (HSM). | 3 | | 0 | H | L |
| 7.12 | CRYPTOGRAPHY AT REST | Verify that sensitive and Personally Identifiable Information is stored encrypted at rest, and in transit. | 2 | | 0 | H | M |
| 7.13 | CRYPTOGRAPHY AT REST | Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks. | 2 | | 0 | M | L |
| 7.14 | CRYPTOGRAPHY AT REST | Verify that all keys and passwords are replaceable, and are generated or replaced at installation time. | 2 | | 0 | H | L |
| 7.15 | CRYPTOGRAPHY AT REST | Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances. | 3 | | 0 | M | L |
| 8.1 | ERROR HANDLING AND LOGGING | Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information. | 1 | | 0 | L | M |
| 8.2 | ERROR HANDLING AND LOGGING | Verify that error handling logic in security controls denies access by default. | 2 | | 0 | H | M |
| 8.3 | ERROR HANDLING AND LOGGING | Verify security logging controls provide the ability to log success and particularly failure events that are identified as security-relevant. | 2 | | 0 | M | L |
| 8.4 | ERROR HANDLING AND LOGGING | Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. | 2 | | 0 | M | L |
| 8.5 | ERROR HANDLING AND LOGGING | Verify that all events that include untrusted data will not execute as code in the intended log viewing software. | 2 | | 0 | H | L |
| 8.6 | ERROR HANDLING AND LOGGING | Verify that security logs are protected from unauthorized access and modification. | 2 | | 0 | L | L |
| 8.7 | ERROR HANDLING AND LOGGING | Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user’s session identifiers, passwords, hashes, or API tokens. | 2 | | 0 | M | L |
| 8.8 | ERROR HANDLING AND LOGGING | Verify that all non-printable symbols and field separators are properly encoded in log entries, to prevent log injection. | 3 | | 0 | L | L |
| 8.9 | ERROR HANDLING AND LOGGING | Verify that log fields from trusted and untrusted sources are distinguishable in log entries. | 3 | | 0 | L | L |
| 8.10 | ERROR HANDLING AND LOGGING | Verify that an audit log or similar allows for non-repudiation of key transactions. | 1 | | 0 | M | L |
| 8.11 | ERROR HANDLING AND LOGGING | Verify that security logs have some form of integrity checking or controls to prevent unauthorized modification. | 3 | | 0 | M | L |
| 8.12 | ERROR HANDLING AND LOGGING | Verify that logs are stored on a different partition than the application is running with proper log rotation. | 3 | | 0 | M | L |
| 8.13 | ERROR HANDLING AND LOGGING | Verify that time sources are synchronized to the correct time and time zone. | 1 | | 0 | L | L |
| 9.1 | DATA PROTECTION | Verify that all forms containing sensitive information have disabled client side caching, including autocomplete features. | 1 | | 0 | M | L |
| 9.2 | DATA PROTECTION | Verify that the list of sensitive data processed by the application is identified, and that there is an explicit policy for how access to this data must be controlled, encrypted and enforced under relevant data protection directives. | 3 | | 0 | L | L |
| 9.3 | DATA PROTECTION | Verify that all sensitive data is sent to the server in the HTTP message body or headers (i.e., URL parameters are never used to send sensitive data). | 1 | | 0 | M | M |
| 9.4 | DATA PROTECTION | … information displayed by the application or entered by the user should not be cached on disk by mainstream browsers. | 1 | | 0 | M | L |
| 9.5 | DATA PROTECTION | Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data. | 2 | | 0 | M | L |
| 9.6 | DATA PROTECTION | Verify that there is a method to remove each type of sensitive data from the application at the end of the required retention policy. | 3 | | 0 | L | L |
| 9.7 | DATA PROTECTION | Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values. | 2 | | 0 | L | L |
| 9.8 | DATA PROTECTION | Verify the application has the ability to detect and alert on abnormal numbers of requests for data harvesting for an example screen scraping. | 3 | | 0 | L | M |
| 9.9 | DATA PROTECTION | Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII. | 1 | | 0 | M | L |
| 9.10 | DATA PROTECTION | Verify accessing sensitive data is logged, if the data is collected under relevant data protection directives or where logging of accesses is required. | 2 | | 0 | M | L |
| 9.11 | DATA PROTECTION | Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks. | 2 | | 0 | M | L |
| 10.1 | COMMUNICATIONS SECURITY | Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid. | 1 | | 0 | M | M |
| 10.3 | COMMUNICATIONS SECURITY | Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions, and does not fall back to insecure or unencrypted protocols. | 1 | | 0 | H | H |
| 10.4 | COMMUNICATIONS SECURITY | Verify that backend TLS connection failures are logged. | 3 | | 0 | L | L |
| 10.5 | COMMUNICATIONS SECURITY | Verify that certificate paths are built and verified for all client certificates using configured trust anchors and revocation information. | 3 | | 0 | L | L |
| 10.6 | COMMUNICATIONS SECURITY | Verify that all connections to external systems that involve sensitive information or functions are authenticated. | 2 | | 0 | H | H |
| 10.8 | COMMUNICATIONS SECURITY | Verify that there is a single standard TLS implementation that is used by the application that is configured to operate in an approved mode of operation. | 3 | | 0 | H | L |
| 10.10 | COMMUNICATIONS SECURITY | Verify that TLS certificate public key pinning (HPKP) is implemented with production and backup public keys. For more information, please see the references below. | 2 | | 0 | H | L |
| 10.11 | COMMUNICATIONS SECURITY | Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains | 1 | | 0 | H | M |
| 10.12 | COMMUNICATIONS SECURITY | Verify that production website URL has been submitted to preloaded list of Strict Transport Security domains maintained by web browser vendors. Please see the references below. | 3 | | 0 | M | L |
| 10.13 | COMMUNICATIONS SECURITY | Verify that perfect forward secrecy is configured to mitigate passive attackers recording traffic. | 1 | | 0 | M | L |
| 10.14 | COMMUNICATIONS SECURITY | Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured. | 1 | | 0 | L | L |
| 10.15 | COMMUNICATIONS SECURITY | Verify that only strong algorithms, ciphers, and protocols are used, through all the certificate hierarchy, including root and intermediary certificates of your selected certifying authority. | 1 | | 0 | M | L |
| 10.16 | COMMUNICATIONS SECURITY | Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure. | 1 | | 0 | M | L |
| 11.1 | HTTP SECURITY CONFIGURATION | Verify that the application accepts only a defined set of required HTTP request methods, such as GET and POST are accepted, and unused methods (e.g. TRACE, PUT, and DELETE) are explicitly blocked. | 1 | | 0 | L | M |
| 11.2 | HTTP SECURITY CONFIGURATION | Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1). | 1 | | 0 | H | L |
| 11.3 | HTTP SECURITY CONFIGURATION | Verify that HTTP headers added by a trusted proxy or SSO devices, such as a bearer token, are authenticated by the application. | 2 | | 0 | L | L |
| 11.4 | HTTP SECURITY CONFIGURATION | Verify that a suitable X-FRAME-OPTIONS header is in use for sites where content should not be viewed in a 3rd-party X-Frame. | 2 | | 0 | M | L |
| 11.5 | HTTP SECURITY CONFIGURATION | Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. | 1 | | 0 | L | M |
| 11.6 | HTTP SECURITY CONFIGURATION | Verify that all API responses contain X-Content-Type-Options: nosniff and Content-Disposition: attachment; filename="api.json" (or other appropriate filename for the content type). | 1 | | 0 | L | L |
| 11.7 | HTTP SECURITY CONFIGURATION | Verify that a content security policy (CSPv2) is in place that helps mitigate common DOM, XSS, JSON, and JavaScript injection vulnerabilities. | 1 | | 0 | M | M |
| 11.8 | HTTP SECURITY CONFIGURATION | Verify that the X-XSS-Protection: 1; mode=block header is in place to enable browser reflected XSS filters. | 1 | | 0 | L | L |
| 13.1 | MALICIOUS CONTROLS | Verify all malicious activity is adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications. | 3 | | 0 | M | M |
| 13.2 | MALICIOUS CONTROLS | Verify that the application source code, and as many third party libraries as possible, does not contain back doors, Easter eggs, and logic flaws in authentication, access control, input validation, and the business logic of high value functions. | 3 | | 0 | H | L |
| 15.1 | BUSINESS LOGIC | Verify the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and not process out of order, skipped steps, process steps from another user, or too quickly submitted transactions. | 2 | | 0 | H | M |
| 15.2 | BUSINESS LOGIC | Verify the application has business limits and correctly enforces on a per user basis, with configurable alerting and automated reactions to automated or unusual attack. | 2 | | 0 | H | M |
| 16.1 | FILES AND RESOURCES | Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. | 1 | | 0 | M | M |
| 16.2 | FILES AND RESOURCES | Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file mime type, reflective file download, and OS command injection vulnerabilities. | 1 | | 0 | H | M |
| 16.3 | FILES AND RESOURCES | Verify that files obtained from untrusted sources are validated to be of expected type and scanned by antivirus scanners to prevent upload of known malicious content. | 1 | | 0 | M | M |
| 16.4 | FILES AND RESOURCES | Verify that untrusted data is not used within inclusion, class loader, or reflection capabilities to prevent remote/local file inclusion vulnerabilities. | 1 | | 0 | H | M |
| 16.5 | FILES AND RESOURCES | Verify that untrusted data is not used within cross-domain resource sharing (CORS) to protect against arbitrary remote content. | 1 | | 0 | H | H |
| 16.6 | FILES AND RESOURCES | Verify that files obtained from untrusted sources are stored outside the webroot, with limited permissions, preferably with strong validation. | 2 | | 0 | H | M |
| 16.7 | FILES AND RESOURCES | Verify that the web or application server is configured by default to deny access to remote resources or systems outside the web or application server. | 2 | | 0 | H | L |
| 16.8 | FILES AND RESOURCES | Verify the application code does not execute uploaded data obtained from untrusted sources. | 1 | | 0 | H | M |
| 16.9 | FILES AND RESOURCES | Verify that unsupported, insecure or deprecated client-side technologies are not used, such as NSAPI plugins, Flash, Shockwave, Active-X, Silverlight, NACL, or client-side Java applets. | 1 | | 0 | H | M |
| 17.1 | MOBILE | Verify that ID values stored on the device and retrievable by other applications, such as the UDID or IMEI number are not used as authentication tokens. | 1 | NA | 0 | M | L |
| 17.2 | MOBILE | Verify that the mobile app does not store sensitive data onto potentially unencrypted shared resources on the device (e.g. SD card or shared folders). | 1 | NA | 0 | H | L |
| 17.3 | MOBILE | Verify that sensitive data is not stored unprotected on the device, even in system protected areas such as key chains. | 1 | NA | 0 | H | L |
| 17.4 | MOBILE | Verify that secret keys, API tokens, or passwords are dynamically generated in mobile applications. | 1 | NA | 0 | M | L |
| 17.5 | MOBILE | Verify that the mobile app prevents leaking of sensitive information (for example, screenshots are saved of the current application as the application is backgrounded or writing sensitive information in console). | 2 | NA | 0 | L | L |
| 17.6 | MOBILE | Verify that the application is requesting minimal permissions for required functionality and resources. | 2 | NA | 0 | M | L |
| 17.7 | MOBILE | Verify that the application sensitive code is laid out unpredictably in memory (For example ASLR). | 1 | NA | 0 | M | L |
| 17.8 | MOBILE | Verify that there are anti-debugging techniques present that are sufficient enough to deter or delay likely attackers from injecting debuggers into the mobile app (For example GDB). | 3 | NA | 0 | M | L |
| 17.9 | MOBILE | Verify that the app does not export sensitive activities, intents, or content providers for other mobile apps on the same device to exploit. | 1 | NA | 0 | M | L |
| 17.10 | MOBILE | Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks. | 2 | NA | 0 | M | L |
| 17.11 | MOBILE | Verify that the app validates input to exported activities, intents, or content providers. | 1 | NA | 0 | H | M |
| 18.1 | WEB SERVICES | Verify that the same encoding style is used between the client and the server. | 1 | | 0 | L | L |
| 18.2 | WEB SERVICES | Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. | 1 | | 0 | H | M |
| 18.3 | WEB SERVICES | Verify that XML or JSON schema is in place and verified before accepting input. | 1 | | 0 | M | M |
| 18.4 | WEB SERVICES | Verify that all input is limited to an appropriate size limit. | 1 | | 0 | L | L |
| 18.5 | WEB SERVICES | Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption. | 1 | | 0 | H | M |
| 18.6 | WEB SERVICES | Verify the use of session-based authentication and authorization. Please refer to sections 2, 3 and 4 for further guidance. Avoid the use of static "API keys" and similar. | 1 | | 0 | M | M |
| 18.7 | WEB SERVICES | Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one or more of the following: ORIGIN checks, double submit cookie pattern, CSRF nonces, and referrer checks. | 1 | | 0 | H | M |
| 18.8 | WEB SERVICES | Verify the REST service explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. | 2 | | 0 | M | L |
| 18.9 | WEB SERVICES | Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. | 2 | | 5 | L | L |
| 18.10 | WEB SERVICES | Verify that alternative and less secure access paths do not exist. | 2 | | 0 | M | L |
| 19.1 | CONFIGURATION | All components should be up to date with proper security configuration(s) and version(s). This should include removal of unneeded configurations and folders such as sample applications, platform documentation, and default or example users. | 1 | | 0 | H | L |
| 19.2 | CONFIGURATION | Communications between components, such as between the application server and the database server, should be encrypted, particularly when the components are in different containers or on different systems. | 2 | | 0 | H | L |
| 19.3 | CONFIGURATION | Verify that communication between components, such as between the application server and the database server, is authenticated using an account with the least necessary privileges. | 2 | | 0 | H | L |
| 19.4 | CONFIGURATION | Verify application deployments are adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications. | 2 | | 0 | H | L |
| 19.5 | CONFIGURATION | Verify that the application build and deployment processes are performed in a secure and repeatable method, such as CI / CD automation and automated configuration management. | 2 | | 0 | H | L |
| 19.6 | CONFIGURATION | Verify that authorised administrators have the capability to verify the integrity of all security-relevant configurations to detect tampering. | 3 | | 0 | M | L |
| 19.7 | CONFIGURATION | Verify that all application components are signed. | 3 | | 0 | M | L |
| 19.8 | CONFIGURATION | Verify that third party components come from trusted repositories. | 3 | | 0 | H | M |
| 19.9 | CONFIGURATION | Verify that build processes for system level languages have all security flags enabled, such as ASLR, DEP, and security checks. | 3 | | 0 | H | L |
| 19.10 | CONFIGURATION | … application, such as JavaScript libraries, CSS stylesheets and web fonts are hosted by the application rather than … | 3 | | 0 | H | L |
| 19.11 | CONFIGURATION | Verify that all application components, services, and servers each use their own low privilege service account, that is not shared between applications nor used by administrators. | 2 | | 0 | H | L |
| 20.1 | INTERNET OF THINGS (IOT) | Verify that application layer debugging interfaces such USB or serial are disabled. | 1 | NA | 0 | H | L |
| 20.2 | INTERNET OF THINGS (IOT) | Verify that cryptographic keys are unique to each individual device. | 1 | NA | 0 | H | H |
| 20.3 | INTERNET OF THINGS (IOT) | Verify that memory protection controls such as ASLR and DEP are enabled by the IoT operating system, if applicable. | 1 | NA | 0 | M | L |
| 20.4 | INTERNET OF THINGS (IOT) | Verify that on-chip debugging interfaces such as JTAG or SWD are disabled or that available protection mechanism is enabled and configured appropriately. | 1 | NA | 0 | M | L |
| 20.5 | INTERNET OF THINGS (IOT) | Verify that physical debug headers are not present on the device. | 1 | NA | 0 | H | L |
| 20.6 | INTERNET OF THINGS (IOT) | Verify that sensitive data is not stored unencrypted on the device. | 1 | NA | 0 | H | L |
| 20.7 | INTERNET OF THINGS (IOT) | Verify that the device prevents leaking of sensitive information. | 1 | NA | 0 | H | M |
| 20.8 | INTERNET OF THINGS (IOT) | Verify that the firmware apps protect data-in-transit using transport security. | 1 | NA | 0 | H | H |
| 20.9 | INTERNET OF THINGS (IOT) | Verify that the firmware apps validate the digital signature of server connections. | 1 | NA | 0 | H | H |
| 20.10 | INTERNET OF THINGS (IOT) | Verify that wireless communications are mutually authenticated. | 1 | NA | 0 | H | H |
| 20.11 | INTERNET OF THINGS (IOT) | Verify that wireless communications are sent over an encrypted channel. | 1 | NA | 0 | H | H |
| 20.12 | INTERNET OF THINGS (IOT) | Verify that the firmware apps pin the digital signature to a trusted server(s). | 2 | NA | 0 | H | L |
| 20.13 | INTERNET OF THINGS (IOT) | Verify the presence of physical tamper resistance and/or tamper detection features, including epoxy. | 2 | NA | 0 | H | L |
| 20.14 | INTERNET OF THINGS (IOT) | Verify that identifying markings on chips have been removed. | 2 | NA | 0 | H | L |
| 20.15 | INTERNET OF THINGS (IOT) | Verify that any available Intellectual Property protection technologies provided by the chip manufacturer are enabled. | 2 | NA | 0 | M | L |
| 20.16 | INTERNET OF THINGS (IOT) | Verify security controls are in place to hinder reverse engineering (e.g., removal of verbose debugging strings). | 2 | NA | 0 | M | L |
| 20.17 | INTERNET OF THINGS (IOT) | Verify the device validates the boot image signature before loading. | 2 | NA | 0 | H | M |
| 20.18 | INTERNET OF THINGS (IOT) | Verify that the firmware update process is not vulnerable to time-of-check vs time-of-use attacks. | 2 | NA | 0 | H | L |
| 20.19 | INTERNET OF THINGS (IOT) | Verify the device uses code signing and validates firmware upgrade files before installing. | 2 | NA | 0 | H | M |
| 20.20 | INTERNET OF THINGS (IOT) | Verify that the device cannot be downgraded to old versions of valid firmware. | 2 | NA | 0 | H | L |
| 20.21 | INTERNET OF THINGS (IOT) | Verify usage of cryptographically secure pseudo-random number generator on embedded device (e.g., using chip-provided random number generators). | 2 | NA | 0 | M | L |
| 20.22 | INTERNET OF THINGS (IOT) | Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message. | 3 | NA | 0 | M | M |
| 20.23 | INTERNET OF THINGS (IOT) | Verify that only microcontrollers that support disabling debugging interfaces (e.g. JTAG, SWD) are used. | 3 | NA | 0 | M | L |
| 20.24 | INTERNET OF THINGS (IOT) | Verify that only microcontrollers that provide substantial protection from de-capping and side channel attacks are used. | 3 | NA | 0 | M | L |
| 20.25 | INTERNET OF THINGS (IOT) | Verify that sensitive traces are not exposed to outer layers of the printed circuit board. | 3 | NA | 0 | M | L |
| 20.26 | INTERNET OF THINGS (IOT) | Verify that inter-chip communication is encrypted. | 3 | NA | 0 | L | L |
| 20.27 | INTERNET OF THINGS (IOT) | | | | | | |
| 20.28 | INTERNET OF THINGS (IOT) | | | | | | |
| 20.29 | INTERNET OF THINGS (IOT) | | | | | | |
Verify the device uses code signing and validates code
Verify
beforethat sensitive information maintained in memory
execution. 3 NA 0H H
is overwritten with zeros as soon as it is no longer 3 NA 0M L
Verify that the firmware apps utilize kernel containers
required.
for isolation between apps. 3 NA 0M L
Risk  Residual Risk  Score
L I 0
L I 0
L L 2
L L 2
L L 2
L L 2
M M 5
L L 2
L L 2
H I 0
M M 5
M L 2
M M 5
M L 2
H H 7
H H 7
H H 7
H H 7
L L 2
M M 5
H H 7
H H 7
L L 2
M M 5
H I 0
M M 5
H H 7
M M 5
M M 5
L L 2
H H 7
H H 7
L I 0
M I 0
M L 2
H L 2
M L 2
M M 5
L L 2
M M 5
L L 2
L L 2
M M 5
L L 2
M M 5
H H 7
M M 5
L L 2
L L 2
L L 2
H H 7
H H 7
L L 2
M M 5
H H 7
H H 7
L L 2
L L 2
H H 7
L L 2
L L 2
H H 7
H H 7
H H 7
H H 7
M M 5
H H 7
H H 7
H H 7
H H 7
H H 7
H H 7
H H 7
M M 5
L L 2
M M 5
L L 2
M M 5
H H 7
H H 7
M M 5
H H 7
L L 2
M M 5
L L 2
H H 7
L L 2
M M 5
M M 5
H H 7
L L 2
M M 5
L L 2
L L 2
H H 7
L L 2
L L 2
M M 5
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
M M 5
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
M M 5
H H 7
L L 2
L L 2
H H 7
M M 5
M M 5
H H 7
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
M M 5
L L 2
L L 2
L L 2
L L 2
M M 5
L L 2
M M 5
M M 5
H H 7
H H 7
M M 5
H H 7
M M 5
H H 7
H H 7
H H 7
M M 5
H H 7
H H 7
L L 2
M M 5
M M 5
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
L L 2
H H 7
L L 2
H H 7
M M 5
L L 2
H H 7
M M 5
H H 7
L L 2
L I 0
L L 2
M M 5
M M 5
M M 5
M M 5
M M 5
L L 2
L L 2
H H 7
M M 5
M M 5
M M 5
M M 5
H H 7
L L 2
L L 2
M M 5
M M 5
H H 7
H H 7
H H 7
H H 7
H H 7
M M 5
M M 5
M M 5
L L 2
L L 2
H H 7
M M 5
H H 7
M M 5
L L 2
M M 5
L L 2
L L 2
L L 2
L L 2
H H 7
L L 2
L L 2
Notes
Application does not have a mobile interface

The application really should be using TLS, making this sort of signing
irrelevant. If application uses TLS everywhere set CR = 5

Application does not have IoT components


Vuln # | Category | Vuln ID | Title | Description | Impact | Likelihood | Severity | Score
1 | AUTHENTICATION | | Brute force attack | | M | M | M | 5
2 | SESSION MANAGEMENT | | Session cookies are non-random | | H | H | H | 7
(remaining vulnerability rows are empty, score 0)
Total score: 12
Residual Risk Look Up Table (rows: Control Rating; columns: Risk Score)
Control Rating | L | M | H
0 | L | M | H
1 | L | M | H
2 | L | M | H
3 | L | M | M
4 | I | L | L
5 | I | I | I

DO NOT MODIFY THIS PAGE, THIS TABLE IS A LOOK UP TABLE

Severity (rows: Likelihood; columns: Impact)
Likelihood | L | M | H
L | L | L | M
M | L | M | H
H | M | H | H

Numeric Risk Score
Severity | Numeric
I | 0
L | 2
M | 5
H | 7
TOTALS
CR: 0
Pot. CR: 1055
Safe Guard Index: 0.00%

Threat CR Potential CR
1.1 5
1.2 5
1.3 5
1.4 5
1.5 5
1.6 5
1.7 5
1.8 5
1.9 5
1.11 5
2.1 5
2.2 5
2.4 5
2.6 5
2.7 5
2.8 5
2.9 5
2.12 5
2.13 5
2.16 5
2.17 5
2.18 5
2.19 5
2.20 5
2.21 5
2.22 5
2.23 5
2.24 5
2.25 5
2.26 5
2.27 5
2.28 5
2.29 5
2.31 5
2.32 5
2.33 5
3.1 5
3.2 5
3.3 5
3.4 5
3.5 5
3.6 5
3.7 5
3.10 5
3.11 5
3.12 5
3.16 5
3.17 5
3.18 5
4.1 5
4.4 5
4.5 5
4.8 5
4.9 5
4.10 5
4.11 5
4.12 5
4.13 5
4.14 5
4.15 5
4.16 5
5.1 5
5.3 5
5.5 5
5.6 5
5.10 5
5.11 5
5.12 5
5.13 5
5.14 5
5.15 5
5.16 5
5.17 5
5.18 5
5.19 5
5.20 5
5.21 5
5.22 5
5.23 5
5.24 5
5.25 5
5.26 5
7.2 5
7.6 5
7.7 5
7.8 5
7.9 5
7.11 5
7.12 5
7.13 5
7.14 5
7.15 5
8.1 5
8.2 5
8.3 5
8.4 5
8.5 5
8.6 5
8.7 5
8.8 5
8.9 5
8.10 5
8.11 5
8.12 5
8.13 5
9.1 5
9.2 5
9.3 5
9.4 5
9.5 5
9.6 5
9.7 5
9.8 5
9.9 5
9.10 5
9.11 5
10.1 5
10.3 5
10.4 5
10.5 5
10.6 5
10.8 5
10.10 5
10.11 5
10.12 5
10.13 5
10.14 5
10.15 5
10.16 5
11.1 5
11.2 5
11.3 5
11.4 5
11.5 5
11.6 5
11.7 5
11.8 5
13.1 5
13.2 5
15.1 5
15.2 5
16.1 5
16.2 5
16.3 5
16.4 5
16.5 5
16.6 5
16.7 5
16.8 5
16.9 5
17.1 NA 5
17.2 NA 5
17.3 NA 5
17.4 NA 5
17.5 NA 5
17.6 NA 5
17.7 NA 5
17.8 NA 5
17.9 NA 5
17.10 NA 5
17.11 NA 5
18.1 5
18.2 5
18.3 5
18.4 5
18.5 5
18.6 5
18.7 5
18.8 5
18.9 5
18.10 5
19.1 5
19.2 5
19.3 5
19.4 5
19.5 5
19.6 5
19.7 5
19.8 5
19.9 5
19.10 5
19.11 5
20.1 NA 5
20.2 NA 5
20.3 NA 5
20.4 NA 5
20.5 NA 5
20.6 NA 5
20.7 NA 5
20.8 NA 5
20.9 NA 5
20.10 NA 5
20.11 NA 5
20.12 NA 5
20.13 NA 5
20.14 NA 5
20.15 NA 5
20.16 NA 5
20.17 NA 5
20.18 NA 5
20.19 NA 5
20.20 NA 5
20.21 NA 5
20.22 NA 5
20.23 NA 5
20.24 NA 5
20.25 NA 5
20.26 NA 5
20.27 NA 5
20.28 NA 5
20.29 NA 5
Original | Description | Status | Removed | Reason
2.3 | Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks | Deprecated | 2.0 | A more complex requirement replaced it (v2.20)
2.5 | Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation. | Merged | 3.0 | Genericized to include all security controls and moved to 1.10
2.10 | Verify that re-authentication is required before any application-specific sensitive operations are permitted. | Deprecated | 2.0 | Re-authentication is so rarely observed that we decided to remove the control
2.11 | Verify that after an administratively-configurable period of time, authentication credentials expire. | Deprecated | 2.0 | Absolute timeouts and credential expiry removed as not being an effective control.
2.14 | Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source co… | Updated | 2.0 | Became V2.21
2.15 | Verify that all code implementing or using authentication controls is not affected by any malicious code. | Moved | 2.0 | Moved to V13 - Malicious Code
2.30 | Verify that if an application allows users to authenticate, they use a proven secure authentication mechanism. | Deprecated | 3.0.1 | Too ambiguous to be tested, actually a summary of all the V2 requirements
3.8 | Verify that the session id is changed upon re-authentication | Updated | 3.0 | Rolled into 3.7
3.9 | Verify that the session id is changed or cleared on logout | Updated | 3.0 | Rolled into 3.7
3.13 | Verify that all code implementing or using session management controls is not affected by any malicious code | Moved | 2.0 | Moved to V13 - Malicious code
3.14 | Verify that authenticated session tokens using cookies are protected by the use of "HttpOnly". | Updated | 3.0 | Moved into 3.13
3.15 | Verify that authenticated session tokens using cookies are protected with the "secure" attribute. | Updated | 3.0 | Moved into 3.13
4.2 | Verify that users can only access secured URLs for which they possess specific authorization. | Updated | 3.0 | Rolled into 4.1
4.3 | Verify that users can only access secured data files for which they possess specific authorization. | Updated | 3.0 | Rolled into 4.1
4.13 | Verify that limitations on input and access imposed by the business on the application (such as daily transaction limits or sequencing of tasks) cannot be by… | Moved | 3.0 | Moved to V15 Business Logic
4.15 | Verify that all code implementing or using access controls is not affected by any malicious code. | Moved | 2.0 | Moved to V13 Malicious Controls
5.2 | Verify that a positive validation pattern is defined and applied to all input | Deprecated | 2.0 | Removed as too difficult to implement particularly for free form text inputs
5.4 | Verify that a character set, such as UTF-8, is specified for all sources of input | Deprecated | 3.0 | Removed as too difficult to implement in most languages
5.7 | Verify that all input validation failures are logged. | Deprecated | 3.0 | Removed as would create too many useless logs that would be ignored
5.8 | Verify that all input data is canonicalized for all downstream decoders or interpreters prior to validation. | Deprecated | 3.0 | Removed as Type 1 JSP technology specific and not an issue for most modern frameworks
5.9 | Verify that all input validation controls are not affected by any malicious code | Moved | 2.0 | Moved to V13 Malicious controls
5.14 | Verify that the runtime environment is not susceptible to XML Injections or that security controls prevent XML Injections | Merged | 3.0 | Merged with V5.13
5.15 | -- EMPTY REQUIREMENT -- | Deleted | 3.0 | This requirement never existed
5.19 | Verify that for each type of output encoding/escaping performed by the application, there is a single security control for that type of output for the intende… | Merged | 3.0 | Genericized to include all security controls and moved to 1.10
7.1 | Verify that all cryptographic functions used to protect secrets from the application user are implemented server side | Deprecated | 3.0 | Many modern responsive and mobile apps include this by design
7.3 | Verify that access to any master secret(s) is protected from unauthorized access (A master secret is an application credential stored as plaintext on disk that… | Moved | 3.0 | Moved to V2.29
7.4 | Verify that password hashes are salted when they are created | Moved | 2.0 | Moved to V2.13
7.5 | Verify that cryptographic module failures are logged | Deprecated | 2.0 | Creating unnecessary logs that are never reviewed is counterproductive
7.10 | Verify that all code supporting or using a cryptographic module is not affected by any malicious code | Moved | 2.0 | Moved to V13
8.2 | Verify that all error handling is performed on trusted devices | Deprecated | 3.0 |
8.3 | Verify that all logging controls are implemented on the server. | Moved | 3.0 | Became a more generic architectural control V1.13
8.9 | Verify that there is a single application-level logging implementation that is used by the software. | Moved | 3.0 | Became a more generic architectural control V1.13
8.11 | Verify that a log analysis tool is available which allows the analyst to search for log events based on combinations of search criteria across all fields in the… | Deprecated | 3.0 | Removed as not required for secure software
8.12 | Verify that all code implementing or using error handling and logging controls is not affected by any malicious code. | Moved | 2.0 | Moved to V13 Malicious Controls
8.15 | Verify that logging is performed before executing the transaction. If logging was unsuccessful (e.g. disk full, insufficient permissions) the application fails sa… | Deprecated | 3.0 | Removed as too detailed a control that would only be applicable to small percentage of all apps
10.2 | Verify that failed TLS connections do not fall back to an insecure HTTP connection | Merged | 3.0 | Merged with 10.3
10.7 | Verify that all connections to external systems that involve sensitive information or functions use an account that has been set up to have the minimum privileges necessary for the application to function properly | | |
10.9 | Verify that specific character encodings are defined for all connections (e.g., UTF-8). | | |
V11.1 | Deprecated | | |
V11.4 | Deprecated | | |
V11.5 | Deprecated | | |
V11.6 | Deprecated | | |
V11.7 | Deprecated | | |
V11.8 | Deprecated | | |
V11.4 | Deprecated | | |
V13.1 | Deprecated | | |
V13.2 | Deprecated | | |
V13.3 | Deprecated | | |
V13.4 | Deprecated | | |
V13.5 | Deprecated | | |
V13.6 | Deprecated | | |
V13.7 | Deprecated | | |
V13.8 | Deprecated | | |
V13.9 | Deprecated | | |
15.1 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.2 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.3 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.4 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.5 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.6 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.7 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.9 | Business Logic Section. | Merged | 3.0 | Most of section 15 has been merged into 15.8 and 15.10.
15.11 | Verify that the application covers off risks associated with Spoofing, Tampering, Repudiation, Information Disclosure, and Elevation of privilege (STRIDE). | Duplicate | 3.0 | Duplicated requirement. Captured by V1.6
16.4 | Verify that parameters obtained from untrusted sources are not used in manipulating filenames, pathnames or any file system object without first being canoni… | Moved | 3.0 | Moved to V16.2
17.1 | Verify that the client validates SSL certificates | Deprecated | 3.0 | Duplicated requirement. General requirement already captured by V10.
V17.7 | Deprecated | | |
V17.8 | Deprecated | | |
V17.10 | Deprecated | | |
V17.11 | Deprecated | | |
V17.12 | Deprecated | | |
V17.13 | Deprecated | | |
V17.14 | Deprecated | | |
V17.15 | Deprecated | | |
V17.16 | Deprecated | | |
V17.17 | Deprecated | | |
V17.18 | Deprecated | | |
V17.19 | Deprecated | | |
V17.20 | Deprecated | | |
V17.22 | Deprecated | | |
V17.23 | Deprecated | | |
V17.24 | Deprecated | | |