├── .gitattributes ├── .github ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── config.yml │ └── standard-asvs-issue.md ├── pull_request_template.md └── workflows │ ├── build-and-publish-docker-image.yml │ ├── build-documents.yml │ ├── config │ ├── cspell.json │ ├── local-custom.txt │ └── url-checker-config.json │ ├── create-4.0-outputs.yml │ ├── create-5.0-outputs-debug.yml │ ├── create-5.0-outputs.yml │ ├── markdown-linter.yml │ ├── spell-check.yml │ └── url-checker.yml ├── .gitignore ├── .markdownlint.jsonc ├── 1.0 ├── About_OWASP_ASVS_Executive_Presentation.ppt ├── OWASP_ASVS_Presentation_Abstract.doc ├── asvs-covers-fr-texts.txt ├── asvs-pictures-pt-br.zip ├── asvs-pictures.odp ├── asvs-pictures.ppt ├── asvs-pictures.vsd ├── asvs-scale.vsd ├── asvs-translating.pdf ├── asvs-webapp-alpha-2008.doc ├── asvs-webapp-alpha-2008.pdf ├── asvs-webapp-beta-2008.doc ├── asvs-webapp-beta-2008.pdf ├── asvs-webapp-presentation-fr.ppt ├── asvs-webapp-release-2009-de.doc ├── asvs-webapp-release-2009-de.pdf ├── asvs-webapp-release-2009-en.doc ├── asvs-webapp-release-2009-en.pdf ├── asvs-webapp-release-2009-fr.odt ├── asvs-webapp-release-2009-fr.pdf ├── asvs-webapp-release-2009-id.pdf ├── asvs-webapp-release-2009-jp.doc ├── asvs-webapp-release-2009-jp.pdf ├── asvs-webapp-release-2009-pl.pdf ├── asvs-webapp-release-2009-pt-br.pdf ├── asvs-wiki-cover-bug.JPG ├── asvs-wiki-figure1.JPG ├── asvs-wiki-figure10.JPG ├── asvs-wiki-figure11.JPG ├── asvs-wiki-figure2.JPG ├── asvs-wiki-figure3.JPG ├── asvs-wiki-figure4.JPG ├── asvs-wiki-figure5.JPG ├── asvs-wiki-figure6.JPG ├── asvs-wiki-figure7.JPG ├── asvs-wiki-figure8.JPG ├── asvs-wiki-figure9.JPG ├── asvs-wiki-license.JPG ├── asvs-xml.zip ├── asvs-xml │ ├── asvs.xml │ ├── asvs.xsl │ ├── content.xml │ ├── odt2asvs.xsl │ └── readme.txt ├── owasp-google-code-asvs.JPG ├── owasp-google-code-asvs.doc └── wiki.zip ├── 2.0 ├── Asvs_2_PL.xlsx ├── OWASPApplicationSecurityVerificationStandard3.0.pdf ├── OWASP_ASVS_Version_2.docx └── 
OWASP_ASVS_Version_2_Persian.pdf ├── 3.0.1 ├── ASVS-excel-v3.0.1.xlsx ├── NIST_800-53_Mapping_to_ASVS_301.html ├── OWASP Application Security Verification Standard 3.0.1 in Hebrew.pdf ├── OWASP Application Security Verification Standard 3.0.1.docx ├── OWASP Application Security Verification Standard 3.0.1.pdf ├── OWASP Application Security Verification Standard Checklist 3.0.1.xlsx ├── OWASP_Application_Security_Verification_Standard_3.0.1 in Arabic.docx └── תקן אימות אבטחת היישומים.docx ├── 3.0 ├── OWASP Application Security Verification Standard 3.0.docx ├── OWASP Application Security Verification Standard 3.0.pdf ├── drafts │ ├── OWASP Application Security Verification Standard 3.0-5.docx │ └── OWASP Application Security Verification Standard v3.0.1 Redline.docx ├── spreadsheets │ ├── README.md │ ├── V02 - Authentication.xlsx │ ├── V03 - Session management.xlsx │ ├── V04 - Access Control.xlsx │ ├── V05 - Input validation malicious controls.xlsx │ ├── V06 - Client Side Security.xlsx │ ├── V08 - Error handling.xlsx │ ├── V10 - Communications Security.xlsx │ ├── V11 - HTTP Security.xlsx │ ├── V13 - Malicious Code Controls.xlsx │ ├── V15 - Business Logic Flaws.xlsx │ ├── V16 - File and resource.xlsx │ └── V17 - Mobile Controls.xlsx └── training │ └── AppSec EU 2016 ASVS 3.0 2 day training.pptx ├── 4.0 ├── .gitignore ├── OWASP Application Security Verification Standard 4.0.1-fa.pdf ├── OWASP Application Security Verification Standard 4.0.1-ja.pdf ├── OWASP Application Security Verification Standard 4.0.1-tr.pdf ├── OWASP Application Security Verification Standard 4.0.2-de.pdf ├── OWASP Application Security Verification Standard 4.0.2-ru.pdf ├── OWASP Application Security Verification Standard 4.0.3-ar.pdf ├── OWASP Application Security Verification Standard 4.0.3-de.pdf ├── OWASP Application Security Verification Standard 4.0.3-en.pdf ├── OWASP Application Security Verification Standard 4.0.3-es.pdf ├── OWASP Application Security Verification Standard 4.0.3-fr.pdf 
├── OWASP Application Security Verification Standard 4.0.3-it.pdf ├── OWASP Application Security Verification Standard 4.0.3-pt.pdf ├── OWASP Application Security Verification Standard 4.0.3-ru.pdf ├── OWASP Application Security Verification Standard 4.0.3-zh-cn.pdf ├── TRANSLATIONS.md ├── ar │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── cre_mapping_table.md ├── de │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── docs_ar │ ├── OWASP Application Security Verification Standard 4.0.3-ar.csv │ ├── OWASP Application Security Verification Standard 4.0.3-ar.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-ar.json │ └── OWASP Application Security Verification Standard 4.0.3-ar.xml ├── docs_de │ ├── OWASP 
Application Security Verification Standard 4.0.2-de.docx │ ├── OWASP Application Security Verification Standard 4.0.3-de.csv │ ├── OWASP Application Security Verification Standard 4.0.3-de.docx │ ├── OWASP Application Security Verification Standard 4.0.3-de.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-de.json │ ├── OWASP Application Security Verification Standard 4.0.3-de.xml │ └── de ├── docs_en │ ├── OWASP Application Security Verification Standard 4.0.3-en.csv │ ├── OWASP Application Security Verification Standard 4.0.3-en.docx │ ├── OWASP Application Security Verification Standard 4.0.3-en.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-en.json │ ├── OWASP Application Security Verification Standard 4.0.3-en.xml │ └── en ├── docs_es │ ├── OWASP Application Security Verification Standard 4.0.3-es.csv │ ├── OWASP Application Security Verification Standard 4.0.3-es.docx │ ├── OWASP Application Security Verification Standard 4.0.3-es.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-es.json │ ├── OWASP Application Security Verification Standard 4.0.3-es.xml │ └── es ├── docs_fr │ ├── OWASP Application Security Verification Standard 4.0.3-fr.csv │ ├── OWASP Application Security Verification Standard 4.0.3-fr.docx │ ├── OWASP Application Security Verification Standard 4.0.3-fr.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-fr.json │ ├── OWASP Application Security Verification Standard 4.0.3-fr.xml │ └── fr ├── docs_it │ ├── OWASP Application Security Verification Standard 4.0.3-it.csv │ ├── OWASP Application Security Verification Standard 4.0.3-it.docx │ ├── OWASP Application Security Verification Standard 4.0.3-it.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-it.json │ ├── OWASP Application Security Verification Standard 4.0.3-it.xml │ └── it ├── docs_pt │ ├── OWASP Application Security Verification Standard 4.0.3-pt.csv │ ├── OWASP Application 
Security Verification Standard 4.0.3-pt.docx │ ├── OWASP Application Security Verification Standard 4.0.3-pt.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-pt.json │ └── OWASP Application Security Verification Standard 4.0.3-pt.xml ├── docs_ru │ ├── OWASP Application Security Verification Standard 4.0.2-ru.docx │ ├── OWASP Application Security Verification Standard 4.0.3-ru.csv │ ├── OWASP Application Security Verification Standard 4.0.3-ru.docx │ ├── OWASP Application Security Verification Standard 4.0.3-ru.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-ru.json │ └── OWASP Application Security Verification Standard 4.0.3-ru.xml ├── docs_zh-cn │ ├── OWASP Application Security Verification Standard 4.0.3-zh-cn.csv │ ├── OWASP Application Security Verification Standard 4.0.3-zh-cn.docx │ ├── OWASP Application Security Verification Standard 4.0.3-zh-cn.flat.json │ ├── OWASP Application Security Verification Standard 4.0.3-zh-cn.json │ └── OWASP Application Security Verification Standard 4.0.3-zh-cn.xml ├── en │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── es │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 
0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ ├── 0x93-Appendix-C_IoT.md │ └── es ├── fr │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── generate-all.sh ├── generate_document.sh ├── images │ ├── asvs_40_levels.png │ ├── license.png │ └── owasp_logo_1c_notext.png ├── it │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── presentations │ ├── ASVS 5.0 – The rise of the 
Security Verification Standard - AppSec Global San Francisco 2022 - Josh Grossman.pdf │ ├── AppSec DC 2019 ASVS 4.0 Final.pptx │ ├── MyDevSecOps Jan 2020 Webinar - ASVS.pptx │ ├── NullCon 2019 ASVS 4.0 Release.pptx │ ├── OWASP Helsinki Sep 2019 ASVS 4.0.pptx │ ├── OWASP Israel Nov 2019 ASVS.pptx │ └── README.md ├── pt │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── ru │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── templates │ └── reference.docx ├── tools │ ├── asvs.py │ ├── cyclonedx.py │ ├── export.py │ ├── install_deps.sh │ └── requirements.txt └── zh-cn │ ├── 0x00-Header.md │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-Using-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 
0x10-V1-Architecture.md │ ├── 0x11-V2-Authentication.md │ ├── 0x12-V3-Session-management.md │ ├── 0x12-V4-Access-Control.md │ ├── 0x13-V5-Validation-Sanitization-Encoding.md │ ├── 0x14-V6-Cryptography.md │ ├── 0x15-V7-Error-Logging.md │ ├── 0x16-V8-Data-Protection.md │ ├── 0x17-V9-Communications.md │ ├── 0x18-V10-Malicious.md │ ├── 0x19-V11-BusLogic.md │ ├── 0x20-V12-Files-Resources.md │ ├── 0x21-V13-API.md │ ├── 0x22-V14-Config.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ └── 0x93-Appendix-C_IoT.md ├── 5.0 ├── .gitignore ├── Makefile ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf ├── docs_en │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.cdx.json │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.csv │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.docx │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.flat.json │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.flat.legacy.json │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.json │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.legacy.csv │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.legacy.json │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.legacy.xml │ ├── OWASP_Application_Security_Verification_Standard_5.0.0_en.xml │ └── en ├── en │ ├── 0x00-Header.yaml │ ├── 0x01-Frontispiece.md │ ├── 0x02-Preface.md │ ├── 0x03-What-is-the-ASVS.md │ ├── 0x04-Assessment_and_Certification.md │ ├── 0x05-For-Users-Of-4.0.md │ ├── 0x10-V1-Encoding-and-Sanitization.md │ ├── 0x11-V2-Validation-and-Business-Logic.md │ ├── 0x12-V3-Web-Frontend-Security.md │ ├── 0x13-V4-API-and-Web-Service.md │ ├── 0x14-V5-File-Handling.md │ ├── 0x15-V6-Authentication.md │ ├── 0x16-V7-Session-Management.md │ ├── 0x17-V8-Authorization.md │ ├── 0x18-V9-Self-contained-Tokens.md │ ├── 0x19-V10-OAuth-and-OIDC.md │ ├── 0x20-V11-Cryptography.md │ ├── 
0x21-V12-Secure-Communication.md │ ├── 0x22-V13-Configuration.md │ ├── 0x23-V14-Data-Protection.md │ ├── 0x24-V15-Secure-Coding-and-Architecture.md │ ├── 0x25-V16-Security-Logging-and-Error-Handling.md │ ├── 0x26-V17-WebRTC.md │ ├── 0x90-Appendix-A_Glossary.md │ ├── 0x91-Appendix-B_References.md │ ├── 0x92-Appendix-C_Cryptography.md │ ├── 0x93-Appendix-D_Recommendations.md │ └── 0x94-Appendix-E_Contributors.md ├── generate-all.sh ├── images │ ├── asvs_40_levels.png │ ├── license.png │ ├── owaspLogo.png │ ├── owasp_logo_1c_notext.png │ └── owasp_logo_header.png ├── mappings │ ├── README.md │ ├── mapping_v4.0.3_to_v5.0.0.yml │ ├── mapping_v4.0.3_to_v5.0.be.yml │ ├── mapping_v5.0.0_to_v4.0.3.yml │ ├── mapping_v5.0.be_to_v4.0.3.yml │ ├── mapping_v5.0.be_to_v5.0.0.yml │ ├── nist.md │ └── v5.0.be_cwe_mapping.json ├── presentations │ └── OWASP-ASVS-v5.0.0-release-at-Global-AppSec-Barcelona-by-Elar-Lang.pdf ├── templates │ ├── eisvogel.tex │ ├── header-eisvogel.tex │ └── reference.docx └── tools │ ├── asvs.py │ ├── cyclonedx.py │ ├── export.py │ ├── generate_document.sh │ └── install_deps.sh ├── COMPILING.md ├── CONTRIBUTING.md ├── LICENSE.md ├── Makefile ├── README.md ├── SUPPORTERS.md ├── Security.md ├── docker ├── Dockerfile └── run.sh ├── hall_of-fame.md └── images ├── 1.png ├── 1.psd ├── 2.png ├── 2.psd ├── 3.png ├── 3.psd ├── 4.png ├── 4.psd ├── 5.png ├── 5.psd ├── 6.png ├── 6.psd ├── old ├── ASVS_uses.png └── levels.png └── supporters ├── apiiro.svg ├── bounce.svg ├── clarifiedlogo.png ├── crestlogo.png ├── forwardseclogo.jpg ├── googlelogo.png ├── jitlogo.svg ├── manicode.svg ├── omegapointlogo.png └── oneconsult.svg /.gitattributes: -------------------------------------------------------------------------------- 1 | # Let git fix markdown files to the appropriate ending for the platform 2 | *.md text 3 | 4 | # Images are blobs. 
Don't touch 5 | *.jpg binary 6 | *.png binary 7 | 8 | # Make git leave Python and shell scripts alone to prevent bugs when running them under Windows Subsystem for Linux bash 9 | *.py -text 10 | *.sh -text 11 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: https://owasp.org/donate/?reponame=www-project-application-security-verification-standard&title=OWASP+Application+Security+Verification+Standard 2 | github: OWASP 3 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/standard-asvs-issue.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Standard ASVS issue 3 | about: This template should be used for all ASVS issues. 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 21 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | This Pull Request relates to issue #... 9 | -------------------------------------------------------------------------------- /.github/workflows/build-and-publish-docker-image.yml: -------------------------------------------------------------------------------- 1 | # Name of this GitHub Actions workflow. 
2 | name: Build & Publish Image 3 | 4 | on: 5 | # Run when called from another workflow (build-documents.yml calls this for pull_request and push events that touch docker/**, so a pull request can trigger a rebuild of the :latest tag before merge, subject to the token's package permissions) 6 | workflow_call: 7 | # Run on demand from the GitHub Actions interface: 8 | workflow_dispatch: {} 9 | 10 | jobs: 11 | build_and_push: 12 | runs-on: ubuntu-latest 13 | permissions: 14 | packages: write 15 | name: Build and publish 16 | steps: 17 | - uses: actions/checkout@v4.1.1 18 | 19 | - name: 'Login to GitHub Container Registry' 20 | uses: docker/login-action@v3.0.0 21 | with: 22 | registry: ghcr.io 23 | username: ${{github.actor}} 24 | password: ${{secrets.GITHUB_TOKEN}} 25 | 26 | - name: 'Build and publish Docker image' 27 | run: | 28 | docker build ./docker/ --tag ghcr.io/owasp/asvs/documentbuilder:latest 29 | docker push ghcr.io/owasp/asvs/documentbuilder:latest 30 | 31 | -------------------------------------------------------------------------------- /.github/workflows/build-documents.yml: -------------------------------------------------------------------------------- 1 | name: Build Documents 2 | 3 | on: 4 | workflow_dispatch: 5 | pull_request: 6 | push: 7 | branches: 8 | - master 9 | 10 | concurrency: 11 | group: ${{ github.workflow }}-${{ github.ref }} 12 | cancel-in-progress: true 13 | 14 | jobs: 15 | filters: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - uses: actions/checkout@v4.1.1 19 | - uses: dorny/paths-filter@v3.0.0 20 | id: filter 21 | with: 22 | filters: | 23 | docker: 24 | - 'docker/**/*' 25 | v5: 26 | - '5.0/**/*' 27 | v4: 28 | - '4.0/**/*' 29 | outputs: 30 | docker: ${{ steps.filter.outputs.docker }} 31 | v4: ${{ steps.filter.outputs.v4 }} 32 | v5: ${{ steps.filter.outputs.v5 }} 33 | 34 | build-image: 35 | if: needs.filters.outputs.docker == 'true' 36 | needs: filters 37 | uses: owasp/asvs/.github/workflows/build-and-publish-docker-image.yml@master 38 | 39 | build-v4: 40 | if: ${{ always() && needs.filters.outputs.v4 == 'true' }} 41 | needs: 42 | - build-image 43 | - filters 44 | uses: owasp/asvs/.github/workflows/create-4.0-outputs.yml@master 45 | 46 | build-v5: 47 
| if: ${{ always() && needs.filters.outputs.v5 == 'true' }} 48 | needs: 49 | - build-image 50 | - filters 51 | uses: owasp/asvs/.github/workflows/create-5.0-outputs.yml@master 52 | -------------------------------------------------------------------------------- /.github/workflows/config/cspell.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "0.2", 3 | "ignorePaths": [ 4 | "**/0x94-Appendix-E_Contributors.md", 5 | "**/LICENSE.md", 6 | "**/SUPPORTERS.md" 7 | ], 8 | "dictionaries": [ 9 | "en_US", 10 | "local-custom" 11 | ], 12 | "dictionaryDefinitions": [ 13 | { 14 | "name": "local-custom", 15 | "path": "local-custom.txt" 16 | } 17 | ] 18 | } 19 | -------------------------------------------------------------------------------- /.github/workflows/config/local-custom.txt: -------------------------------------------------------------------------------- 1 | asvs 2 | ASVS 3 | Elar 4 | Grossman 5 | Manico 6 | Ahnoff 7 | Andalis 8 | Jacquot 9 | Shanni 10 | Prutchi 11 | Iman 12 | Sharafaldin 13 | Yardeni 14 | Sjoerd 15 | Langkemper 16 | Sandro 17 | Gauci 18 | Boberski 19 | Wichers 20 | frontends 21 | metacharacters 22 | scriptable 23 | JNDI 24 | Tsai 25 | exfiltration 26 | HSTS 27 | nosniff 28 | CORB 29 | Referer 30 | tabnabbing 31 | safelisted 32 | hostnames 33 | XSSI 34 | Subresource 35 | NSAPI 36 | Silverlight 37 | NACL 38 | codenames 39 | IDAS 40 | CSPRNG 41 | TOTP 42 | PSTN 43 | CISA 44 | POLP 45 | IDOR 46 | BOPLA 47 | PKCE 48 | backchannel 49 | ciba 50 | FAPI 51 | CHACHA 52 | PKCS 53 | HMAC 54 | Diffie 55 | ECDH 56 | cryptosystem 57 | FIPS 58 | OCSP 59 | Saft 60 | sandboxing 61 | TOCTOU 62 | livelocks 63 | SIEMs 64 | SIEM 65 | Multipoint 66 | Datagram 67 | DTLS 68 | SRTP 69 | CRNG 70 | RTCP 71 | SRTCP 72 | SDLC 73 | SAMM 74 | Cryptobom 75 | TDEA 76 | FFDH 77 | urandom 78 | DRBG 79 | getentropy 80 | codebook 81 | HKDF 82 | secp 83 | MODP 84 | ffdhe 85 | KMAC 86 | CMAC 87 | GMAC 88 | RSSA 89 | mlkem 90 | 
backdoors 91 | documentbuilder 92 | creativecommons -------------------------------------------------------------------------------- /.github/workflows/config/url-checker-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "ignorePatterns": [ 3 | { 4 | "pattern": "changelog" 5 | } 6 | ], 7 | "httpHeaders": [ 8 | { 9 | "urls": [ 10 | "https://", 11 | "http://" 12 | ], 13 | "headers": { 14 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 15 | } 16 | } 17 | ], 18 | "retryOn429": true, 19 | "aliveStatusCodes": [200, 403], 20 | "fallbackRetryDelay": "30s", 21 | "see": "https://github.com/tcort/markdown-link-check#config-file-format" 22 | } 23 | -------------------------------------------------------------------------------- /.github/workflows/create-4.0-outputs.yml: -------------------------------------------------------------------------------- 1 | # Name of this GitHub Actions workflow. 2 | name: Generate 4.0 Outputs 3 | 4 | on: 5 | # Run when called from another workflow (build-documents.yml) 6 | workflow_call: 7 | # Run on demand from the GitHub Actions interface: 8 | workflow_dispatch: {} 9 | 10 | jobs: 11 | prepare_outputs: 12 | runs-on: ubuntu-latest 13 | name: Generate 4.0 outputs 14 | steps: 15 | - uses: docker/login-action@v3.0.0 16 | with: 17 | registry: ghcr.io 18 | username: ${{github.actor}} 19 | password: ${{secrets.GITHUB_TOKEN}} 20 | - uses: actions/checkout@v4.1.1 21 | - run: make 4.0 22 | - uses: actions/upload-artifact@v4.3.0 23 | with: 24 | name: ASVS 4.0.3 25 | path: 4.0/docs_* 26 | -------------------------------------------------------------------------------- /.github/workflows/create-5.0-outputs-debug.yml: -------------------------------------------------------------------------------- 1 | # Name of this GitHub Actions workflow. 
2 | name: Generate 5.0 Outputs (Debug) 3 | 4 | on: 5 | # Run on demand only, from the GitHub Actions interface. The debug job below opens an interactive tmate shell on the runner, so it is gated behind the debug_enabled input; consider also setting the action's limit-access-to-actor input so only the person who dispatched the run can attach. 6 | workflow_dispatch: 7 | inputs: 8 | debug_enabled: 9 | type: boolean 10 | description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)' 11 | required: false 12 | default: false 13 | 14 | jobs: 15 | prepare_container: 16 | uses: owasp/asvs/.github/workflows/create-5.0-outputs.yml@master 17 | 18 | debug: 19 | needs: prepare_container 20 | runs-on: ubuntu-latest 21 | steps: 22 | - name: Setup tmate session 23 | uses: mxschmitt/action-tmate@v3 24 | if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }} 25 | -------------------------------------------------------------------------------- /.github/workflows/create-5.0-outputs.yml: -------------------------------------------------------------------------------- 1 | # Name of this GitHub Actions workflow. 2 | name: Generate 5.0 Outputs 3 | 4 | on: 5 | # Run when called from another workflow (build-documents.yml and create-5.0-outputs-debug.yml) 6 | workflow_call: 7 | # Run on demand from the GitHub Actions interface: 8 | workflow_dispatch: {} 9 | 10 | jobs: 11 | prepare_outputs: 12 | runs-on: ubuntu-latest 13 | name: Generate 5.0 outputs 14 | steps: 15 | - uses: docker/login-action@v3.0.0 16 | with: 17 | registry: ghcr.io 18 | username: ${{github.actor}} 19 | password: ${{secrets.GITHUB_TOKEN}} 20 | - uses: actions/checkout@v4.1.1 21 | - run: make 5.0 22 | - uses: actions/upload-artifact@v4.3.0 23 | with: 24 | name: ASVS 5.0.0 25 | path: 5.0/dist/en/ 26 | -------------------------------------------------------------------------------- /.github/workflows/markdown-linter.yml: -------------------------------------------------------------------------------- 1 | name: Markdown Linter 2 | 3 | on: 4 | # Lint only the files changed in a PR (diff-aware): 5 | pull_request: {} 6 | # Lint mainline branches and report all findings: 7 | push: 8 | branches: ["master", "main"] 9 | 10 | jobs: 11 | markdown-lint-check: 12 | 
runs-on: ubuntu-latest 13 | steps: 14 | - name: Checkout 15 | uses: actions/checkout@v3 16 | with: 17 | fetch-depth: 1 18 | - name: markdownlint-cli 19 | uses: nosborn/github-action-markdown-cli@v2.0.0 20 | with: 21 | files: './5.0*' 22 | config_file: ".markdownlint.jsonc" 23 | ignore_files: "tools, templates, images" 24 | -------------------------------------------------------------------------------- /.github/workflows/spell-check.yml: -------------------------------------------------------------------------------- 1 | name: Spell Check Markdown 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | paths: 8 | - '**/*.md' 9 | - '**/*.markdown' 10 | pull_request: 11 | branches: 12 | - master 13 | paths: 14 | - '**/*.md' 15 | - '**/*.markdown' 16 | workflow_dispatch: 17 | 18 | jobs: 19 | spellcheck: 20 | runs-on: ubuntu-latest 21 | steps: 22 | - name: Checkout code 23 | uses: actions/checkout@v4 24 | 25 | - name: Set up Node.js 26 | uses: actions/setup-node@v4 27 | with: 28 | node-version: '20' 29 | 30 | - name: Install cspell 31 | run: npm install -g cspell 32 | 33 | # cspell config lives in .github/workflows/config/cspell.json. The third-party actions in this job are pinned by tag only; pinning to a full commit SHA protects the build against a tag being moved, which has happened to changed-files in a past supply-chain incident. 34 | 35 | - name: Get changed files (PR only) 36 | if: github.event_name == 'pull_request' 37 | id: files 38 | uses: tj-actions/changed-files@v46 39 | with: 40 | files: | 41 | 5.0/en/**/*.md 42 | *.md 43 | separator: '\n' 44 | 45 | - name: Run cspell on changed files (PR) 46 | if: github.event_name == 'pull_request' && steps.files.outputs.any_changed == 'true' 47 | run: | 48 | # Convert literal '\n' to real newlines for safe file splitting. Note: the ${{ }} expression below is expanded into this script before bash parses it, so file names from the PR become script text rather than data; passing the list through an env: variable and reading "$FILES" here avoids that. 49 | files_string="${{ steps.files.outputs.all_changed_files }}" 50 | files_string="${files_string//\\n/$'\n'}" 51 | files=() 52 | while IFS= read -r file; do 53 | [ -n "$file" ] && files+=("$file") 54 | done <<< "$files_string" 55 | # Exit early if no files to check 56 | if [ ${#files[@]} -eq 0 ]; then 57 | echo "No files to check." 
58 | exit 0 59 | fi 60 | # Run cspell on all changed files; its exit code will control the workflow outcome 61 | cspell --config .github/workflows/config/cspell.json "${files[@]}" 62 | 63 | - name: Run cspell on all markdown files (push to main or manual) 64 | if: github.event_name != 'pull_request' 65 | run: | 66 | cspell --config .github/workflows/config/cspell.json "5.0/en/**/*.md" "*.md" 67 | -------------------------------------------------------------------------------- /.github/workflows/url-checker.yml: -------------------------------------------------------------------------------- 1 | name: URL Checker 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - '5.0/**' 7 | push: 8 | branches: 9 | - master 10 | paths: 11 | - '5.0/**' 12 | workflow_dispatch: 13 | 14 | jobs: 15 | markdown-link-check: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@v4 20 | 21 | - name: Set options 22 | id: options 23 | run: | 24 | if [[ "${{ github.event_name }}" == "pull_request" ]]; then 25 | echo "check-modified-files-only=yes" >> $GITHUB_OUTPUT 26 | echo "use-verbose-mode=yes" >> $GITHUB_OUTPUT 27 | else 28 | echo "check-modified-files-only=no" >> $GITHUB_OUTPUT 29 | echo "use-verbose-mode=no" >> $GITHUB_OUTPUT 30 | fi 31 | 32 | - name: Check URLs 33 | uses: gaurav-nelson/github-action-markdown-link-check@v1 34 | with: 35 | check-modified-files-only: ${{ steps.options.outputs.check-modified-files-only }} 36 | config-file: .github/workflows/config/url-checker-config.json 37 | folder-path: '5.0' 38 | use-quiet-mode: yes 39 | use-verbose-mode: ${{ steps.options.outputs.use-verbose-mode }} 40 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | docker/cert 2 | */build/* 3 | *.db 4 | .DS_Store 5 | .vscode/settings.json 6 | */dist/* 7 | */__pycache__/* 8 | 
-------------------------------------------------------------------------------- /.markdownlint.jsonc: -------------------------------------------------------------------------------- 1 | { 2 | // https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md 3 | 4 | "MD004": {"style": "asterisk"}, // ul-style 5 | "MD007": {"indent": "4"}, // ul-indent 6 | "MD013": false, // line-length 7 | "MD024": {"allow_different_nesting": true}, // no-duplicate-header 8 | "MD026": {"punctuation": ".,;:"}, // no-trailing-punctuation (allows !?) 9 | "MD033": false, // no-inline-html 10 | "MD034": false, // no-bare-urls 11 | "MD035": {"style": "---"}, // hr-style 12 | "MD036": {"punctuation": ".,;:!。"}, // no-emphasis-as-header 13 | "MD041": false, // first-line-h1 14 | "MD046": {"style": "fenced"} , // code-block-style 15 | "MD049": {"style": "underscore"}, // emphasis-style 16 | "MD050": {"style": "asterisk"} // strong-style 17 | 18 | 19 | } -------------------------------------------------------------------------------- /1.0/About_OWASP_ASVS_Executive_Presentation.ppt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/About_OWASP_ASVS_Executive_Presentation.ppt -------------------------------------------------------------------------------- /1.0/OWASP_ASVS_Presentation_Abstract.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/OWASP_ASVS_Presentation_Abstract.doc -------------------------------------------------------------------------------- /1.0/asvs-pictures-pt-br.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-pictures-pt-br.zip 
-------------------------------------------------------------------------------- /1.0/asvs-pictures.odp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-pictures.odp -------------------------------------------------------------------------------- /1.0/asvs-pictures.ppt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-pictures.ppt -------------------------------------------------------------------------------- /1.0/asvs-pictures.vsd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-pictures.vsd -------------------------------------------------------------------------------- /1.0/asvs-scale.vsd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-scale.vsd -------------------------------------------------------------------------------- /1.0/asvs-translating.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-translating.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-alpha-2008.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-alpha-2008.doc -------------------------------------------------------------------------------- /1.0/asvs-webapp-alpha-2008.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-alpha-2008.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-beta-2008.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-beta-2008.doc -------------------------------------------------------------------------------- /1.0/asvs-webapp-beta-2008.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-beta-2008.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-presentation-fr.ppt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-presentation-fr.ppt -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-de.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-de.doc -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-de.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-de.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-en.doc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-en.doc -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-en.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-en.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-fr.odt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-fr.odt -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-fr.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-fr.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-id.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-id.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-jp.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-jp.doc -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-jp.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-jp.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-pl.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-pl.pdf -------------------------------------------------------------------------------- /1.0/asvs-webapp-release-2009-pt-br.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-webapp-release-2009-pt-br.pdf -------------------------------------------------------------------------------- /1.0/asvs-wiki-cover-bug.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-cover-bug.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure1.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure1.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure10.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure10.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure11.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure11.JPG 
-------------------------------------------------------------------------------- /1.0/asvs-wiki-figure2.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure2.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure3.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure3.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure4.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure4.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure5.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure5.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure6.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure6.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure7.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure7.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure8.JPG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure8.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-figure9.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-figure9.JPG -------------------------------------------------------------------------------- /1.0/asvs-wiki-license.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-wiki-license.JPG -------------------------------------------------------------------------------- /1.0/asvs-xml.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-xml.zip -------------------------------------------------------------------------------- /1.0/asvs-xml/asvs.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | ASVS Checklist 13 | 14 | 15 | ASVS Checklist 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | #Description1A1B2A2B34 27 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | x 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /1.0/asvs-xml/odt2asvs.xsl: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | href="asvs.xsl" type="text/xsl" 10 | 11 | 12 | 13 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 35 | 36 | 37 | 38 | 39 | 41 | 43 | 44 | 45 | 46 | 47 | 48 | 
50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | x 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | true 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | -------------------------------------------------------------------------------- /1.0/asvs-xml/readme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/asvs-xml/readme.txt -------------------------------------------------------------------------------- /1.0/owasp-google-code-asvs.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/owasp-google-code-asvs.JPG -------------------------------------------------------------------------------- /1.0/owasp-google-code-asvs.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/owasp-google-code-asvs.doc -------------------------------------------------------------------------------- /1.0/wiki.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/1.0/wiki.zip -------------------------------------------------------------------------------- /2.0/Asvs_2_PL.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/2.0/Asvs_2_PL.xlsx -------------------------------------------------------------------------------- /2.0/OWASPApplicationSecurityVerificationStandard3.0.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/2.0/OWASPApplicationSecurityVerificationStandard3.0.pdf -------------------------------------------------------------------------------- /2.0/OWASP_ASVS_Version_2.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/2.0/OWASP_ASVS_Version_2.docx -------------------------------------------------------------------------------- /2.0/OWASP_ASVS_Version_2_Persian.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/2.0/OWASP_ASVS_Version_2_Persian.pdf -------------------------------------------------------------------------------- /3.0.1/ASVS-excel-v3.0.1.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0.1/ASVS-excel-v3.0.1.xlsx -------------------------------------------------------------------------------- /3.0.1/OWASP Application Security Verification Standard 3.0.1 in Hebrew.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0.1/OWASP Application Security Verification Standard 3.0.1 in Hebrew.pdf -------------------------------------------------------------------------------- /3.0.1/OWASP Application Security Verification Standard 3.0.1.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0.1/OWASP Application Security Verification Standard 3.0.1.docx -------------------------------------------------------------------------------- /3.0.1/OWASP Application Security Verification 
Standard 3.0.1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0.1/OWASP Application Security Verification Standard 3.0.1.pdf -------------------------------------------------------------------------------- /3.0.1/OWASP Application Security Verification Standard Checklist 3.0.1.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0.1/OWASP Application Security Verification Standard Checklist 3.0.1.xlsx -------------------------------------------------------------------------------- /3.0.1/OWASP_Application_Security_Verification_Standard_3.0.1 in Arabic.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0.1/OWASP_Application_Security_Verification_Standard_3.0.1 in Arabic.docx -------------------------------------------------------------------------------- /3.0.1/תקן אימות אבטחת היישומים.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0.1/תקן אימות אבטחת היישומים.docx -------------------------------------------------------------------------------- /3.0/OWASP Application Security Verification Standard 3.0.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/OWASP Application Security Verification Standard 3.0.docx -------------------------------------------------------------------------------- /3.0/OWASP Application Security Verification Standard 3.0.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/OWASP Application Security Verification Standard 3.0.pdf -------------------------------------------------------------------------------- /3.0/drafts/OWASP Application Security Verification Standard 3.0-5.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/drafts/OWASP Application Security Verification Standard 3.0-5.docx -------------------------------------------------------------------------------- /3.0/drafts/OWASP Application Security Verification Standard v3.0.1 Redline.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/drafts/OWASP Application Security Verification Standard v3.0.1 Redline.docx -------------------------------------------------------------------------------- /3.0/spreadsheets/README.md: -------------------------------------------------------------------------------- 1 | Spreadsheet version of ASVS 2 | 3 | We used these in AppSec EU to review each and every control, but these are now out of date. 
4 | 5 | If you want to see the Google Spreadsheets of each of our review, please visit: 6 | 7 | https://drive.google.com/folderview?id=0B4xgbqJzimL4fm11WTdIc2JBUkozTkdsbmZhQk5LTDR4TFgyYlBfQkhQbnZjVlZqQWVaSzA&usp=sharing 8 | 9 | If you want edit access, please send mail to vanderaj@owasp.org 10 | 11 | -------------------------------------------------------------------------------- /3.0/spreadsheets/V02 - Authentication.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V02 - Authentication.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V03 - Session management.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V03 - Session management.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V04 - Access Control.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V04 - Access Control.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V05 - Input validation malicious controls.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V05 - Input validation malicious controls.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V06 - Client Side Security.xlsx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V06 - Client Side Security.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V08 - Error handling.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V08 - Error handling.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V10 - Communications Security.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V10 - Communications Security.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V11 - HTTP Security.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V11 - HTTP Security.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V13 - Malicious Code Controls.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V13 - Malicious Code Controls.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V15 - Business Logic Flaws.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V15 - Business Logic Flaws.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V16 - File and resource.xlsx: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V16 - File and resource.xlsx -------------------------------------------------------------------------------- /3.0/spreadsheets/V17 - Mobile Controls.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/spreadsheets/V17 - Mobile Controls.xlsx -------------------------------------------------------------------------------- /3.0/training/AppSec EU 2016 ASVS 3.0 2 day training.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/3.0/training/AppSec EU 2016 ASVS 3.0 2 day training.pptx -------------------------------------------------------------------------------- /4.0/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | *.pyc 3 | -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.1-fa.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.1-fa.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.1-ja.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.1-ja.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security 
Verification Standard 4.0.1-tr.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.1-tr.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.2-de.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.2-de.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.2-ru.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.2-ru.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-ar.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-ar.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-de.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-de.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-en.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-en.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-es.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-es.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-fr.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-fr.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-it.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-it.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-pt.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-pt.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-ru.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-ru.pdf -------------------------------------------------------------------------------- /4.0/OWASP Application Security Verification Standard 4.0.3-zh-cn.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/OWASP Application Security Verification Standard 4.0.3-zh-cn.pdf -------------------------------------------------------------------------------- /4.0/ar/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # معيار التحقق من أمان التطبيقات 4.0.3 6 | 7 | ## نهائي 8 | 9 | أكتوبر 2021 10 | -------------------------------------------------------------------------------- /4.0/ar/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # البداية 2 | 3 | ## عن المعيار 4 | 5 | معيار التحقق من أمان التطبيقات هو قائمة لمتطلبات أو اختبارات أمان التطبيقات التي يمكن استخدامها من قبل مهندسي معمارية التطبيقات Architecture ، والمطورين ، والمختبرين ومحترفي أمن المعلومات وبائعي الأدوات والمستهلكين لتحديد وبناء واختبار والتحقق من التطبيقات الآمنة. 6 | 7 | ## حقوق الطبع والرخصة 8 | 9 | النسخة 4.0.3 ، أكتوبر 2021 10 | 11 |  12 | 13 | حقوق الطبع محفوظة لمنظمة OWASP 2008 – 2021. تم نشر هذا المستند تحت [Creative Commons Attribution ShareAlike 3.0 license](https://creativecommons.org/licenses/by-sa/3.0/). يجب أن يتم توضيح شروط ترخيص هذا العمل للآخرين عند أي إعادة استخدام أو توزيع. 
14 | 15 | ## قادة المشروع 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## المساهمون الرئيسيون 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## المساهمون والمراجعون الآخرون 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De Schutter | Mike Jang | | | | 46 | 47 | 48 | 49 | إذا كان هناك نقص في القائمة أعلاه، يرجى تسجيل تذكرة في GitHub ليتم أخذها بعين الاعتبار في التحديثات المستقبلية للإصدار 4.x. 50 | 51 | تم بناء معيار التحقق من أمان التطبيقات بتضافر جهود المشاركين في ASVS 1.0 عام 2008 لغاية عام 2016 وصولاً للإصدار 3.0 من هذا المعيار. 
لقد وضع كل من Mike Boberski وJeff Williams وDave Wichers الجزء الأكبر من البنية ومعظم مواد التحقق في ASVS. هناك أيضاً العديد من المساهمين. شكراً لجميع الذين ساهموا سابقاً. للحصول على قائمة شاملة لجميع المساهمين في الإصدارات السابقة، يرجى الرجوع لكل إصدار سابق. 52 | -------------------------------------------------------------------------------- /4.0/ar/0x19-V11-BusLogic.md: -------------------------------------------------------------------------------- 1 | # ت11: منطق الأعمال 2 | 3 | ## الهدف من ضوابط الأمان 4 | 5 | تأكد من أن التطبيق الذي يتم التحقق منه يفي بالمتطلبات عالية المستوى التالية: 6 | 7 | * تدفق منطق الأعمال متسلسل ومعالج بالترتيب ولا يمكن تجاوزه. 8 | * يتضمن منطق الأعمال حدودًا لاكتشاف ومنع الهجمات الآلية ، مثل التحويلات المستمرة للأموال الصغيرة ، أو إضافة مليون صديق واحدًا تلو الآخر ، وما إلى ذلك. 9 | * تدفقات منطق الأعمال ذات القيمة العالية تأخذ بعين الاعتبار حالات الإساءة abuse cases والجهات الفاعلة الخبيثة ، ولديها وسائل حماية ضد الانتحال spoofing والعبث tampering والكشف عن المعلومات information disclosure وهجمات رفع الصلاحيات elevation of privilege attacks. 10 | 11 | ## ق1.11 أمان منطق الأعمال 12 | 13 | يعتبر أمن منطق الأعمال فرديًا جدًا لكل تطبيق بحيث لن يتم تطبيق قائمة تحقق واحدة على الإطلاق. يجب تصميم أمان منطق الأعمال للحماية من التهديدات الخارجية المحتملة - لا يمكن إضافته باستخدام جدران حماية تطبيقات الويب أو الاتصالات الآمنة. نوصي باستخدام نمذجة التهديد threat modeling أثناء سباقات التصميم design sprints ، على سبيل المثال باستخدام OWASP Cornucopia أو أدوات مماثلة. 14 | 15 | | # | التوصيف | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---:| :---: | :---: | 17 | | **1.1.11** | تحقق من أن التطبيق سيعالج فقط تدفقات منطق الأعمال لنفس المستخدم بترتيب خطوات متسلسل وبدون تخطي الخطوات. 
| ✓ | ✓ | ✓ | 841 | 18 | | **2.1.11** | تحقق من أن التطبيق سيعالج تدفقات منطق الأعمال فقط مع معالجة جميع الخطوات في وقت بشري واقعي ، أي لا يتم إرسال المعامَلات transactions بسرعة كبيرة.| ✓ | ✓ | ✓ | 799 | 19 | | **3.1.11** | تحقق من أن التطبيق لديه حدود مناسبة لإجراءات أو معاملات transactions تجارية معينة يتم فرضها بشكل صحيح على أساس كل مستخدم. | ✓ | ✓ | ✓ | 770 | 20 | | **4.1.11** | تحقق من أن التطبيق يحتوي على ضوابط لمكافحة الأتمتة ضد الاستدعاءات المفرطة مثل استخراج البيانات الجماعية mass data exfiltration ، أو طلبات منطق العمل business logic requests ، أو رفع الملفات ، أو هجمات تعطيل الخدمة denial of service attacks. | ✓ | ✓ | ✓ | 770 | 21 | | **5.1.11** | تحقق من أن التطبيق يحتوي على حدود منطق الأعمال أو التحقق من الصحة للحماية من مخاطر أو تهديدات الأعمال المحتملة ، والتي تم تحديدها باستخدام نمذجة التهديد أو منهجيات مماثلة. | ✓ | ✓ | ✓ | 841 | 22 | | **6.1.11** | تحقق من أن التطبيق لا يعاني من مشكلات "وقت التحقق حتى وقت الاستخدام Time Of Check to Time Of Use" (TOCTOU) أو ظروف السباق الأخرى race conditions للعمليات الحساسة. | | ✓ | ✓ | 367 | 23 | | **7.1.11** | تحقق من مراقبة التطبيق للأحداث أو الأنشطة غير العادية من منظور منطق الأعمال. على سبيل المثال ، محاولات تنفيذ إجراءات خارج الترتيب المتوقع أو إجراءات لن يحاول المستخدم العادي تنفيذها أبدًا. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 754 | 24 | | **8.1.11** | تحقق من أن التطبيق يحتوي على تنبيهات قابلة للتكوين configurable alerting عند اكتشاف هجمات آلية أو نشاط غير عادي. 
| | ✓ | ✓ | 390 | 25 | 26 | ## المراجع 27 | 28 | لمزيد من المعلومات، يمكن أيضاً الاطلاع على: 29 | 30 | * [OWASP Web Security Testing Guide 4.1: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) 31 | * يمكن تحقيق مكافحة الأتمتة بعدة طرق ، بما في ذلك استخدام [OWASP AppSensor](https://github.com/jtmelton/appsensor) و[OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) 32 | * يمكن لـ [OWASP AppSensor](https://github.com/jtmelton/appsensor) أيضاً المساعدة في اكتشاف الهجمات والاستجابة لها. 33 | * [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) 34 | -------------------------------------------------------------------------------- /4.0/ar/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # الملحق ب: المراجع 2 | 3 | من المرجح أن تكون مشاريع OWASP التالية مفيدة لمستخدمي / متبني هذا المعيار: 4 | 5 | ## مشاريع أواسب الأساسية 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## مشروع أواسب لمجموعة أوراق المناقشة 14 | 15 | يحتوي هذا [المشروع](https://owasp.org/www-project-cheat-sheets/) على عدد من أوراق المناقشة التي ستكون ذات صلة بمواضيع مختلفة في ASVS. 
16 | 17 | يوجد تعيين لـ ASVS يمكن العثور عليه هنا: [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## المشاريع المتعلقة بأمن الجوال 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## مشاريع أواسب المتعلقة بانترنت الأشياء 26 | 27 | 1. OWASP Internet of Things Project: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## مشاريع أواسب بدون خادم Serverless OWASP Serverless projects 30 | 31 | 1. OWASP Serverless Project: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## مشاريع أخرى 34 | 35 | وبالمثل ، من المرجح أن تكون مواقع الويب التالية مفيدة لمستخدمي / متبني هذا المعيار 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI Security Standards Council: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. 
PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/de/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # Application Security Verification Standard 4.0.3 6 | 7 | ## Finale Version 8 | 9 | Oktober 2021 10 | -------------------------------------------------------------------------------- /4.0/de/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontispiece 2 | 3 | ## Über diesen Standard 4 | 5 | Der Application Security Verification Standard ist eine Sammlung von Anforderungen und Tests an die Sicherheit von Anwendungen, die Architekten, Entwickler, Sicherheitsexperten, Toolhersteller und Verbraucher verwenden können, um sichere Anwendungen zu definieren, zu erstellen, zu testen und zu verifizieren. 6 | 7 | ## Copyright and License 8 | 9 | Version 4.0.3, Oktober 2021 10 | 11 |  12 | 13 | Copyright © 2008-2021 The OWASP Foundation. Dieses Dokument wird lizensiert unter [Creative Commons Attribution ShareAlike 3.0 license](https://creativecommons.org/licenses/by-sa/3.0/). Für jedwede Wiederverwendung oder Verbreitung müssen die Lizenzbedingungen dieses Dokumentes an die jeweiligen Dritten kommuniziert werden. 
14 | 15 | ## Projektleitung 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## Hauptautoren 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## Weitere Autoren und Reviews von 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De Schutter | Mike Jang | | | | 46 | 47 | Sollte ein Dank fehlen, eröffne bitte ein Ticket bei GitHub, so dass er in künftigen Updates berücksichtigt werden kann. 48 | 49 | Der Application Security Verification Standard 4.0 wurde von denjenigen aufgebaut, die bei ASVS 1.0 im Jahre 2008 bis 3.0 im Jahre 2016 mitgewirkt haben. 
Viele der Struktur- und Prüfungselemente, die im heutigen ASVS immer noch vorhanden sind, wurden ursprünglich von Mike Boberski, Jeff Williams und Dave Wichers geschrieben. Es gibt aber noch viele andere Mitwirkende. Dank all denen, die sich bisher eingebracht haben. Für die umfassende Liste aller, die Beiträge zu früheren Versionen geleistet haben, verweisen wir auf die jeweilige Vorversion. 50 | -------------------------------------------------------------------------------- /4.0/de/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Anhang B: Referenzen 2 | 3 | Die folgenden OWASP-Projekte könnten für die Anwender des ASVS nützlich sein: 4 | 5 | ## OWASP Kernprojekte 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## OWASP Cheat Sheet Series project 14 | 15 | [Das Cheat Sheet Projekt](https://owasp.org/www-project-cheat-sheets/) stellt für viele Bereiche eine Vielzahl von Hilfsmitteln bereit. 16 | 17 | Die Übersicht befindet sich unter: [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## Mobile Security Projekte 20 | 21 | 1. 
OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## OWASP Internet of Things Projekte 26 | 27 | 1. OWASP Internet of Things Project: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## OWASP Serverless Projekte 30 | 31 | 1. OWASP Serverless Projekte: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Andere 34 | 35 | Die folgenden Webseiten außerhalb der OWASP könnten für die Nutzer des ASVS interessant sein: 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI Security Standards Council: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. 
PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/docs_de/OWASP Application Security Verification Standard 4.0.2-de.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_de/OWASP Application Security Verification Standard 4.0.2-de.docx -------------------------------------------------------------------------------- /4.0/docs_de/OWASP Application Security Verification Standard 4.0.3-de.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_de/OWASP Application Security Verification Standard 4.0.3-de.docx -------------------------------------------------------------------------------- /4.0/docs_de/de: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_de/de -------------------------------------------------------------------------------- /4.0/docs_en/OWASP Application Security Verification Standard 4.0.3-en.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_en/OWASP Application Security Verification Standard 4.0.3-en.docx -------------------------------------------------------------------------------- /4.0/docs_en/en: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_en/en -------------------------------------------------------------------------------- /4.0/docs_es/OWASP Application Security Verification Standard 4.0.3-es.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_es/OWASP Application Security Verification Standard 4.0.3-es.docx -------------------------------------------------------------------------------- /4.0/docs_es/es: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /4.0/docs_fr/OWASP Application Security Verification Standard 4.0.3-fr.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_fr/OWASP Application Security Verification Standard 4.0.3-fr.docx -------------------------------------------------------------------------------- /4.0/docs_fr/fr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_fr/fr -------------------------------------------------------------------------------- /4.0/docs_it/OWASP Application Security Verification Standard 4.0.3-it.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_it/OWASP Application Security Verification Standard 4.0.3-it.docx -------------------------------------------------------------------------------- /4.0/docs_it/it: -------------------------------------------------------------------------------- 1 | 2 | 
-------------------------------------------------------------------------------- /4.0/docs_pt/OWASP Application Security Verification Standard 4.0.3-pt.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_pt/OWASP Application Security Verification Standard 4.0.3-pt.docx -------------------------------------------------------------------------------- /4.0/docs_ru/OWASP Application Security Verification Standard 4.0.2-ru.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_ru/OWASP Application Security Verification Standard 4.0.2-ru.docx -------------------------------------------------------------------------------- /4.0/docs_ru/OWASP Application Security Verification Standard 4.0.3-ru.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_ru/OWASP Application Security Verification Standard 4.0.3-ru.docx -------------------------------------------------------------------------------- /4.0/docs_zh-cn/OWASP Application Security Verification Standard 4.0.3-zh-cn.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/docs_zh-cn/OWASP Application Security Verification Standard 4.0.3-zh-cn.docx -------------------------------------------------------------------------------- /4.0/en/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # Application Security Verification Standard 4.0.3 6 | 7 | ## Final 8 | 9 | October 2021 10 | -------------------------------------------------------------------------------- 
/4.0/en/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontispiece 2 | 3 | ## About the Standard 4 | 5 | The Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, tool vendors, and consumers to define, build, test and verify secure applications. 6 | 7 | ## Copyright and License 8 | 9 | Version 4.0.3, October 2021 10 | 11 |  12 | 13 | Copyright © 2008-2021 The OWASP Foundation. This document is released under the [Creative Commons Attribution ShareAlike 3.0 license](https://creativecommons.org/licenses/by-sa/3.0/). For any reuse or distribution, you must make clear to others the license terms of this work. 14 | 15 | ## Project Leads 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## Major Contributors 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## Other Contributors and Reviewers 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | 
Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De Schutter | Mike Jang | | | | 46 | 47 | 48 | 49 | If a credit is missing from the 4.0.3 credit list above, please log a ticket at GitHub to be recognized in future updates. 50 | 51 | The Application Security Verification Standard is built upon the shoulders of those involved from ASVS 1.0 in 2008 to 3.0 in 2016. Much of the structure and verification items that are still in the ASVS today were originally written by Mike Boberski, Jeff Williams and Dave Wichers, but there are many more contributors. Thank you to all those previously involved. For a comprehensive list of all those who have contributed to earlier versions, please consult each prior version. 52 | -------------------------------------------------------------------------------- /4.0/en/0x12-V4-Access-Control.md: -------------------------------------------------------------------------------- 1 | # V4 Access Control 2 | 3 | ## Control Objective 4 | 5 | Authorization is the concept of allowing access to resources only to those permitted to use them. Ensure that a verified application satisfies the following high level requirements: 6 | 7 | * Persons accessing resources hold valid credentials to do so. 8 | * Users are associated with a well-defined set of roles and privileges. 9 | * Role and permission metadata is protected from replay or tampering. 
10 | 11 | ## Security Verification Requirements 12 | 13 | ## V4.1 General Access Control Design 14 | 15 | | # | Description | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---:| :---: | :---: | 17 | | **4.1.1** | Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed. | ✓ | ✓ | ✓ | 602 | 18 | | **4.1.2** | Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. | ✓ | ✓ | ✓ | 639 | 19 | | **4.1.3** | Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 285 | 20 | | **4.1.4** | [DELETED, DUPLICATE OF 4.1.3] | | | | | 21 | | **4.1.5** | Verify that access controls fail securely including when an exception occurs. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 285 | 22 | 23 | ## V4.2 Operation Level Access Control 24 | 25 | | # | Description | L1 | L2 | L3 | CWE | 26 | | :---: | :--- | :---: | :---:| :---: | :---: | 27 | | **4.2.1** | Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records. | ✓ | ✓ | ✓ | 639 | 28 | | **4.2.2** | Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality. 
| ✓ | ✓ | ✓ | 352 | 29 | 30 | ## V4.3 Other Access Control Considerations 31 | 32 | | # | Description | L1 | L2 | L3 | CWE | 33 | | :---: | :--- | :---: | :---:| :---: | :---: | 34 | | **4.3.1** | Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use. | ✓ | ✓ | ✓ | 419 | 35 | | **4.3.2** | Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders. | ✓ | ✓ | ✓ | 548 | 36 | | **4.3.3** | Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud. | | ✓ | ✓ | 732 | 37 | 38 | ## References 39 | 40 | For more information, see also: 41 | 42 | * [OWASP Testing Guide 4.0: Authorization](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/README.html) 43 | * [OWASP Cheat Sheet: Access Control](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html) 44 | * [OWASP CSRF Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) 45 | * [OWASP REST Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) 46 | -------------------------------------------------------------------------------- /4.0/en/0x19-V11-BusLogic.md: -------------------------------------------------------------------------------- 1 | # V11 Business Logic 2 | 3 | ## Control Objective 4 | 5 | Ensure that a verified application satisfies the following high level requirements: 6 | 7 | * The business logic flow is sequential, processed in order, and cannot be bypassed. 
8 | * Business logic includes limits to detect and prevent automated attacks, such as continuous small funds transfers, or adding a million friends one at a time, and so on. 9 | * High value business logic flows have considered abuse cases and malicious actors, and have protections against spoofing, tampering, information disclosure, and elevation of privilege attacks. 10 | 11 | ## V11.1 Business Logic Security 12 | 13 | Business logic security is so individual to every application that no one checklist will ever apply. Business logic security must be designed in to protect against likely external threats - it cannot be added using web application firewalls or secure communications. We recommend the use of threat modeling during design sprints, for example using the OWASP Cornucopia or similar tools. 14 | 15 | | # | Description | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---:| :---: | :---: | 17 | | **11.1.1** | Verify that the application will only process business logic flows for the same user in sequential step order and without skipping steps.| ✓ | ✓ | ✓ | 841 | 18 | | **11.1.2** | Verify that the application will only process business logic flows with all steps being processed in realistic human time, i.e. transactions are not submitted too quickly.| ✓ | ✓ | ✓ | 799 | 19 | | **11.1.3** | Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis. | ✓ | ✓ | ✓ | 770 | 20 | | **11.1.4** | Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltration, business logic requests, file uploads or denial of service attacks. | ✓ | ✓ | ✓ | 770 | 21 | | **11.1.5** | Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies. 
| ✓ | ✓ | ✓ | 841 | 22 | | **11.1.6** | Verify that the application does not suffer from "Time Of Check to Time Of Use" (TOCTOU) issues or other race conditions for sensitive operations. | | ✓ | ✓ | 367 | 23 | | **11.1.7** | Verify that the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 754 | 24 | | **11.1.8** | Verify that the application has configurable alerting when automated attacks or unusual activity is detected. | | ✓ | ✓ | 390 | 25 | 26 | ## References 27 | 28 | For more information, see also: 29 | 30 | * [OWASP Web Security Testing Guide 4.1: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) 31 | * Anti-automation can be achieved in many ways, including the use of [OWASP AppSensor](https://github.com/jtmelton/appsensor) and [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) 32 | * [OWASP AppSensor](https://github.com/jtmelton/appsensor) can also help with Attack Detection and Response. 33 | * [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) 34 | -------------------------------------------------------------------------------- /4.0/en/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Appendix B: References 2 | 3 | The following OWASP projects are most likely to be useful to users/adopters of this standard: 4 | 5 | ## OWASP Core Projects 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. 
OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## OWASP Cheat Sheet Series project 14 | 15 | [This project](https://owasp.org/www-project-cheat-sheets/) has a number of cheat sheets which will be relevant for different topics in the ASVS. 16 | 17 | There is a mapping to the ASVS which can be found here: [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## Mobile Security Related Projects 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## OWASP Internet of Things related projects 26 | 27 | 1. OWASP Internet of Things Project: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## OWASP Serverless projects 30 | 31 | 1. 
OWASP Serverless Project: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Others 34 | 35 | Similarly, the following web sites are most likely to be useful to users/adopters of this standard 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI Security Standards Council: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. 
PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/es/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # Application Security Verification Standard 4.0.3 6 | 7 | ## Final 8 | 9 | Octubre 2021 10 | -------------------------------------------------------------------------------- /4.0/es/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontispicio 2 | 3 | ## Acerca del Estándar 4 | 5 | El Estándar de Verificación de Seguridad en Aplicaciones (ASVS; por sus siglas en inglés) es una lista de requisitos o pruebas de seguridad en aplicaciones que puede ser utilizado por arquitectos, desarrolladores, probadores, profesionales de la seguridad, proveedores de herramientas y consumidores para definir, construir, probar y verificar aplicaciones seguras. 6 | 7 | ## Derechos de Autor y Licencia 8 | 9 | Version 4.0.3, Octubre 2021 10 | 11 |  12 | 13 | Copyright © 2008-2021 The OWASP Foundation. Este documento se publica bajo el [Creative Commons Attribution ShareAlike 3.0 license](https://creativecommons.org/licenses/by-sa/3.0/). Para cualquier reutilización o distribución, debe dejar claro a otros los términos de licencia de este trabajo. 
14 | 15 | ## Líderes de Proyecto 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## Principales Colaboradores 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## Otros Colaboradores y Revisores 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De Schutter | Mike Jang | | | | 46 | 47 | 48 | 49 | Si falta un crédito en la lista de créditos de la 4.0.3 que aparece arriba, registre un ticket en GitHub para que se le reconozca en futuras actualizaciones. 
50 | 51 | El Estándar de Verificación de Seguridad de Aplicaciones está construido sobre los hombros de aquellos que participaron desde el ASVS 1.0 en 2008 hasta el 3.0 en 2016. Gran parte de la estructura y de los elementos de verificación que todavía están en el ASVS hoy fueron escritos originalmente por Mike Boberski, Jeff Williams y Dave Wichers, pero hay muchos más contribuyentes. Gracias a todos los que han participado anteriormente. Para obtener una lista completa de todos aquellos que han contribuido a versiones anteriores, por favor consulte cada versión anterior. 52 | -------------------------------------------------------------------------------- /4.0/es/0x19-V11-BusLogic.md: -------------------------------------------------------------------------------- 1 | # V11 Lógica de Negocio 2 | 3 | ## Objetivo de Control 4 | 5 | Asegúrese de que una aplicación verificada cumple los siguientes requisitos de alto nivel: 6 | 7 | * El flujo de lógica de negocios es secuencial, se procesa en orden y no se puede omitir. 8 | * La lógica empresarial incluye límites para detectar y prevenir ataques automatizados, como transferencias continuas de montos pequeños, o agregar un millón de amigos de uno en uno, etc. 9 | * Los flujos de lógica de negocios de alto valor han considerado casos de abuso y actores malintencionados, y tienen protecciones contra la suplantación, manipulación, divulgación de información y ataques de elevación de privilegios. 10 | 11 | ## V11.1 Seguridad de la Lógica de Negocio 12 | 13 | La seguridad de la lógica de negocio es tan individual en todas las aplicaciones, que ningún checklist se puede aplicar. La seguridad de la lógica empresarial debe diseñarse para proteger contra amenazas externas probables: no se puede agregar mediante firewalls de aplicaciones web ni comunicaciones seguras. Recomendamos el uso de modelado de amenazas durante los sprints de diseño, por ejemplo, utilizando la herramienta Cornucopia OWASP o herramientas similares. 
14 | 15 | | # | Descripción | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---:| :---: | :---: | 17 | | **11.1.1** | Verificar que la aplicación solo procesará flujos de la lógica de negocio para el mismo usuario en orden de pasos secuenciales y sin omitir pasos.| ✓ | ✓ | ✓ | 841 | 18 | | **11.1.2** | Verificar que la aplicación solo procesará flujos de lógica de negocios con todos los pasos que se procesan en tiempo humano realista, es decir, las transacciones no se envían demasiado rápido.| ✓ | ✓ | ✓ | 799 | 19 | | **11.1.3** | Verificar que la aplicación tiene límites adecuados para acciones o transacciones de negocio específicas, y que se aplican correctamente con base en los usuarios. | ✓ | ✓ | ✓ | 770 | 20 | | **11.1.4** | Verifique que la aplicación tenga controles anti-automatización para proteger contra llamadas excesivas, como exfiltración masiva de datos, solicitudes de lógica empresarial, carga de archivos o ataques de denegación de servicio. | ✓ | ✓ | ✓ | 770 | 21 | | **11.1.5** | Verificar que la aplicación tiene límites de lógica empresarial o validación para protegerse contra riesgos o amenazas empresariales probables, identificados mediante el modelado de amenazas o metodologías similares. | ✓ | ✓ | ✓ | 841 | 22 | | **11.1.6** | Verifique que la aplicación no tenga problemas de "Time Of Check to Time Of Use" (TOCTOU) u otras race conditions para operaciones sensibles. | | ✓ | ✓ | 367 | 23 | | **11.1.7** | Verificar que la aplicación supervisa eventos o actividades inusuales desde una perspectiva de lógica de negocios. Por ejemplo, los intentos de realizar acciones fuera de servicio o acciones que un usuario normal nunca intentaría. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 754 | 24 | | **11.1.8** | Verificar que la aplicación tiene alertas configurables cuando se detectan ataques automatizados o actividad inusual. 
| | ✓ | ✓ | 390 | 25 | 26 | ## Referencias 27 | 28 | Para obtener más información, véase también: 29 | 30 | * [OWASP Web Security Testing Guide 4.1: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) 31 | * Anti-automation can be achieved in many ways, including the use of [OWASP AppSensor](https://github.com/jtmelton/appsensor) and [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) 32 | * [OWASP AppSensor](https://github.com/jtmelton/appsensor) can also help with Attack Detection and Response. 33 | * [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) 34 | -------------------------------------------------------------------------------- /4.0/es/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Apéndice B: Referencias 2 | 3 | Es más probable que los siguientes proyectos de OWASP sean útiles para los usuarios/adoptantes de esta norma: 4 | 5 | ## Principales Proyectos OWASP 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. 
OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## OWASP Cheat Sheet Series project 14 | 15 | [Este proyecto](https://owasp.org/www-project-cheat-sheets/) tiene una serie de hojas de trucos que serán relevantes para diferentes temas en el ASVS. 16 | 17 | Hay un mapping entre cheat sheet y ASVS, que se puede encontrar aquí : [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## Proyectos relacionados con la seguridad de móviles 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## Proyectos de OWASP relacionados con el Internet de las cosas 26 | 27 | 1. OWASP Internet of Things Project: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## Proyectos OWASP Serverless 30 | 31 | 1. OWASP Serverless Project: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Otros 34 | 35 | Del mismo modo, es más probable que los siguientes sitios web sean útiles para los usuarios/adoptantes de este estándar 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI Security Standards Council: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. 
PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/es/es: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /4.0/fr/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # Application Security Verification Standard 4.0.3 6 | 7 | ## Final 8 | 9 | Octobre 2021 10 | -------------------------------------------------------------------------------- /4.0/fr/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontispice 2 | 3 | ## À propos de la norme 4 | 5 | Le référentiel de vérification de la sécurité des applications est une liste d'exigences ou de tests de sécurité des applications qui peut être utilisée par les architectes, les développeurs, les testeurs, les professionnels de la sécurité, les fournisseurs d'outils et les utilisateurs pour définir, construire, tester et vérifier des applications sécurisées. 6 | 7 | ## Copyright et licence 8 | 9 | Version 4.0.3, Octobre 2021 10 | 11 |  12 | 13 | Copyright © 2008-2022 La Fondation OWASP. 
Ce document est publié sous la [licence Creative Commons Attribution ShareAlike 3.0](https://creativecommons.org/licenses/by-sa/3.0/). Pour toute réutilisation ou distribution, vous devez indiquer clairement aux autres les termes de la licence de ce travail. 14 | 15 | ## Chefs de projet 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## Principaux contributeurs 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## Contributeurs et relecteurs 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De Schutter | Mike Jang | | | | 46 | 47 | 48 | 49 | S'il manque un crédit dans la liste des crédits 4.0.3 ci-dessus, veuillez 
enregistrer un ticket sur GitHub pour être reconnu dans les futures mises à jour. 50 | 51 | Le référentiel de vérification de la sécurité des applications repose sur les épaules des personnes concernées, de ASVS 1.0 en 2008 à 3.0 en 2016. Une grande partie de la structure et des éléments de vérification qui sont encore dans l'ASVS aujourd'hui ont été écrits à l'origine par Mike Boberski, Jeff Williams et Dave Wichers, mais il y a beaucoup plus de contributeurs. Merci à tous ceux qui y ont participé précédemment. Pour une liste complète de tous ceux qui ont contribué aux versions précédentes, veuillez consulter chaque version antérieure. 52 | -------------------------------------------------------------------------------- /4.0/fr/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Annexe B : Références 2 | 3 | Les projets suivants de l'OWASP sont les plus susceptibles d'être utiles aux utilisateurs/adopteurs de cette norme : 4 | 5 | ## Projets de base de l'OWASP 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## Projet OWASP Cheat Sheet Series 14 | 15 | [This project](https://cheatsheetseries.owasp.org/) has a number of cheat sheets which will be relevant for different topics in the ASVS. 
16 | 17 | Vous trouverez ici une correspondance avec l'ASVS : [https://github.com/OWASP/CheatSheetSeries/blob/master/IndexASVS.md](https://github.com/OWASP/CheatSheetSeries/blob/master/IndexASVS.md) 18 | 19 | ## Projets liés à la sécurité mobile 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## Projets liés à l'Internet des objets de l'OWASP 26 | 27 | 1. Projet OWASP "Internet of Things" : [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project](https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project) 28 | 29 | ## Projets OWASP sans serveur 30 | 31 | 1. OWASP Serverless Project: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Autres 34 | 35 | De même, les sites web suivants sont les plus susceptibles d'être utiles aux utilisateurs/adopteurs de cette norme 36 | 37 | 1. SecListes Github : [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Dénombrement des faiblesses communes : [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. Conseil des normes de sécurité PCI : [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. Norme de sécurité des données PCI (DSS) v3.2.1 Exigences et procédures d'évaluation de la sécurité : [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. 
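PCI Software Security Framework - Exigences et procédures d'évaluation des logiciels sécurisés : [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. Exigences et procédures d'évaluation du PCI Secure Software Lifecycle (Secure SLC) : [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/generate-all.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Export the ASVS requirement set for one or more languages (JSON, CycloneDX
# JSON, flat JSON, XML, CSV) through tools/export.py, then build the document
# for each language with ./generate_document.sh.
#
# Usage: ./generate-all.sh [lang ...]
#   With no arguments every language in ALLOWED_LANGS is processed.
#
# Only codes in ALLOWED_LANGS are accepted. The language code is spliced into
# output file paths and passed as a command-line argument to other tools, so
# this allow-list is what keeps arbitrary caller input out of those places;
# anything else is reported on stderr and skipped.

ALLOWED_LANGS='ar de en es fr pt ru zh-cn it'

echo "$@"

# Languages requested on the command line, or the full allow-list by default.
if [[ -n "$*" ]]; then
    LANGS=("$@")
else
    # Intentional word-splitting of the space-separated allow-list.
    LANGS=(${ALLOWED_LANGS})
fi

vers="4.0.3"

for lang in "${LANGS[@]}"; do
    # Surrounding spaces make the comparison exact (e.g. "zh" must not match "zh-cn").
    if [[ " ${ALLOWED_LANGS} " != *" ${lang} "* ]]; then
        echo "Skipping unknown language '${lang}' (allowed: ${ALLOWED_LANGS})" >&2
        continue
    fi

    verslong="./docs_${lang}/OWASP Application Security Verification Standard ${vers}-${lang}"

    # Each format is written to a file and then the export is re-run with
    # --verify-only true (presumably a validation pass; see tools/export.py).
    python3 tools/export.py --format json --language "$lang" > "$verslong.json"
    python3 tools/export.py --format cdx_json --language "$lang" > "$verslong.cdx.json"
    python3 tools/export.py --format json --language "$lang" --verify-only true

    python3 tools/export.py --format json_flat --language "$lang" > "$verslong.flat.json"
    python3 tools/export.py --format json_flat --language "$lang" --verify-only true

    python3 tools/export.py --format xml --language "$lang" > "$verslong.xml"
    python3 tools/export.py --format xml --language "$lang" --verify-only true

    python3 tools/export.py --format csv --language "$lang" > "$verslong.csv"
    python3 tools/export.py --format csv --language "$lang" --verify-only true

    ./generate_document.sh "$lang" "$vers"
done
--------------------------------------------------------------------------------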
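/4.0/generate_document.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Convert the ASVS markdown of one language directory into a .docx with pandoc.
#
# Usage: ./generate_document.sh [lang] [version]
#   lang     directory holding the markdown files (default: en)
#   version  version string used in the output file name (default: 4.0)
#
# Exits non-zero when pandoc is missing or the language directory does not
# exist, so a caller (e.g. generate-all.sh) can detect a failed build instead
# of seeing a success status after an error message.

echo "OWASP Markdown Conversion Tool"
echo ""

# True when the named command can be found on PATH.
function command_exists () {
    command -v "$1" >/dev/null 2>&1
}

if ! command_exists pandoc; then
    echo "Error: Please install pandoc. Cannot continue" >&2
    exit 1
fi

# Build ../docs_$1/...-$1.docx from every *.md in the current directory and
# print the manual post-processing steps.
#   $1 language code, $2 version string
generate_docx() {
    pandoc -s -f gfm --reference-doc=../templates/reference.docx --columns 10000 --toc -t docx -o "../docs_$1/OWASP Application Security Verification Standard $2-$1.docx" *.md
    echo " done."
    echo -e ""
    echo -e "Note: If you got an error 'Invalid UTF-8 stream', make sure you are on the newest version of pandoc from the project website (not just the OS package repo)"
    echo -e ""
    echo -e "DOCX GENERATION MANUAL STEPS"
    echo -e "----------------------------"
    echo -e "After the docx file has been generated, do the following:"
    echo -e " - Select 'No' in the first prompt that appears"
    echo -e " - Move the 'Table of Contents' section to be just before the 'Frontispiece' section."
    echo -e " - Select the document heading (one of the first lines in the document) which should say: 'OWASP Application"
    echo -e " Security Verification Standard $2', go to 'Paragraph' > 'Line and Page Breaks' and"
    echo -e " deselect 'Page break before'"
    echo -e " - Go to 'File' > 'Info' and set the 'Title' field to be 'OWASP Application Security Verification Standard $2'"
    echo -e " - Run the following VBA macro to fix Table settings:"
    echo -e " "
    echo -e " Dim tbl As Table"
    echo -e " For Each tbl In ActiveDocument.Tables"
    echo -e " tbl.Rows(1).HeadingFormat = True"
    echo -e " tbl.Rows.AllowBreakAcrossPages = False"
    echo -e " Next tbl"
    echo -e " "
    echo -e " - Manually review the document and move any orphaned table headings or section headings to the"
    echo -e " following page"
    echo -e " - Run 'Update table...' on the Table of Contents"
    echo -e " - Remove the lines above 'Frontispiece' from the Table of Contents"
}

# generate_html() {
#     pandoc -s -f markdown_github -t html5 -o "../OWASP Application Security Verification Standard 4.0-$1.html" *.md
# }

# Positional arguments with their defaults.
lang="${1:-en}"
vers="${2:-4.0}"

echo -n "Generating OWASP ASVS $vers ($lang)..."
if [ -d "$lang" ]; then
    # The directory check above is the only validation of $lang before it is
    # used as a path; refuse to continue if the cd itself fails.
    cd "$lang" || exit 1
    generate_docx "$lang" "$vers"
    # generate_html "$lang"
    cd ..
else
    echo " No OWASP ASVS found in directory $lang" >&2
    exit 1
fi

echo
echo "Generated OWASP Application Security Verification Standard $vers"
-------------------------------------------------------------------------------- /4.0/images/asvs_40_levels.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/images/asvs_40_levels.png -------------------------------------------------------------------------------- /4.0/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/images/license.png -------------------------------------------------------------------------------- /4.0/images/owasp_logo_1c_notext.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/images/owasp_logo_1c_notext.png -------------------------------------------------------------------------------- /4.0/it/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # Application Security Verification Standard 4.0.3 6 | 7 | ## Final 8 | 9 | Ottobre 2021 10 | -------------------------------------------------------------------------------- /4.0/it/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontespizio 2 | 3 | ## Riguardo allo standard 4 | 5 | La Application Security Verification Standard è una lista di requisiti o test per la sicurezza delle applicazioni che può essere utilizzata da architetti del software, sviluppatori, tester, security professionals, tool vendors, e utenti per definire, realizzare, testare e verificare la sicurezza delle applicazioni. 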
6 | 7 | ## Copyright e Licenza 8 | 9 | Version 4.0.3, October 2021 10 | 11 |  12 | 13 | Copyright © 2008-2021 The OWASP Foundation. Questo documento è rilasciato sotto la [Creative Commons Attribution ShareAlike 3.0 license](https://creativecommons.org/licenses/by-sa/3.0/). Per qualsiasi riutilizzo o distribuzione, devi chiarire agli altri i termini di licenza di questa opera. 14 | 15 | ## Leader del progetto 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## Principali Contributori 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## Altri Contributori e Revisori 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De 
Schutter | Mike Jang | Riccardo Sirigu | | | 46 | 47 | 48 | 49 | Se non vi ritrovate nella lista dei contributori relativa alla versione 4.0.3 qui sopra, si prega di aprire un ticket su GitHub per essere riconosciuti negli aggiornamenti futuri. 50 | 51 | La Application Security Verification Standard si basa sul lavoro svolto da coloro che hanno partecipato dalla versione ASVS 1.0 del 2008 fino alla versione 3.0 del 2016. Gran parte della struttura e degli elementi di verifica che sono ancora presenti nell'ASVS attuale, sono stati originariamente scritti da Mike Boberski, Jeff Williams e Dave Wichers, ma ci sono molti altri contributori. Grazie a tutti coloro che hanno partecipato in precedenza. Per un elenco completo di tutti coloro che hanno contribuito alle versioni precedenti, si prega di consultare ciascuna versione precedente. 52 | -------------------------------------------------------------------------------- /4.0/it/0x19-V11-BusLogic.md: -------------------------------------------------------------------------------- 1 | # V11 Logica di business 2 | 3 | ## Obiettivo del controllo 4 | 5 | Verificare che un'applicazione soddisfi i seguenti requisiti di alto livello: 6 | 7 | * Il flusso della logica di business deve essere sequenziale, elaborato nell'ordine corretto e non deve essere aggirabile. 8 | * La logica di business deve includere limiti per rilevare e prevenire attacchi automatizzati, come trasferimenti di fondi ripetuti di piccolo importo o l'aggiunta massiva di utenti (ad esempio, un milione di amici contemporaneamente). 9 | * I flussi della logica di business ad alto valore devono considerare possibili abusi e attori malintenzionati, e devono includere protezioni contro attacchi di spoofing, manomissione, divulgazione di informazioni e escalation di privilegi. 10 | 11 | ## V11.1 Sicurezza della logica di business 12 | 13 | La sicurezza della logica di business è così specifica per ogni applicazione che non esiste una lista di controllo universale. 
Deve essere progettata per proteggersi da minacce esterne probabili e non può essere implementata successivamente tramite firewall per applicazioni web o comunicazioni sicure. Si raccomanda di utilizzare il threat modeling durante le fasi di progettazione, ad esempio attraverso strumenti come OWASP Cornucopia o simili. 14 | 15 | | # | Descrizione | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---:| :---: | :---: | 17 | | **11.1.1** | Verificare che l'applicazione elabori i flussi della logica di business per lo stesso utente solo in sequenza e senza saltare passaggi. | ✓ | ✓ | ✓ | 841 | 18 | | **11.1.2** | Verificare che l'applicazione elabori i flussi della logica di business solo con tutti i passaggi completati in un lasso di tempo umano realistico, ovvero le transazioni non vengano eseguite troppo rapidamente. | ✓ | ✓ | ✓ | 799 | 19 | | **11.1.3** | Verificare che l'applicazione abbia limiti appropriati per azioni o transazioni aziendali specifiche, applicati correttamente su base per utente. | ✓ | ✓ | ✓ | 770 | 20 | | **11.1.4** | Verificare che l'applicazione disponga di controlli anti-automazione per proteggersi da chiamate eccessive, come esfiltrazione di massa di dati, richieste di logica di business, caricamenti di file o attacchi denial of service. | ✓ | ✓ | ✓ | 770 | 21 | | **11.1.5** | Verificare che l'applicazione disponga di limiti o convalide della logica di business per proteggersi da probabili rischi o minacce aziendali, identificati mediante threat modeling o metodologie simili. | ✓ | ✓ | ✓ | 841 | 22 | | **11.1.6** | Verificare che l'applicazione non soffra di problemi "Time Of Check to Time Of Use" (TOCTOU) o altre condizioni di race condition per operazioni sensibili. | | ✓ | ✓ | 367 | 23 | | **11.1.7** | Verificare che l'applicazione monitori eventi o attività inusuali da una prospettiva di logica di business. Ad esempio, tentativi di eseguire azioni fuori ordine o azioni che un utente normale non proverebbe mai ad eseguire. 
([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 754 | 24 | | **11.1.8** | Verificare che l'applicazione abbia un sistema di allerta configurabile in caso di rilevamento di attacchi automatizzati o attività inusuali. | | ✓ | ✓ | 390 | 25 | 26 | ## Riferimenti 27 | 28 | Per approfondimenti, consultare: 29 | 30 | * [OWASP Web Security Testing Guide 4.1: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) 31 | * L'anti-automazione può essere ottenuta in molti modi, incluso l'uso di [OWASP AppSensor](https://github.com/jtmelton/appsensor) e di [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) 32 | * [OWASP AppSensor](https://github.com/jtmelton/appsensor) può inoltre aiutare nel rilevamento degli attacchi e nella risposta agli stessi. 33 | * [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) 34 | -------------------------------------------------------------------------------- /4.0/it/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Appendice B: Riferimenti 2 | 3 | I seguenti progetti OWASP sono probabilmente i più utili per gli utenti/adottatori di questo standard: 4 | 5 | ## Progetti principali OWASP 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. 
OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## Progetti OWASP Cheat Sheet 14 | 15 | [Questo progetto](https://owasp.org/www-project-cheat-sheets/) contiene una serie di cheat sheet rilevanti per diversi argomenti dell'ASVS. 16 | 17 | È disponibile una mappatura con l'ASVS che può essere trovata qui: [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## Progetti relativi alla sicurezza Mobile 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## Progetti OWASP relativi all'Internet of Things 26 | 27 | 1. OWASP Internet of Things Project: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## Progetti OWASP relativi all'ambiente Serverless 30 | 31 | 1. OWASP Serverless Project: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Altri 34 | 35 | Analogamente, i seguenti siti web sono probabilmente i più utili per gli utenti/adottatori di questo standard: 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI Security Standards Council: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. 
PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/presentations/ASVS 5.0 – The rise of the Security Verification Standard - AppSec Global San Francisco 2022 - Josh Grossman.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/presentations/ASVS 5.0 – The rise of the Security Verification Standard - AppSec Global San Francisco 2022 - Josh Grossman.pdf -------------------------------------------------------------------------------- /4.0/presentations/AppSec DC 2019 ASVS 4.0 Final.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/presentations/AppSec DC 2019 ASVS 4.0 Final.pptx -------------------------------------------------------------------------------- /4.0/presentations/MyDevSecOps Jan 2020 Webinar - ASVS.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/presentations/MyDevSecOps Jan 2020 Webinar - ASVS.pptx 
-------------------------------------------------------------------------------- /4.0/presentations/NullCon 2019 ASVS 4.0 Release.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/presentations/NullCon 2019 ASVS 4.0 Release.pptx -------------------------------------------------------------------------------- /4.0/presentations/OWASP Helsinki Sep 2019 ASVS 4.0.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/presentations/OWASP Helsinki Sep 2019 ASVS 4.0.pptx -------------------------------------------------------------------------------- /4.0/presentations/OWASP Israel Nov 2019 ASVS.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/presentations/OWASP Israel Nov 2019 ASVS.pptx -------------------------------------------------------------------------------- /4.0/presentations/README.md: -------------------------------------------------------------------------------- 1 | Index of presentations in this folder: 2 | - **NullCon 2019 ASVS 4.0 Release.pptx** - Original 4.0 release presentation prepared by Andrew van der Stock for Nullcon 2019. 3 | - **AppSec DC 2019 ASVS 4.0 Final.pptx** - Slides for training prepared and delivered by Andrew van der Stock for Global AppSec DC 2019. 4 | - **OWASP Helsinki Sep 2019 ASVS 4.0.pptx** - Based on Andrew's 4.0 release presentation but modified and extended by Josh Grossman for a ~60min presentation at the OWASP Helsinki chapter meeting. 5 | - **OWASP Israel Nov 2019 ASVS.pptx** - Based on Andrew's 4.0 release presentation but structurally modified by Josh Grossman for a ~30min presentation at the OWASP Israel chapter meeting. 
6 | - **MyDevSecOps Jan 2020 Webinar - ASVS.pptx** - Slightly expanded version of the "OWASP Israel Nov 2019" version which runs for ~45mins. 7 | - **ASVS 5.0 – The rise of the Security Verification Standard - AppSec Global San Francisco 2022 - Josh Grossman.pdf** - Update on the ASVS including initiatives related to using ASVS for application security verification and the principles for 5.0. -------------------------------------------------------------------------------- /4.0/pt/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # Application Security Verification Standard 4.0.3 6 | 7 | ## Final 8 | 9 | Outubro de 2021 10 | -------------------------------------------------------------------------------- /4.0/pt/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontispício 2 | 3 | ## Sobre o Padrão 4 | 5 | O Application Security Verification Standard é uma lista de requisitos ou testes de segurança de aplicações que podem ser usados por arquitetos, desenvolvedores, testadores, profissionais de segurança, fornecedores de ferramentas e consumidores para definir, construir, testar e verificar aplicações seguras. 6 | 7 | ## Direitos autorais e licença 8 | 9 | Versão 4.0.3, outubro de 2021 10 | 11 |  12 | 13 | Copyright © 2008–2021 The OWASP Foundation. Este documento é lançado sob a [licença Creative Commons Attribution ShareAlike 3.0](https://creativecommons.org/licenses/by-sa/3.0/). Para qualquer reutilização ou distribuição, deixe claro para outras pessoas os termos da licença deste trabalho. 
14 | 15 | ## Líderes de projeto 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## Principais colaboradores 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## Outros colaboradores e revisores 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De Schutter | Mike Jang | | | | 46 | 47 | 48 | 49 | Se um crédito faltar na lista de créditos 4.0.3 acima, crie um ticket no GitHub para ser reconhecido em futuras atualizações. 50 | 51 | O Application Security Verification Standard é construído com base no trabalho dos envolvidos desde o ASVS 1.0 em 2008 até o 3.0 em 2016. 
Grande parte da estrutura e itens de verificação que ainda estão no ASVS hoje foram originalmente escritos por Mike Boberski, Jeff Williams e Dave Wichers, mas há muitos mais contribuidores. Obrigado a todos os envolvidos. Para obter uma lista abrangente de todos aqueles que contribuíram para versões anteriores, consulte as versões anteriores. 52 | -------------------------------------------------------------------------------- /4.0/pt/0x19-V11-BusLogic.md: -------------------------------------------------------------------------------- 1 | # V11 Lógica de Negócios 2 | 3 | ## Objetivo de controle 4 | 5 | Certifique-se de que uma aplicação verificada atenda aos seguintes requisitos de alto nível: 6 | 7 | * O fluxo da lógica de negócios é sequencial, processado em ordem e não pode ser contornado. 8 | * A lógica de negócios inclui limites para detectar e prevenir ataques automatizados, como pequenas transferências contínuas de fundos ou adição de um milhão de amigos, um por vez, e assim por diante. 9 | * Os fluxos de lógica de negócios de alto valor consideram casos de abuso e atores mal-intencionados, com proteções contra falsificação, adulteração, divulgação de informações e ataques de elevação de privilégio. 10 | 11 | ## V11.1 Segurança da Lógica de Negócios 12 | 13 | A segurança da lógica de negócios é tão individual para cada aplicação que nenhuma lista de verificação única se aplica a todos os casos. A segurança da lógica de negócios deve ser projetada para proteger contra prováveis ameaças externas - ela não pode ser adicionada posteriormente usando firewalls de aplicações da Web ou comunicações seguras. Recomendamos o uso de modelagem de ameaças durante os sprints de design, por exemplo, usando o OWASP Cornucopia ou ferramentas semelhantes. 
14 | 15 | | # | Descrição | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---: | :---: | :---: | 17 | | **11.1.1** | Verifique se a aplicação processará apenas fluxos de lógica de negócios para o mesmo usuário em ordem sequencial de etapas e sem pular etapas. | ✓ | ✓ | ✓ | 841 | 18 | | **11.1.2** | Verifique se a aplicação processará apenas fluxos de lógica de negócios com todas as etapas sendo processadas em tempo humano realista, ou seja, as transações não são enviadas muito rapidamente. | ✓ | ✓ | ✓ | 799 | 19 | | **11.1.3** | Verifique se a aplicação tem limites apropriados para ações ou transações de negócios específicas que são aplicadas corretamente por usuário. | ✓ | ✓ | ✓ | 770 | 20 | | **11.1.4** | Verifique se a aplicação possui controles antiautomação para proteção contra chamadas excessivas, como exfiltração de dados em massa, solicitações de lógica de negócios, uploads de arquivos ou ataques de negação de serviço. | ✓ | ✓ | ✓ | 770 | 21 | | **11.1.5** | Verifique se a aplicação tem limites de lógica de negócios ou validação para proteger contra prováveis riscos ou ameaças de negócios, identificados usando modelagem de ameaças ou metodologias semelhantes. | ✓ | ✓ | ✓ | 841 | 22 | | **11.1.6** | Verifique se a aplicação não sofre de problemas de "Time Of Check to Time Of Use" (TOCTOU) ou outras condições de corrida em operações sensíveis. | | ✓ | ✓ | 367 | 23 | | **11.1.7** | Verifique se a aplicação monitora eventos ou atividades incomuns de uma perspectiva de lógica de negócios. Por exemplo, tentativas de executar ações fora de ordem ou ações que um usuário normal nunca tentaria. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 754 | 24 | | **11.1.8** | Verifique se a aplicação possui alertas configuráveis quando ataques automatizados ou atividades incomuns são detectados. 
| | ✓ | ✓ | 390 | 25 | 26 | ## Referências 27 | 28 | Para mais informações, consulte também: 29 | 30 | * [OWASP Web Security Testing Guide 4.1: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) 31 | * A antiautomação pode ser alcançada de várias maneiras, incluindo o uso de [OWASP AppSensor](https://github.com/jtmelton/appsensor) e [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) 32 | * [OWASP AppSensor](https://github.com/jtmelton/appsensor) pode também ajudar com Detecção e Respostas de Ataques. 33 | * [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) 34 | -------------------------------------------------------------------------------- /4.0/pt/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Apêndice B: Referências 2 | 3 | Os seguintes projetos OWASP provavelmente serão úteis para usuários/adotantes deste padrão: 4 | 5 | ## Projetos principais do OWASP 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. 
OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## Projeto OWASP Cheat Sheet Series 14 | 15 | [Este projeto](https://owasp.org/www-project-cheat-sheets/) possui várias sugestões que serão relevantes para diferentes tópicos no ASVS. 16 | 17 | Existe um mapeamento para o ASVS que pode ser encontrado aqui: [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## Projetos Relacionados à Segurança Mobile 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## Projetos relacionados à Internet of Things OWASP 26 | 27 | 1. OWASP Internet of Things Project: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## Projetos OWASP Serverless 30 | 31 | 1. OWASP Serverless Project: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Outras 34 | 35 | Da mesma forma, os seguintes sites provavelmente serão úteis para usuários/adotantes deste padrão. 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI Security Standards Council: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. 
PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/ru/0x00-Header.md: -------------------------------------------------------------------------------- 1 | # 2 | 3 |  4 | 5 | # Стандарт верификации требований к безопасности приложений 4.0.3 6 | 7 | ## Финальная версия 8 | 9 | Октябрь 2021 10 | -------------------------------------------------------------------------------- /4.0/ru/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Фронтиспис 2 | 3 | ## О стандарте 4 | 5 | Стандарт верификации требований к безопасности приложений — это перечень требований к безопасности приложений (тестов), которыми могут пользоваться архитекторы, разработчики, тестировщики, специалисты по безопасности, разработчики инструментов и конечные пользователи для проектирования, разработки, тестирования и контроля безопасных приложений. 6 | 7 | ## Авторские права и лицензия 8 | 9 | Версия 4.0.3, октябрь 2021 10 | 11 |  12 | 13 | Copyright © 2008-2021 The OWASP Foundation. Этот документ выпущен под [лицензией Creative Commons Attribution ShareAlike 3.0](https://creativecommons.org/licenses/by-sa/3.0/). 
При воспроизведении или распространении этого документа необходимо разъяснить условия лицензии на него. 14 | 15 | ## Руководители проекта 16 | 17 | | | | | 18 | |---------------------- |----------------- |------------ | 19 | | Andrew van der Stock | Daniel Cuthbert | Jim Manico | 20 | | Josh C Grossman | Elar Lang | | 21 | 22 | ## Основные участники 23 | 24 | | | | | 25 | |---------------- |---------------- |------------------- | 26 | | Abhay Bhargav | Benedikt Bauer | Osama Elnaggar | 27 | | Ralph Andalis | Ron Perris | Sjoerd Langkemper | 28 | | Tonimir Kisasondi | | | 29 | 30 | ## Другие участники и рецензенты 31 | 32 | | | | | | | 33 | | ------------------- | ------------------ | ----------------- | ---------------- | ----------------- | 34 | | Aaron Guzman | Alina Vasiljeva | Andreas Kurtz | Anthony Weems | Barbara Schachner | 35 | | Christian Heinrich | Christopher Loessl | Clément Notin | Dan Cornell | Daniël Geerts | 36 | | David Clarke | David Johansson | David Quisenberry | Elie Saad | Erlend Oftedal | 37 | | Fatih Ersinadim | Filip van Laenen | Geoff Baskwill | Glenn ten Cate | Grant Ongers | 38 | | hello7s | Isaac Lewis | Jacob Salassi | James Sulinski | Jason Axley | 39 | | Jason Morrow | Javier Dominguez | Jet Anderson | jeurgen | Jim Newman | 40 | | Jonathan Schnittger | Joseph Kerby | Kelby Ludwig | Lars Haulin | Lewis Ardern | 41 | | Liam Smit | lyz-code | Marc Aubry | Marco Schnüriger | Mark Burnett | 42 | | Philippe De Ryck | Ravi Balla | Rick Mitchell | Riotaro Okada | Robin Wood | 43 | | Rogan Dawes | Ryan Goltry | Sajjad Pourali | Serg Belkommen | Siim Puustusmaa | 44 | | Ståle Pettersen | Stuart Gunter | Tal Argoni | Tim Hemel | Tomasz Wrobel | 45 | | Vincent De Schutter | Mike Jang | | | | 46 | 47 | Если Вы — участник проекта, но Вашего имени нет в приведенном выше списке, пожалуйста, зарегистрируйте issue на GitHub, для признания в будущих обновлениях. 
48 | 49 | Четвертая версия стандарта верификации требований к безопасности приложений опирается на предыдущие версии ASVS, начиная с первой, вышедшей в 2008 году, и до третьей, в 2016. Большая часть разделов оглавления и пунктов требований, до сих пор присутствующих в ASVS, изначально была написана Майком Боберски, Джеффом Уильямсом и Дэйвом Уичерсом, но участников было гораздо больше - спасибо им всем. Полные списки всех, кто внес свой вклад в более ранние версии, есть в соответствующих версиях документа. 50 | -------------------------------------------------------------------------------- /4.0/ru/0x19-V11-BusLogic.md: -------------------------------------------------------------------------------- 1 | # V11 Бизнес-логика 2 | 3 | ## Задачи контроля 4 | 5 | Убедитесь, что исследуемое приложение удовлетворяет следующим концептуальным требованиям: 6 | 7 | * Поток бизнес-логики является последовательным, обрабатывается по порядку, и его нельзя обойти. 8 | * Бизнес-логика включает ограничения для обнаружения и предотвращения автоматизированных атак, таких как многократно повторяющиеся денежные переводы незначительных сумм или добавление миллиона друзей по одному за раз и т.д. 9 | * Ключевые потоки бизнес-логики учитывают возможность злоупотреблений и злонамеренных действий и имеют защиту от несанкционированного доступа, разглашения и искажения информации и атак с повышением привилегий. 10 | 11 | ## V11.1 Безопасность бизнес-логики 12 | 13 | Безопасность бизнес-логики настолько индивидуальна для каждого приложения, что не поможет ни один чек-лист. Она должна проектироваться для защиты от вероятных внешних угроз, но её нельзя «включить» задним числом как набор правил на WAF или организовав защищенный канал связи. Мы рекомендуем использовать моделирование угроз во время спринтов по дизайну, например, с помощью OWASP Cornucopia или аналогичных инструментов. 
14 | 15 | | № | Описание | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---:| :---: | :---: | 17 | | **11.1.1** | Убедитесь, что приложение обрабатывает потоки бизнес-логики для одного и того же пользователя только последовательно и без пропуска шагов.| ✓ | ✓ | ✓ | 841 | 18 | | **11.1.2** | Убедитесь, что приложение обрабатывает потоки бизнес-логики только в том случае, если все шаги обрабатываются в реалистичном для человека масштабе времени, т.е. транзакции не делаются слишком быстро.| ✓ | ✓ | ✓ | 799 | 19 | | **11.1.3** | Убедитесь, что приложение ограничивает определенные операции бизнес-процессов или транзакции по частоте и потребляемым ресурсам, и эти ограничения корректно применяются для каждого пользователя. | ✓ | ✓ | ✓ | 770 | 20 | | **11.1.4** | Убедитесь, что в приложении предусмотрены меры защиты от автоматизации аномальных по размеру запросов на массовую выгрузку данных, запросов бизнес-логики, загрузки файлов или атак типа «отказ в обслуживании». | ✓ | ✓ | ✓ | 770 | 21 | | **11.1.5** | Убедитесь, что приложение имеет ограничения бизнес-логики или меры защиты от наиболее вероятных бизнес-рисков или угроз, выявленных с помощью моделирования угроз или аналогичных методологий. | ✓ | ✓ | ✓ | 841 | 22 | | **11.1.6** | Убедитесь, что приложение не подвержено атакам типа «момент проверки / момент использования» (TOCTOU) или другим состояниям гонки при выполнении критичных операций. | | ✓ | ✓ | 367 | 23 | | **11.1.7** | Убедитесь, что приложение отслеживает необычные события или действия с точки зрения бизнес-логики. Например, попытки выполнить действия не по порядку или действия, которые обычный пользователь никогда бы не совершил. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 754 | 24 | | **11.1.8** | Убедитесь, что приложение имеет настраиваемое оповещение при обнаружении автоматизированных атак или необычных действий. | | ✓ | ✓ | 390 | 25 | 26 | ## Ссылки 27 | 28 | Для дополнительной информации см. 
также: 29 | 30 | * [OWASP Web Security Testing Guide 4.2: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) 31 | * "Анти-автоматизация" атак может быть достигнута многими способами, включая [OWASP AppSensor](https://github.com/jtmelton/appsensor) и [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) 32 | * [OWASP AppSensor](https://github.com/jtmelton/appsensor) также может помочь с обнаружением и реагированием на атаки. 33 | * [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) 34 | -------------------------------------------------------------------------------- /4.0/ru/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Приложение B: Полезные ссылки 2 | 3 | Следующие проекты OWASP, скорее всего, будут полезны для читателей/последователей этого стандарта: 4 | 5 | ## Основные проекты OWASP 6 | 7 | 1. Проект OWASP Top 10: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP Security Knowledge Framework: [https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## Проект OWASP Cheat Sheet Series 14 | 15 | [В этом проекте](https://owasp.org/www-project-cheat-sheets/) есть памятки, которые будут актуальны для многих требований ASVS. 
16 | 17 | Сопоставление памяток с требованиями ASVS можно найти здесь: [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## Проекты Mobile Security 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## Проект OWASP Internet of Things 26 | 27 | OWASP Internet of Things: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## Проект OWASP Serverless 30 | 31 | OWASP Serverless: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Другие 34 | 35 | Следующие web-сайты, скорее всего, также будут полезны для читателей/последователей этого стандарта: 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI Security Standards Council: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures (русский перевод): [https://ru.pcisecuritystandards.org/_onelink_/pcisecurity/en2ru/minisite/en/docs/PCI_DSS_v3-2-1_RU.pdf](https://ru.pcisecuritystandards.org/_onelink_/pcisecurity/en2ru/minisite/en/docs/PCI_DSS_v3-2-1_RU.pdf) 41 | 5. 
PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/templates/reference.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/4.0/templates/reference.docx -------------------------------------------------------------------------------- /4.0/tools/export.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | ''' Tool for converting the ASVS requirements to various formats. 
4 | 5 | Usage: ./export.py [--format `<章>.<节>.<要求>` ,每个元素都是一个数字,例如:`1.11.3` 。 67 | - `<章>` 值对应于需求出现的章,例如:所有 `1.#.#` 的需求都来自`Architecture`这一章。 68 | - `<节>` 值对应于该章中需求出现的小节,例如:所有 `1.11.#` 需求都在 `Architecture` 章的 `Business Logic Architecture` 部分。 69 | - `<要求>` 值对应于该章该节中的具体要求,例如:本标准的4.0.3版本中的 `1.11.3` 是: 70 | 71 | > 验证所有高价值业务逻辑流(包括身份验证、会话管理和访问控制)都是线程安全的,并且可以防止“检查时间和使用时间不一致”导致的条件竞争问题。 72 | 73 | 标识符可能会在标准版本之间发生变化,因此在其他文档、报告或工具中最好使用以下格式: `v<版本>-<章>.<节>.<要求>` ,其中:“版本”(version)是 ASVS 版本标签。 例如:`v4.0.3-1.11.3` 将被理解为特指版本 4.0.3 中“架构”这一章中“业务逻辑架构”这一节的第 3 项要求。 (可概括为`v<版本>-<需求标识符>`。) 74 | 75 | 注意:版本部分前面的 `v` 要小写。 76 | 77 | 如果使用不包括 `v` 的标识符,那么它们应该被认为是指最新的应用安全验证标准内容。显然,随着标准的增长和变化,这将导致问题,这就是为什么作者或开发者应该将版本包括进去。 78 | 79 | ASVS 需求列表,以 CSV、JSON 和其他可能对参考或编程有用的格式提供。 80 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x04-Assessment_and_Certification.md: -------------------------------------------------------------------------------- 1 | # 评估和认证 2 | 3 | ## OWASP对ASVS认证和信任标志的立场 4 | 5 | OWASP作为一个与供应商无关的非营利性组织,目前不认证任何供应商、验证人员或软件。 6 | 7 | 所有这类保证声明、信任标志或认证,均未经 OWASP 正式审查、注册或认证,因此依赖此类观点的组织,需要谨慎对待任何第三方的信任或声称ASVS认证的信任标志。 8 | 9 | 这并不影响组织提供此类保证服务,只要他们不要求官方的 OWASP 认证。 10 | 11 | ## 认证组织指南 12 | 13 | 应用程序安全验证标准,可以用作应用程序的公开验证,包括对关键资源的开放和自由访问(如架构师和开发人员、项目文档、源代码),对测试系统的认证访问(包括对每个角色的一个或多个帐户的访问),特别是L2和L3验证。 14 | 15 | 从历史上看,渗透测试和安全代码审查都包含“异常”问题——即只有未通过的测试项才会出现在最终报告中。 认证组织必须在任何报告中包括验证的范围(特别是某个关键组件不在范围内时,如SSO身份验证)、验证结果的摘要,包括通过的和未通过的测试,并清楚地说明如何解决未通过的测试。 16 | 17 | 某些验证要求可能不适用于被测试的应用程序。例如,如果你向客户提供无状态的服务层API而没有客户端实现,那么“V3-会话管理”中的许多要求就不能直接使用。 在这种情况下,认证机构仍可声称完全符合 ASVS 的要求,但必须在报告中明确说明被排除的验证要求不适用的原因。 18 | 19 | 保留详细的工作底稿、屏幕截图或视频、可靠地重复利用一个问题的脚本,以及测试的电子记录,如拦截代理日志和相关的笔记(如清理清单),被认为是标准的行业惯例,哪怕是对于最可疑的开发人员来说,它们也能作为调查结果的证明。 仅仅跑一个工具并报告故障是不够的,这根本不能提供充分的证据,证明所有认证级别的问题都经过了彻底的测试。 在有争议的情况下,应该有足够的证据,来证明每一个经过验证的需求确实被测试过。 20 | 21 | ### 测试方法 22 | 23 | 认证机构可自由选择适当的测试方法,但应在报告中注明。 24 | 25 | 根据所测试的应用程序和验证需求,可以使用不同的测试方法来获得相似的结果置信度。 例如,要验证应用程序输入验证机制的有效性,可以通过手动渗透测试或通过源代码来分析。 26 | 27 | #### 自动化安全测试工具的作用 28 | 29 | 鼓励使用自动化渗透测试工具以提供尽可能多的覆盖范围。 30 | 31 | 
仅使用自动渗透测试工具,是不可能完全完成ASVS验证的。虽然L1中的绝大多数需求可以使用自动化测试来执行,但总体上,绝大多数需求并不适合自动化渗透测试。 32 | 33 | 请注意,随着应用安全行业的成熟,自动化和手动测试之间的界限已经变得模糊。 自动化工具通常由专家手动调整,而手动测试人员通常会利用各种自动化工具。 34 | 35 | #### 渗透测试的作用 36 | 37 | 在 4.0 版本中,我们决定让 L1 完全可渗透测试,而无需访问源代码、文档或开发人员。 OWASP Top 10 2017 A10 要求的两个日志记录项目,将需要访谈、屏幕截图或其他证据,就像它们在 OWASP Top 10 2017 中的一样。 然而,在无法获得必要信息的情况下进行测试,并不是一种理想的安全验证方式,因为它不仅错过了审查来源、识别威胁和缺失控制的可能性,还会错过在更短的时间内进行更彻底测试的可能。 38 | 39 | 在可能的情况下,执行L2或L3评估时,需要访问开发人员、文档、代码,以及访问具有非生产数据的测试应用程序。 在这些级别进行的渗透测试,需要这种级别的访问,我们称之为 “混合审查” 或 “混合渗透测试”。 40 | 41 | ## ASVS的其他用途 42 | 43 | 除了用于评估应用程序的安全性外,我们还确定了ASVS的许多其他潜在用途。 44 | 45 | ### 作为详细的安全架构指南 46 | 47 | 应用程序安全验证标准的更常见用途之一,是作为安全架构师的资源。 Sherwood应用业务安全架(Sherwood Applied Business Security Architecture,SABSA)缺少大量的信息,而这些信息是完成一次彻底的应用安全架构审查所必需的。 ASVS可以用来填补这些空白,让安全架构师为常见问题选择更好的控制措施,如数据保护模式和输入验证策略。 48 | 49 | ### 作为现有安全编码Checklists的替代品 50 | 51 | 许多组织可以从采用ASVS中受益,通过选择三个级别中的一个,或通过fork ASVS,在特定领域改变每个应用风险级别的要求。 我们鼓励这种fork,只要保持可追溯性,因此,如果一个应用程序已经通过了标准版本中的“要求4.1”,那么也就通过了fork版本中的这个要求。 52 | 53 | ### 作为自动化单元和集成测试的指南 54 | 55 | ASVS的设计是高度可测试的,唯一的例外是架构和恶意代码要求。 通过构建单元和集成测试,对相关的滥用情况进行fuzz测试,应用程序几乎可以在每次构建中进行自我验证。 例如,可以为登录控制器制作额外的测试,测试常见的默认用户名参数、帐户枚举、暴力破解、LDAP注入、SQL 注入以及 XSS。 同样地,对密码参数的测试,应该包括常用密码、密码长度、空字节注入、移除参数、XSS等。 56 | 57 | ### 用于安全开发培训 58 | 59 | ASVS 还可用于定义安全软件的特征。 许多“安全编码”课程只是带有少量编码技巧的道德黑客课程。 这不一定能帮助开发人员编写更安全的代码。 相反,安全开发课程可以使用 ASVS,重点关注 ASVS 中的主动控制,而不是前 10 项不该做的负面事情。 60 | 61 | ### 作为敏捷应用安全的驱动程序 62 | 63 | 在敏捷开发过程中,为了获得安全的产品,ASVS可以作为框架来定义团队需要实施的特定任务。 一种可能的方法是:从 Level 1 开始,根据指定级别的 ASVS 要求,验证特定应用程序或系统,查找缺少哪些项目,并在待办事项中提出特定工单/任务。 这有助于对具体任务进行优先排序(梳理),并使安全在敏捷开发中可见。 这也可用于确定组织中审计和审查任务的优先;其中,特定的 ASVS 要求,可以作为团队成员审查、重构或审计的驱动因素,并可以记录到最终的待办清单中。 64 | 65 | ### 作为指导安全软件采购的框架 66 | 67 | ASVS 是一个很好的框架,可以帮助确保安全软件的采购或定制开发服务的采购。 买方可以简单地设定一个要求,即他们希望采购的软件必须按照 ASVS 的 Level x 来开发,并要求卖方证明该软件满足ASVS的x级。 68 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x12-V4-Access-Control.md: -------------------------------------------------------------------------------- 
1 | # V4 访问控制 2 | 3 | ## 控制目标 4 | 5 | 授权是一个概念,即只允许那些被允许使用资源的人访问资源。确保经过验证的应用程序满足以下高级要求: 6 | 7 | * 访问资源的人员持有有效凭据才能这样做。 8 | * 用户与一组明确定义的角色和权限相关联。 9 | * 角色和权限元数据受到保护,不会被重放或篡改。 10 | 11 | ## 安全验证要求 12 | 13 | ## V4.1 通用访问控制设计 14 | 15 | | # | 描述 | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---: | :---: | :---: | 17 | | **4.1.1** | 验证应用程序是否在受信任的服务层上执行访问控制规则,尤其是在有客户端访问控制并且可能被绕过的情况下。 | ✓ | ✓ | ✓ | 602 | 18 | | **4.1.2** | 验证访问控制所使用的所有用户和数据属性以及策略信息,不能被最终用户操纵,除非得到特别授权。 | ✓ | ✓ | ✓ | 639 | 19 | | **4.1.3** | 验证是否存在最小权限原则——用户应该只能访问他们拥有特定授权的功能、数据文件、URL、控制器、服务和其他资源。这意味着防止欺骗或特权提升。 ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 285 | 20 | | **4.1.4** | [已删除,与 4.1.3 重复] | | | | | 21 | | **4.1.5** | 验证访问控制是否安全地失效(fail securely),包括在发生异常的情况下。 ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 285 | 22 | 23 | ## V4.2 操作级访问控制 24 | 25 | | # | 描述 | L1 | L2 | L3 | CWE | 26 | | :---: | :--- | :---: | :---: | :---: | :---: | 27 | | **4.2.1** | 验证敏感数据和API的保护,防止针对创建、读取、更新和删除记录的不安全直接对象引用(IDOR)攻击,如创建或更新别人的记录,查看每个人的记录或删除所有记录。 | ✓ | ✓ | ✓ | 639 | 28 | | **4.2.2** | 验证应用程序或框架是否实施了强大的反 CSRF 机制来保护经过身份验证的功能,以及有效的反自动化或反 CSRF 保护无需身份验证的功能。 | ✓ | ✓ | ✓ | 352 | 29 | 30 | ## V4.3 其他访问控制注意事项 31 | 32 | | # | 描述 | L1 | L2 | L3 | CWE | 33 | | :---: | :--- | :---: | :---: | :---: | :---: | 34 | | **4.3.1** | 验证管理界面使用适当的多因素认证,防止未经授权的使用。 | ✓ | ✓ | ✓ | 419 | 35 | | **4.3.2** | 验证目录浏览被禁用,除非特意需要。此外,应用程序不应允许披露文件或目录元数据,例如Thumbs.db、.DS_Store、.git或.svn文件夹。 | ✓ | ✓ | ✓ | 548 | 36 | | **4.3.3** | 验证应用程序对低价值的系统有额外的授权(如升级或自适应认证),对高价值的应用程序进行职责分离,以根据应用程序和过去的欺诈风险执行反欺诈控制。 | | ✓ | ✓ | 732 | 37 | 38 | ## 参考文献 39 | 40 | 有关更多信息,请参阅: 41 | 42 | * [OWASP Testing Guide 4.0: Authorization](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/README.html) 43 | * [OWASP Cheat Sheet: Access Control](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html) 44 | * [OWASP CSRF Cheat 
Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) 45 | * [OWASP REST Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html) 46 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x14-V6-Cryptography.md: -------------------------------------------------------------------------------- 1 | # V6 存储密码学 2 | 3 | ## 控制目标 4 | 5 | 确保经过验证的应用程序满足以下高级要求: 6 | 7 | * 所有加密模块以安全的方式失效,并且正确处理错误。 8 | * 使用合适的随机数发生器。 9 | * 密钥访问被安全地管理。 10 | 11 | ## V6.1 数据分类 12 | 13 | 最重要的资产是由应用程序处理、存储或传输的数据。始终执行隐私影响评估,对任何存储数据的数据保护需求进行正确分类。 14 | 15 | | # | 说明 | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---: | :---: | :---: | 17 | | **6.1.1** | 验证受监管的私人数据在静止状态下是否被加密存储,如个人身份信息(PII)、敏感个人信息或经评估可能受制于欧盟GDPR的数据。 | | ✓ | ✓ | 311 | 18 | | **6.1.2** | 验证受监管的健康数据在静止状态下是否被加密存储,如医疗记录、医疗设备详情或去匿名化的研究记录。 | | ✓ | ✓ | 311 | 19 | | **6.1.3** | 验证受监管的金融数据在静止状态下是否被加密存储,如金融账户、违约或信用记录、税务记录、工资记录、受益人或去匿名化的市场或研究记录。 | | ✓ | ✓ | 311 | 20 | 21 | ## V6.2 算法 22 | 23 | 密码学的最新进展意味着以前安全的算法和密钥长度不再安全或足以保护数据。因此,应该可以改变算法。 24 | 25 | 虽然这一部分不容易进行渗透测试,但开发人员应该把这一整节视为强制性的,即使在大多数项目中 L1 都没有要求。 26 | 27 | | # | 说明 | L1 | L2 | L3 | CWE | 28 | | :---: | :--- | :---: | :---: | :---: | :---: | 29 | | **6.2.1** | 验证所有的加密模块即使在故障时也是安全的,并且处理错误的方式不会使Padding Oracle攻击得逞。 | ✓ | ✓ | ✓ | 310 | 30 | | **6.2.2** | 验证使用业界认可或政府批准的加密算法、模式和库,而不是自定义编码的加密技术。 ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 327 | 31 | | **6.2.3** | 验证加密初始化向量、密码配置和分组模式是否使用最新建议进行安全配置。 | | ✓ | ✓ | 326 | 32 | | **6.2.4** | 验证随机数、加密或散列算法、密钥长度、轮次、密码或模式,可以在任何时候重新配置、升级或交换,以防止密码中断。 ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 326 | 33 | | **6.2.5** | 验证不使用已知不安全的分组模式(如ECB等)、填充模式(如PKCS#1 v1.5等)、小块大小的密码(如Triple-DES、Blowfish等)和弱散列算法(如MD5、SHA1等),除非需要向后兼容。 | | ✓ | ✓ | 326 | 34 | | **6.2.6** | 验证随机数、初始化向量和其他一次性使用的数字,不得与特定的加密密钥使用超过一次。生成方法必须适合所使用的算法。 | | ✓ | ✓ | 326 | 35 | | **6.2.7** | 
验证加密数据是否通过签名、认证的密码模式或 HMAC 进行身份验证,以确保密文不会被未经授权的一方更改。 | | | ✓ | 326 | 36 | | **6.2.8** | 验证所有的密码操作都是恒定时间的,在比较、计算或返回中没有“短路”操作,以避免信息泄漏。 | | | ✓ | 385 | 37 | 38 | ## V6.3 随机值 39 | 40 | 真正的伪随机数生成(PRNG)很难实现。通常,如果过度使用,系统内良好的熵源不但很快耗尽,而且随机性较小的源会导致可预测的密钥和秘密。 41 | 42 | | # | 说明 | L1 | L2 | L3 | CWE | 43 | | :---: | :--- | :---: | :---: | :---: | :---: | 44 | | **6.3.1** | 验证所有的随机数、随机文件名、随机GUID和随机字符串,都是使用加密模块认可的加密安全随机数生成器生成的,而这些随机值旨在不被攻击者猜测。 | | ✓ | ✓ | 338 | 45 | | **6.3.2** | 验证是否使用 GUID v4 算法和加密安全伪随机数生成器(CSPRNG)创建了随机 GUID。使用其他伪随机数生成器创建的 GUID 可能是可预测的。 | | ✓ | ✓ | 338 | 46 | | **6.3.3** | 验证应用程序即使在处于高负载下时也使用适当的熵创建随机数,或者应用程序在这种情况下优雅地降级。 | | | ✓ | 338 | 47 | 48 | ## V6.4 密钥管理 49 | 50 | 虽然这一部分不容易进行渗透测试,但开发人员应将整个部分视为强制性的,即使大多数项目中都缺少 L1 的要求。 51 | 52 | | # | 说明 | L1 | L2 | L3 | CWE | 53 | | :---: | :--- | :---: | :---: | :---: | :---: | 54 | | **6.4.1** | 验证秘密管理解决方案,如钥匙库,用于安全地创建、存储、控制对秘密的访问和销毁。 ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 798 | 55 | | **6.4.2** | 验证密钥材料是否未暴露给应用程序,而是使用一个隔离的安全模块(如保险库)进行加密操作。 ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 320 | 56 | 57 | ## 参考文献 58 | 59 | 有关更多信息,请参阅: 60 | 61 | * [OWASP Testing Guide 4.0: Testing for weak Cryptography](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/README.html) 62 | * [OWASP Cheat Sheet: Cryptographic Storage](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html) 63 | * [FIPS 140-2](https://csrc.nist.gov/publications/detail/fips/140/2/final) 64 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x16-V8-Data-Protection.md: -------------------------------------------------------------------------------- 1 | # V8 数据保护 2 | 3 | ## Control Objective 4 | 5 | 健全的数据保护有三个关键因素。机密性、完整性和可用性(CIA)。这个标准假定数据保护是在一个可信的系统上执行的,比如服务器,它已经被加固并有足够的保护措施。 6 | 7 | 
应用程序必须假设所有的用户设备都以某种方式受到损害。如果应用程序在不安全的设备上传输或存储敏感信息,如共享电脑、手机和平板电脑,应用程序有责任确保存储在这些设备上的数据是加密的,不能轻易地被非法获取、改变或披露。 8 | 9 | 确保经过验证的应用程序满足以下高水平的数据保护要求: 10 | 11 | * 机密性。数据应受到保护,在传输过程中和存储时都不会被未经授权的观察或披露。 12 | * 完整性。应保护数据不被未经授权的攻击者恶意创建、更改或删除。 13 | * 可用性。数据应按要求提供给授权的用户。 14 | 15 | ## V8.1 通用数据保护 16 | 17 | | # | 说明 | L1 | L2 | L3 | CWE | 18 | | :---: | :--- | :---: | :---: | :---: | :---: | 19 | | **8.1.1** | 验证应用程序保护敏感数据不被缓存在负载均衡和应用程序缓存等服务器组件中。 | | ✓ | ✓ | 524 | 20 | | **8.1.2** | 验证在服务器上所存储敏感数据的所有缓存或临时副本是否受到保护(防止未经授权的访问),或在被授权用户访问后清除/失效。 | | ✓ | ✓ | 524 | 21 | | **8.1.3** | 验证应用程序尽量减少请求中的参数数量,如隐藏字段、Ajax 变量、cookies 和请求头。 | | ✓ | ✓ | 233 | 22 | | **8.1.4** | 验证应用程序能够检测并提醒异常的请求数量,例如按IP、用户、每小时或每天的总数,或其它对应用程序有意义的指标。 | | ✓ | ✓ | 770 | 23 | | **8.1.5** | 验证是否对重要数据进行了定期备份,是否对数据进行了测试恢复。 | | | ✓ | 19 | 24 | | **8.1.6** | 验证备份的安全存储,防止数据被盗或损坏。 | | | ✓ | 19 | 25 | 26 | ## V8.2 客户端数据保护 27 | 28 | | # | 说明 | L1 | L2 | L3 | CWE | 29 | | :---: | :--- | :---: | :---: | :---: | :---: | 30 | | **8.2.1** | 验证应用程序设置足够的“禁止缓存”头,以便敏感数据不会在现代浏览器中被缓存。 | ✓ | ✓ | ✓ | 525 | 31 | | **8.2.2** | 验证存储在浏览器存储(例如 localStorage、sessionStorage、IndexedDB 或 cookie)中的数据不包含敏感数据。 | ✓ | ✓ | ✓ | 922 | 32 | | **8.2.3** | 在客户端或会话终止后,验证经过身份验证的数据已从客户端存储(例如浏览器 DOM)中清除。 | ✓ | ✓ | ✓ | 922 | 33 | 34 | ## V8.3 敏感私有数据 35 | 36 | 本小节有助于保护敏感数据免遭未经授权的创建、读取、更新或删除,尤其是批量数据。 37 | 38 | 遵守本节意味着遵守 V4 访问控制,尤其是 V4.2。例如,为了防止个人敏感信息的未授权的更新或泄露,需要遵守 V4.2.1。请遵守本节和 V4 以获得全面覆盖。 39 | 40 | 注意:隐私法规和法律,例如澳大利亚隐私原则 APP-11 或 GDPR,直接影响应用程序必须如何处理敏感个人信息的存储、使用和传输的实施。范围从严厉的处罚到简单的建议。请查阅您当地的法律法规,并根据需要咨询专业的隐私专家或律师。 41 | 42 | | # | 说明 | L1 | L2 | L3 | CWE | 43 | | :---: | :--- | :---: | :---: | :---: | :---: | 44 | | **8.3.1** | 验证敏感数据是在HTTP消息正文或请求头中被发送到服务器,以及HTTP请求方法的查询字符串参数都不包含敏感数据。 | ✓ | ✓ | ✓ | 319 | 45 | | **8.3.2** | 验证用户是否有途径按需删除或导出自己的数据。 | ✓ | ✓ | ✓ | 212 | 46 | | **8.3.3** | 验证向用户提供了关于收集和使用其个人信息的明确语言,并且在以任何方式使用这些数据之前,用户已勾选了同意。 | ✓ | ✓ | ✓ | 285 | 47 | | **8.3.4** | 验证应用程序创建和处理的所有敏感数据是否已被识别,并确保已制定了如何处理敏感数据的策略。 
([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 200 | 48 | | **8.3.5** | 如果数据是根据相关数据保护指令收集的或(应用)要求记录访问日志,验证访问敏感数据是否被审计(不记录敏感数据本身)。 | | ✓ | ✓ | 532 | 49 | | **8.3.6** | 为了减少内存转储攻击,一旦不再需要内存中的敏感信息,请检查该敏感信息是否会被覆盖(使用0或随机数)。 | | ✓ | ✓ | 226 | 50 | | **8.3.7** | 验证需要加密的敏感信息或私有信息是否使用经过批准的机密性和完整性算法加密。 ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 327 | 51 | | **8.3.8** | 验证敏感的个人信息是否符合数据保留分类,以便自动、按计划或根据情况需要删除旧数据或过时数据。 | | ✓ | ✓ | 285 | 52 | 53 | 在考虑数据保护时,首要的考虑应该围绕批量提取、修改或过度使用。例如,许多社交媒体系统只允许用户每天添加100个新好友,但这些请求来自哪个系统并不重要。银行平台可能希望阻止每小时超过5笔的、转移超过1000欧元的外部交易。每个系统的要求可能非常不同,所以决定 “异常” 必须考虑威胁模型和商业风险。重要的标准是检测、遏制,或者最好是阻止这种异常批量行为的能力。 54 | 55 | ## 参考文献 56 | 57 | 有关更多信息,请参阅: 58 | 59 | * [Consider using Security Headers website to check security and anti-caching headers](https://securityheaders.io) 60 | * [OWASP Secure Headers project](https://owasp.org/www-project-secure-headers/) 61 | * [OWASP Privacy Risks Project](https://owasp.org/www-project-top-10-privacy-risks/) 62 | * [OWASP User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html) 63 | * [European Union General Data Protection Regulation (GDPR) overview](https://edps.europa.eu/data-protection_en) 64 | * [European Union Data Protection Supervisor - Internet Privacy Engineering Network](https://edps.europa.eu/data-protection/ipen-internet-privacy-engineering-network_en) 65 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x17-V9-Communications.md: -------------------------------------------------------------------------------- 1 | # V9 通讯 2 | 3 | ## 控制目标 4 | 5 | 确保经过验证的应用程序满足以下高级要求: 6 | 7 | * 要求 TLS 或强加密,与内容的敏感性无关。 8 | * 遵循最新指南,包括: 9 | * 配置建议 10 | * 首选算法和密码 11 | * 避免使用弱的或即将被废弃的算法和密码,除非是最后的手段。 12 | * 禁用已废弃或已知不安全的算法和密码。 13 | 14 | 在这些要求范围内: 15 | 16 | * 了解业界对安全TLS配置的建议,因为它经常变化(往往是由于现有算法和密码的灾难性破坏)。 17 | * 使用最新版本的TLS配置审查工具,来配置首选顺序和算法选择。 18 | * 
定期检查你的配置,以确保安全通信始终存在并有效。 19 | 20 | ## V9.1 客户端通信安全 21 | 22 | 确保所有客户端消息都通过加密网络发送,使用TLS 1.2或更高版本。 23 | 使用最新的工具定期检查客户端配置。 24 | 25 | | # | 描述 | L1 | L2 | L3 | CWE | 26 | | :---: | :--- | :---: | :---: | :---: | :---: | 27 | | **9.1.1** | 验证所有客户端连接都使用了TLS,并且不会降级到不安全或未加密的通信。 ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ✓ | ✓ | ✓ | 319 | 28 | | **9.1.2** | 使用最新的TLS测试工具,验证是否只启用了强密码套件,并将最强的密码套件设置为首选。 | ✓ | ✓ | ✓ | 326 | 29 | | **9.1.3** | 验证只启用最新推荐版本的TLS协议,如TLS 1.2和TLS 1.3。最新版本的TLS协议应该是首选项。 | ✓ | ✓ | ✓ | 326 | 30 | 31 | ## V9.2 服务器通信安全 32 | 33 | 服务器通信不仅仅是 HTTP。与其他系统的安全连接,例如监控系统、管理工具、远程访问和 ssh、中间件、数据库、大型机、合作伙伴或外部源系统——必须到位。所有这些都必须加密,以防止“外面安全,里面被轻易截获”。 34 | 35 | | # | 描述 | L1 | L2 | L3 | CWE | 36 | | :---: | :--- | :---: | :---: | :---: | :---: | 37 | | **9.2.1** | 验证与服务器的连接是否使用受信任的TLS证书。在使用内部生成或自签名证书的情况下,必须将服务器配置为只信任特定的内部CA和特定的自签证书。所有其他的都应该被拒绝。 | | ✓ | ✓ | 295 | 38 | | **9.2.2** | 确认所有入站和出站连接都使用了 TLS 等加密通信,包括管理端口、监控、身份验证、API 或 Web 服务调用、数据库、云、serverless、大型机、外部和合作伙伴的连接。服务器不得回退到不安全或未加密的协议。 | | ✓ | ✓ | 319 | 39 | | **9.2.3** | 验证所有外部系统中与敏感信息/功能相关的加密连接,均已通过身份验证。 | | ✓ | ✓ | 287 | 40 | | **9.2.4** | 验证是否启用并配置了正确的证书吊销,例如在线证书状态协议(OCSP)Stapling。 | | ✓ | ✓ | 299 | 41 | | **9.2.5** | 验证是否记录了后端TLS连接失败(的事件)。 | | | ✓ | 544 | 42 | 43 | ## 参考文献 44 | 45 | 有关更多信息,请参阅: 46 | 47 | * [OWASP – TLS Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html) 48 | * [OWASP - Pinning Guide](https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning) 49 | * 关于 “TLS的批准模式“ 的说明: 50 | * 在过去,ASVS提到了美国标准FIPS 140-2,但作为一个全球标准美国标准的应用可能充满困难、矛盾或混乱。 51 | * 实现第9.1节的更好方法是审查指南,如 [Mozilla's Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS) or [generate known good configurations](https://mozilla.github.io/server-side-tls/ssl-config-generator/),并使用已知最新的TLS评估工具来获得所需的安全等级。 52 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x18-V10-Malicious.md: 
-------------------------------------------------------------------------------- 1 | # V10 恶意代码 2 | 3 | ## 控制目标 4 | 5 | 确保代码满足以下高级要求: 6 | 7 | * 恶意活动得到安全和适当的处理,不会影响应用程序的其余部分。 8 | * 没有定时炸弹或其他基于时间的攻击。 9 | * 不会向恶意或未经授权的目的地“打电话回家”。 10 | * 没有后门、复活节彩蛋、Salami攻击、rootkit 或攻击者可以控制的未授权代码。 11 | 12 | 发现恶意代码是否定的证明,这是不可能被充分验证的。应尽最大努力,确保代码没有固有的恶意代码或不需要的功能。 13 | 14 | ## V10.1 代码完整性 15 | 16 | 对恶意代码的最佳防御是“信任,但要验证”。在许多司法管辖区,将未经授权或恶意的代码片段引入代码,通常是刑事犯罪。策略和过程应明确对恶意代码的制裁。 17 | 18 | 首席开发人员应该定期检查代码签入,特别是那些可能去访问时间、I/O或网络功能的代码签入。 19 | 20 | | # | 描述 | L1 | L2 | L3 | CWE | 21 | | :---: | :--- | :---: | :---: | :---: | :---: | 22 | | **10.1.1** | 验证是否使用了代码分析工具,可以检测潜在的恶意代码,如时间函数、不安全的文件操作和网络连接。 | | | ✓ | 749 | 23 | 24 | ## V10.2 恶意代码搜索 25 | 26 | 恶意代码极为罕见,难以检测。手动逐行审查代码可以帮助寻找逻辑炸弹,但即使是最有经验的代码审查员也很难找到恶意代码,哪怕事先知道它们的存在。 27 | 28 | 如果不能完全接触到源代码,包括第三方库,就不可能遵守本节的规定。 29 | 30 | | # | 描述 | L1 | L2 | L3 | CWE | 31 | | :---: | :--- | :---: | :---: | :---: | :---: | 32 | | **10.2.1** | 验证应用程序的源代码和第三方库不包含未经授权的回连或数据收集功能。如果存在这样的功能,在收集任何数据之前,要获得用户的操作许可。 | | ✓ | ✓ | 359 | 33 | | **10.2.2** | 验证应用程序不会对隐私相关的功能或传感器(例如联系人、摄像头、麦克风或位置)要求不必要或过度的权限。 | | ✓ | ✓ | 272 | 34 | | **10.2.3** | 验证应用程序的源代码和第三方库不包含后门,如硬编码或额外的未记录的账户或密钥、代码混淆、未记录的二进制blobs、rootkits或反调试、不安全的调试特性,或其他过时、不安全或隐藏的功能,一旦被发现可能会被恶意使用。 | | | ✓ | 507 | 35 | | **10.2.4** | 通过搜索日期和时间相关函数,来验证应用程序源代码和第三方库不包含时间炸弹。 | | | ✓ | 511 | 36 | | **10.2.5** | 验证应用程序源代码和第三方库不包含恶意代码,例如salami攻击、逻辑绕过或逻辑炸弹。 | | | ✓ | 511 | 37 | | **10.2.6** | 验证应用程序的源代码和第三方库不包含复活节彩蛋或任何其他潜在的冗余功能。 | | | ✓ | 507 | 38 | 39 | ## V10.3 应用程序完整性 40 | 41 | 应用程序被部署后,恶意代码仍然可以被插入。应用程序需要保护自己免受常见的攻击,例如执行来自不受信任来源的未签名代码或子域接管。 42 | 43 | 本节内容的实现,很可能是操作性和持续性的。 44 | 45 | | # | 描述 | L1 | L2 | L3 | CWE | 46 | | :---: | :--- | :---: | :---: | :---: | :---: | 47 | | **10.3.1** | 验证如果应用程序具有客户端或服务器自动更新功能,则应通过安全通道获得更新,并进行数字签名。更新代码必须在安装或执行更新之前验证更新的数字签名。 | ✓ | ✓ | ✓ | 16 | 48 | | **10.3.2** | 验证应用程序是否采用了完整性保护,如代码签名或子资源完整性。应用程序不得从不受信任的来源加载或执行代码,例如从不可信任的来源或互联网加载模块、插件、代码或库。 | ✓ | ✓ | ✓ | 353 | 49 | | **10.3.3** | 如果应用程序依赖 DNS 条目或 DNS 
子域,例如过期的域名、过时的 DNS 指针或 CNAME、公共源代码库中过期的项目或临时的云API接口、serverless功能或存储桶(*autogen-bucket-id*.cloud.example.com)或类似情况,则验证该应用程序是否具有防止子域接管的措施。保护措施可以包括确保定期检查应用程序使用的DNS名称是否过期或改变。 | ✓ | ✓ | ✓ | 350 | 50 | 51 | ## 参考文献 52 | 53 | 有关更多信息,请参阅: 54 | 55 | * [Hostile Subdomain Takeover, Detectify Labs](https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/) 56 | * [Hijacking of abandoned subdomains part 2, Detectify Labs](https://labs.detectify.com/2014/12/08/hijacking-of-abandoned-subdomains-part-2/) 57 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x19-V11-BusLogic.md: -------------------------------------------------------------------------------- 1 | # V11 业务逻辑 2 | 3 | ## 控制目标 4 | 5 | 确保经过验证的应用程序满足以下高级要求: 6 | 7 | * 业务逻辑流程是串行的,按顺序处理的,并且不能被绕过。 8 | * 业务逻辑包括检测和防止自动化攻击,如连续的小额资金转移,或一次添加上百万个好友等。 9 | * 高价值的业务逻辑流已经考虑了滥用情况和恶意行为者,并有防止欺骗、篡改、信息披露和特权提升攻击的保护措施。 10 | 11 | ## V11.1 业务逻辑安全 12 | 13 | 业务逻辑安全对每个应用程序来说都是非常独特的,因此没有通用的检查表。业务逻辑安全必须设计成能够抵御可能的外部威胁——它不能使用 Web 应用防火墙或安全通信来添加。我们建议在设计冲刺(Design Sprint)期间使用威胁建模,例如使用 OWASP Cornucopia 或类似工具。 14 | 15 | | # | 描述 | L1 | L2 | L3 | CWE | 16 | | :---: | :--- | :---: | :---: | :---: | :---: | 17 | | **11.1.1** | 验证应用程序仅按串行顺序处理同一用户的业务逻辑流,不会跳过步骤。 | ✓ | ✓ | ✓ | 841 | 18 | | **11.1.2** | 验证应用程序将只处理业务逻辑流,所有步骤都在现实的人工时间内处理,即事务不会提交得太快。 | ✓ | ✓ | ✓ | 799 | 19 | | **11.1.3** | 验证应用程序是否对特定的业务操作或交易有适当的限制,并在每个用户的基础上正确执行。 | ✓ | ✓ | ✓ | 770 | 20 | | **11.1.4** | 验证应用程序具有反自动化的控制手段,以防止过度调用,如大量数据泄露、业务逻辑请求、文件上传或拒绝服务攻击。 | ✓ | ✓ | ✓ | 770 | 21 | | **11.1.5** | 验证应用程序是否具有业务逻辑限制或验证,以防止可能的业务风险或威胁(使用威胁建模或类似方法识别)。 | ✓ | ✓ | ✓ | 841 | 22 | | **11.1.6** | 验证应用程序不存在TOCTOU(Time Of Check to Time Of Use)问题,或敏感操作的其他条件竞争问题。 | | ✓ | ✓ | 367 | 23 | | **11.1.7** | 验证应用程序是否从业务逻辑角度监控异常事件或活动。例如,尝试执行无序的操作或普通用户永远不会尝试的操作。 ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | ✓ | ✓ | 754 | 24 | | **11.1.8** | 验证应用程序在检测到自动化攻击或异常活动时,具有可配置的警报。 | | ✓ | ✓ | 390 | 25 | 26 | ## 参考文献 27 | 28 | 
有关更多信息,请参阅: 29 | 30 | * [OWASP Web Security Testing Guide 4.1: Business Logic Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html) 31 | * 反自动化可以通过多种方式实现,包括使用 [OWASP AppSensor](https://github.com/jtmelton/appsensor) 和 [OWASP Automated Threats to Web Applications](https://owasp.org/www-project-automated-threats-to-web-applications/) 32 | * [OWASP AppSensor](https://github.com/jtmelton/appsensor) 也可以帮助进行攻击检测和响应。 33 | * [OWASP Cornucopia](https://owasp.org/www-project-cornucopia/) 34 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x20-V12-Files-Resources.md: -------------------------------------------------------------------------------- 1 | # V12 文件和资源 2 | 3 | ## 控制目标 4 | 5 | 确保经过验证的应用程序满足以下高级要求: 6 | 7 | * 不受信任的文件数据应以安全的方式进行相应处理。 8 | * 从不可信任的来源获得的不可信任的文件数据被存储在Web目录之外,并具有有限的权限。 9 | 10 | ## V12.1 文件上传 11 | 12 | 尽管zip炸弹很容易使用渗透测试技术进行测试,但它们被认为是L2及以上级别,以鼓励设计和开发时考虑仔细的人工测试,并避免对拒绝服务场景进行自动化或不熟练的手动渗透测试。 13 | 14 | | # | 描述 | L1 | L2 | L3 | CWE | 15 | | :---: | :--- | :---: | :---: | :---: | :---: | 16 | | **12.1.1** | 确认应用程序不会接受可能会填满存储空间或导致拒绝服务的大文件。 | ✓ | ✓ | ✓ | 400 | 17 | | **12.1.2** | 验证应用程序在解压缩文件前,根据允许的最大解压缩尺寸和最大文件数检查压缩文件(如zip,gz,docx,odt)。 | | ✓ | ✓ | 409 | 18 | | **12.1.3** | 验证文件大小配额和每个用户的最大文件数是否被强制执行,以确保单个用户不能用过多的文件或过大的文件填满存储。 | | ✓ | ✓ | 770 | 19 | 20 | ## V12.2 文件完整性 21 | 22 | | # | 描述 | L1 | L2 | L3 | CWE | 23 | | :---: | :--- | :---: | :---: | :---: | :---: | 24 | | **12.2.1** | 验证从不可信任的来源获得的文件,根据文件的内容,验证其是否为预期类型。 | | ✓ | ✓ | 434 | 25 | 26 | ## V12.3 文件执行 27 | 28 | | # | 描述 | L1 | L2 | L3 | CWE | 29 | | :---: | :--- | :---: | :---: | :---: | :---: | 30 | | **12.3.1** | 验证系统或框架文件系统不直接使用用户提交的文件名元数据,并且使用 URL API 来防止路径遍历。 | ✓ | ✓ | ✓ | 22 | 31 | | **12.3.2** | 验证用户提交的文件名元数据是否经过验证或忽略,以防止通过本地文件包含(LFI) 泄露、创建、更新或删除本地文件。 | ✓ | ✓ | ✓ | 73 | 32 | | **12.3.3** | 验证用户提交的文件名元数据是否经过验证或忽略,以防止通过远程文件包含(Remote File Inclusion,RFI)或服务器端请求伪造攻击(server - 
Server Side Request Forgery,SSRF)泄露或执行远程文件。 | ✓ | ✓ | ✓ | 98 | 33 | | **12.3.4** | 验证应用程序通过验证或忽略用户提交的JSON、JSONP或URL参数中的文件名来防止反射文件下载(RFD),响应的Content-Type头应该设置为 text/plain,而Content-Disposition头应该有一个固定的文件名。 | ✓ | ✓ | ✓ | 641 | 34 | | **12.3.5** | 验证未受信任的文件元数据不直接用于系统API或库,以防止操作系统命令注入。 | ✓ | ✓ | ✓ | 78 | 35 | | **12.3.6** | 验证应用程序不包含或执行不可信任来源的功能,如未经验证的内容分发网络、JavaScript 库、node npm 库或服务器端 DLL。 | | ✓ | ✓ | 829 | 36 | 37 | ## V12.4 文件存储 38 | 39 | | # | 描述 | L1 | L2 | L3 | CWE | 40 | | :---: | :--- | :---: | :---: | :---: | :---: | 41 | | **12.4.1** | 验证从不受信任的来源获得的文件是否存储在 Web 根目录之外,并具有有限的权限。 | ✓ | ✓ | ✓ | 552 | 42 | | **12.4.2** | 验证从不受信任的来源获得的文件是否已被防病毒扫描程序扫描,以防止上传和提供已知的恶意内容。 | ✓ | ✓ | ✓ | 509 | 43 | 44 | ## V12.5 文件下载 45 | 46 | | # | 描述 | L1 | L2 | L3 | CWE | 47 | | :---: | :--- | :---: | :---: | :---: | :---: | 48 | | **12.5.1** | 验证网络层是否被配置为只提供具有特定文件扩展名的文件,以防止意外信息和源代码泄漏。例如,除非有需要,应阻止提供备份文件(如.bak)、临时工作文件(如.swp)、压缩文件(.zip、.tar.gz等)以及其他编辑人员常用的扩展名。 | ✓ | ✓ | ✓ | 552 | 49 | | **12.5.2** | 验证对上传文件的直接请求永远不会作为 HTML/JavaScript 内容执行。 | ✓ | ✓ | ✓ | 434 | 50 | 51 | ## V12.6 SSRF保护 52 | 53 | | # | 说明 | L1 | L2 | L3 | CWE | 54 | | :---: | :--- | :---: | :---: | :---: | :---: | 55 | | **12.6.1** | 验证 Web 或应用程序服务器是否配置了资源或系统的白名单列表,服务器可以向其发送请求或加载数据/文件。 | ✓ | ✓ | ✓ | 918 | 56 | 57 | ## 参考文献 58 | 59 | 有关更多信息,请参阅: 60 | 61 | * [File Extension Handling for Sensitive Information](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload) 62 | * [Reflective file download by Oren Hafif](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/) 63 | * [OWASP Third Party JavaScript Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html) 64 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x90-Appendix-A_Glossary.md: -------------------------------------------------------------------------------- 1 | # 附录A:词汇表 2 | 3 | - 
**地址空间布局随机化**(ASLR, Address Space Layout Randomization)- 一种技术,使内存损坏的漏洞利用更加困难。 4 | - **允许列表** - 允许的数据或操作的列表,例如输入验证时允许执行的字符列表。 5 | - **应用程序安全** - 应用程序级安全性侧重于分析构成开放系统互连参考模型(OSI 模型)应用层的组件,而不是侧重于例如底层操作系统或连接网络。 6 | - **应用安全验证** – 根据OWASP ASVS对一个应用进行技术评估。 7 | - **应用安全验证报告** - 记录验证者对某一特定应用的总体结果和支持性分析的报告。 8 | - **认证** - 对应用用户所声称身份的验证。 9 | - **自动化验证** – 使用漏洞签名来发现问题的自动化工具(动态分析工具、静态分析工具或两者兼有)。 10 | - **黑盒测试** - 它是一种软件测试方法,在不窥视其内部结构或工作原理的情况下检查应用程序的功能。 11 | - **组件** - 一个独立的代码单元,有相关的磁盘和网络接口,与其他组件进行通信。 12 | - **跨站脚本**(XSS, Cross-Site Scripting)- 通常在网络应用中发现的一种安全漏洞,允许在内容中注入客户端脚本。 13 | - **加密模块** - 实现加密算法或生成加密密钥的硬件、软件或固件。 14 | - **常见弱点列举**(CWE, Common Weakness Enumeration)- 一个社区开发的常见软件安全弱点列表。它是一种通用语言,是软件安全工具的衡量标准,也是弱点识别、缓解和预防工作的基准。 15 | - **设计验证** - 对应用程序的安全架构进行技术评估。 16 | - **动态应用安全测试**(DAST, Dynamic Application Security Testing)- 技术旨在检测应用程序在运行状态下的安全漏洞。 17 | - **动态验证** - 使用自动化工具,使用漏洞签名,在应用程序的执行过程中发现问题。 18 | - **快速在线身份认证**(FIDO, Fast IDentity Online)- 一组认证标准,允许使用各种不同的身份验证方法,包括生物识别、可信平台模块(TPM)、USB 安全令牌等。 19 | - **全球唯一标识符**(GUID, Globally Unique Identifier)– 在软件中作为标识符使用的唯一参考号。 20 | - **超文本传输协议**(HTTPS)– 分布式、协作式、超媒体信息系统的应用协议。它是万维网数据通信的基础。 21 | - **硬编码密钥** – 存储在文件系统中的加密钥匙,无论是代码、注释还是文件。 22 | - **硬件安全模块**(HSM, Hardware Security Module)- 硬件组件,能够以受保护的方式存储加密密钥和其他密码。 23 | - **Hibernate查询语言**(HQL)- 一种查询语言,在外观上类似于Hibernate ORM库使用的SQL。 24 | - **输入验证** - 对未受信任的用户输入的规范化和验证。 25 | - **恶意代码** - 在应用程序所有者不知情的情况下,在开发过程中将代码引入到应用程序中,从而规避了应用程序的预期安全策略。这与病毒或蠕虫等恶意软件不同! 
26 | - **恶意软件** - 在应用程序用户或管理员不知情的情况下,在运行期间被引入到应用程序的可执行代码。 27 | - **OWASP**(OWASP,Open Web Application Security Project)– 开放网络应用安全项目(OWASP)是一个全球自由开放的社区,致力于提高应用软件的安全性。我们的使命是使应用安全“可见”,以便人们和组织能够对应用安全风险做出明智的决定。见: See: https://www.owasp.org/ 28 | - **一次性密码**(OTP)- 唯一生成的密码,可在单一场合中使用。 29 | - **对象关系映射**(ORM)- 一种系统,用于允许使用应用兼容的对象模型,在应用中引用和查询基于关系/表的数据库。 30 | - **PBKDF2**(PBKDF2,Password-Based Key Derivation Function 2)- 一种特殊的单向算法,用于从输入文本(如密码)和额外的随机盐值中创建一个强大的加密密钥,因此,如果产生的值被存储(而不是原始密码),则可用于使密码更难被离线破解。 31 | - **个人可识别信息**(PII)- 是指可单独使用或与其他信息一起使用的信息,可用于识别、联系或定位一个人,或用于识别一个人的背景。 32 | - **与位置无关的可执行文件**(PIE)- 放置在主存储器某处的机器代码体,无论其绝对地址如何,都能正确执行。 33 | - **公钥基础设施**(PKI)- 将公钥与实体的各自身份结合起来的一种安排。绑定是通过在证书机构(CA)注册和颁发证书的过程建立的。 34 | - **公共交换电话网**(PSTN)- 传统的电话网络,包括固定电话和移动电话。 35 | - **依赖方**(RP,Relying Party)- 指依赖用户对单独的认证提供者进行认证的应用程序。该应用程序依赖于该身份验证提供者提供的某种令牌或一组签名断言,来相信用户就是他们所说的那个人。 36 | - **静态应用安全测试**(SAST)- 一套分析应用源代码、字节码和二进制文件的技术,用于了解表明存在安全漏洞的编码和设计场景。SAST解决方案在非运行状态下从“内部”分析一个应用程序。 37 | - **软件开发生命周期**(SDLC)- 软件从最初的需求到部署和维护的一步步发展过程。 38 | - **安全架构** - 应用程序设计的抽象,确定和描述安全控制的位置和方式,同时也确定和描述用户和应用程序数据的位置和敏感性。 39 | - **安全配置** - 应用程序的运行时配置,影响安全控制的使用方式。 40 | - **安全控制** - 执行安全检查(如访问控制检查)或在调用时产生安全效果(如生成审计记录)的功能或组件。 41 | - **服务器端请求伪造**(SSRF)- 滥用服务器上的功能,通过更改在服务器上运行的代码会读取或提交数据的URL,来读取或更新内部资源的攻击。 42 | - **单点登录验证**(SSO)- 这发生在用户登录到一个应用程序,然后就自动登录到其他应用程序,而无需重新认证。例如,当你已登录到Google时,在访问其他谷歌服务,如YouTube、谷歌文档和Gmail时,你将自动登录。 43 | - **SQL注入**(SQLi)- 一种代码注入技术,用于攻击数据驱动的应用程序,其中恶意的SQL语句被插入到一个入口点。 44 | - **SVG** - 可扩展矢量图形 45 | - **基于时间的OTP** - 一种生成OTP的方法,将当前的时间作为生成密码的算法的一部分。 46 | - **威胁建模** - 一种技术,包括开发越来越精细的安全架构,以确定威胁代理、安全域、安全控制以及重要的技术和商业资产。 47 | - **传输层安全**(TLS)- 通过网络连接提供通信安全的加密协议。 48 | - **信任平台模块**(TPM,Trusted Platform Module)- 一种HSM,通常连接到较大的硬件组件,如主板,并作为该系统的“信任根”。 49 | - **双因素认证**(2FA)- 这为账户登录增加了第二层认证。 50 | - **通用第二因素**(U2F)- 由FIDO创建的标准之一,专门用于允许USB或NFC安全密钥作为第二认证因素使用。 51 | - **URI/URL/URL分片** – 统一资源标识符是用于标识web资源名称或web资源的字符串。统一资源定位符通常用作对资源的引用。 52 | - **验证者** – 根据OWASP ASVS要求审核应用程序的人员或团队。 53 | - **所见即所得**(WYSIWYG,What You See Is What You 
Get)- 一种富文本的内容编辑器,显示内容在渲染时的实际效果,而不是显示用于管理渲染的编码。 54 | - **X.509证书** - X.509证书是一种数字证书,它使用广泛接受的国际X.509公钥基础设施(PKI)标准,来验证公钥是否属于证书中包含的用户、计算机或服务身份。 55 | - **XML外部实体**(XXE,XML eXternal Entity)- 一种XML实体,可以通过声明的系统标识访问本地或远程内容。这可能会导致各种注入攻击。 56 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # 附录B:参考文献 2 | 3 | 以下OWASP项目最可能对本标准的用户/采用者有用: 4 | 5 | ## OWASP核心项目 6 | 7 | 1. OWASP Top 10项目:[https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP网络安全测试指南:[https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP 主动控制:[https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. OWASP安全知识框架:[https://owasp.org/www-project-security-knowledge-framework/](https://owasp.org/www-project-security-knowledge-framework/) 11 | 5. OWASP软件保障成熟度模型(SAMM):[https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 12 | 13 | ## OWASP Cheat Sheet系列项目 14 | 15 | [该项目](https://owasp.org/www-project-cheat-sheets/) 有许多与 ASVS 中的不同主题相关的备忘单。 16 | 17 | 可以在此处找到到 ASVS 的映射: [https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html](https://cheatsheetseries.owasp.org/cheatsheets/IndexASVS.html) 18 | 19 | ## 移动安全相关项目 20 | 21 | 1. OWASP 移动安全项目:[https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 风险:[https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP移动安全测试指南和移动应用安全验证标准:[https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## OWASP物联网相关项目 26 | 27 | 1. 
OWASP物联网项目:[https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## OWASP Serverless项目 30 | 31 | 1. OWASP Serverless项目:[https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## 其他 34 | 35 | 同样,以下网站最有可能对本标准的用户/采用者有用 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE 常见弱点列举: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. PCI 安全标准委员会: [https://www.pcisecuritystandards.org](https://www.pcisecuritystandards.org) 40 | 4. PCI 数据安全标准(DSS)v3.2.1 要求和安全评估程序:[https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. PCI 软件安全框架 - 安全软件要求和评估程序: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. 
PCI 安全软件生命周期(Secure SLC)要求和评估程序: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | -------------------------------------------------------------------------------- /4.0/zh-cn/0x93-Appendix-C_IoT.md: -------------------------------------------------------------------------------- 1 | # 附录C: 物联网验证要求 2 | 3 | 本章原本是在main分支中,但考虑到OWASP IoT团队已完成的工作,所以在该主题上维护两个不同的线程没有意义。对于 4.0 版本,我们将其移到附录中,并敦促所有需要此功能的人使用主要的 [OWASP IoT 项目](https://owasp.org/www-project-internet-of-things/) 4 | 5 | ## 控制目标 6 | 7 | 嵌入式/IoT设备应该满足: 8 | 9 | * 通过在受信任的环境中实施安全控制,在设备内拥有与服务器中相同级别的安全控制。 10 | * 存储在设备上的敏感数据,应使用硬件支持的存储(如安全元件)以安全的方式完成。 11 | * 从设备传输的所有敏感数据,都应利用传输层安全。 12 | 13 | ## 安全验证要求 14 | 15 | | # | 说明 | L1 | L2 | L3 | 起始时间 | 16 | | --- | --- | --- | --- | -- | -- | 17 | | **C.1** | 验证应用层调试接口,如USB、UART和其他串行变体,是否被禁用或受到复杂密码的保护。 | ✓ | ✓ | ✓ | 4.0 | 18 | | **C.2** | 验证加密密钥和证书对于每个单独的设备都是唯一的。 | ✓ | ✓ | ✓ | 4.0 | 19 | | **C.3** | 验证嵌入式/IoT 操作系统(如果适用)是否启用了内存保护控制(如 ASLR 和 DEP)。 | ✓ | ✓ | ✓ | 4.0 | 20 | | **C.4** | 验证是否禁用了 JTAG 或 SWD 等片上调试接口,或者是否启用并正确配置了可用的保护机制。 | ✓ | ✓ | ✓ | 4.0 | 21 | | **C.5** | 验证是否已实施并启用受信任的执行(如果在设备 SoC 或 CPU 上可用)。 | ✓ | ✓ | ✓ | 4.0 | 22 | | **C.6** | 验证敏感数据、私钥和证书是否安全存储在Secure Element、TPM、TEE (Trusted Execution Environment)中,或使用强加密保护。 | ✓ | ✓ | ✓ | 4.0 | 23 | | **C.7** | 验证固件应用程序使用传输层安全,保护传输中的数据。 | ✓ | ✓ | ✓ | 4.0 | 24 | | **C.8** | 验证固件应用程序验证与服务器连接的数字签名。 | ✓ | ✓ | ✓ | 4.0 | 25 | | **C.9** | 验证无线通信鉴权。 | ✓ | ✓ | ✓ | 4.0 | 26 | | **C.10** | 验证无线通信是否通过加密通道发送。 | ✓ | ✓ | ✓ | 4.0 | 27 | | **C.11** | 验证任何被禁止的C函数,都被替换成适当的安全函数。 | ✓ | ✓ | ✓ | 4.0 | 28 | | **C.12** | 验证每个固件都有一个软件材料清单,其中包括第三方组件、版本和已公布的漏洞。 | ✓ | ✓ | ✓ | 4.0 | 29 | | **C.13** | 验证所有代码,包括第三方二进制文件、库、框架都经过审查,以防止硬编码凭据(后门)。 | ✓ | ✓ | ✓ | 4.0 | 30 | | **C.14** | 通过调用shell命令封装器、脚本或安全控制,来防止操作系统命令注入,验证应用程序和固件组件不受操作系统命令注入的影响。 | ✓ | ✓ | ✓ | 4.0 | 31 | | **C.15** | 验证固件应用程序将数字签名固定到可信服务器。 | | ✓ | ✓ | 4.0 | 32 | | **C.16** | 
验证是否存在防篡改或篡改检测功能。 | | ✓ | ✓ | 4.0 | 33 | | **C.17** | 验证是否启用了芯片制造商提供的任何可用的知识产权保护技术。 | | ✓ | ✓ | 4.0 | 34 | | **C.18** | 验证安全控制是否到位,以阻止固件逆向工程(例如,删除冗长的调试符号)。 | | ✓ | ✓ | 4.0 | 35 | | **C.19** | 验证设备在加载前校验启动镜像的签名。 | | ✓ | ✓ | 4.0 | 36 | | **C.20** | 验证固件更新过程不会受到“检查时间与使用时间”攻击(译者注:time-of-check vs time-of-use attacks)。 | | ✓ | ✓ | 4.0 | 37 | | **C.21** | 验证设备在安装前使用代码签名并校验固件升级文件。 | | ✓ | ✓ | 4.0 | 38 | | **C.22** | 验证设备不能被降级到有效固件的旧版本(防回滚)。 | | ✓ | ✓ | 4.0 | 39 | | **C.23** | 验证嵌入式设备使用了密码学安全的伪随机数生成器(例如,使用芯片提供的随机数生成器)。 | | ✓ | ✓ | 4.0 | 40 | | **C.24** | 验证固件能够按照预定的时间表,执行自动固件更新。 | | ✓ | ✓ | 4.0 | 41 | | **C.25** | 验证设备在检测到篡改或收到无效信息时,能擦除固件和敏感数据。 | | | ✓ | 4.0 | 42 | | **C.26** | 验证只使用了支持禁用调试接口(如JTAG、SWD)的微控制器。 | | | ✓ | 4.0 | 43 | | **C.27** | 验证只使用了提供实质性保护的微控制器,以防止“去封装”(译者注:de-capping, decapsulation)和侧信道攻击。 | | | ✓ | 4.0 | 44 | | **C.28** | 验证敏感导线不暴露在印刷电路板的外层。 | | | ✓ | 4.0 | 45 | | **C.29** | 验证芯片间的通信是加密的(如主板到子板的通信)。 | | | ✓ | 4.0 | 46 | | **C.30** | 验证设备使用代码签名并在执行前验证代码。 | | | ✓ | 4.0 | 47 | | **C.31** | 验证保存在内存中的敏感信息一旦不再需要,就立即用零值覆盖。 | | | ✓ | 4.0 | 48 | | **C.32** | 验证固件应用程序利用内核容器在应用程序之间进行隔离。 | | | ✓ | 4.0 | 49 | | **C.33** | 验证安全编译器标志,例如 -fPIE, -fstack-protector-all, -Wl,-z,noexecstack, -Wl,-z,noexecheap 已配置到固件构建中。 | | | ✓ | 4.0 | 50 | | **C.34** | 验证微型控制器是否配置了代码保护(如果适用)。 | | | ✓ | 4.0 | 51 | 52 | ## 参考文献 53 | 54 | 有关更多信息,请参阅: 55 | 56 | * [OWASP Internet of Things Top 10](https://owasp.org/www-pdf-archive/OWASP-IoT-Top-10-2018-final.pdf) 57 | * [OWASP Embedded Application Security Project](https://owasp.org/www-project-embedded-application-security/) 58 | * [OWASP Internet of Things Project](https://owasp.org/www-project-internet-of-things/) 59 | * [Trudy TCP Proxy Tool](https://github.com/praetorian-inc/trudy) 60 | -------------------------------------------------------------------------------- /5.0/.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | *.pyc 3 | build/* 4 | docker/tests/ 5 | .ipynb_checkpoints/ 6 
| .bash_history 7 | -------------------------------------------------------------------------------- /5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf -------------------------------------------------------------------------------- /5.0/docs_en/OWASP_Application_Security_Verification_Standard_5.0.0_en.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/docs_en/OWASP_Application_Security_Verification_Standard_5.0.0_en.docx -------------------------------------------------------------------------------- /5.0/docs_en/en: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/docs_en/en -------------------------------------------------------------------------------- /5.0/en/0x00-Header.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | title: "Application Security Verification Standard" 3 | subtitle: "Version 5.0.0" 4 | date: May 2025 5 | titlepage: true 6 | titlepage-rule-height: 0 7 | titlepage-logo: "images/owasp_logo_1c_notext.png" 8 | table-use-row-colors: true 9 | toc: true 10 | toc-own-page: true 11 | geometry: "left=2cm,right=2cm,top=3cm,bottom=3cm" 12 | CJKmainfont: "Noto Sans CJK JP" 13 | mainfont: "Source Serif 4" 14 | sansfont: "Source Sans 3" 15 | --- 16 | 17 | -------------------------------------------------------------------------------- /5.0/en/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontispiece 2 | 3 | ## About the Standard 4 | 5 | The Application 
Security Verification Standard is a list of application security requirements that architects, developers, testers, security professionals, tool vendors, and consumers can use to define, build, test, and verify secure applications. 6 | 7 | ## Copyright and License 8 | 9 | Version 5.0.0, May 2025 10 | 11 |  12 | 13 | Copyright © 2008-2025 The OWASP Foundation. 14 | 15 | This document is released under the [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/). 16 | 17 | For any reuse or distribution, you must clearly communicate the license terms of this work to others. 18 | 19 | ## Project Leads 20 | 21 | | | | 22 | |---------------------- |----------------- | 23 | | Elar Lang | Josh C Grossman | 24 | | Jim Manico | Daniel Cuthbert | 25 | 26 | ## Working Group 27 | 28 | | | | | | 29 | |---------------- |------------------ |------------------- |----------------- | 30 | | Tobias Ahnoff | Ralph Andalis | Ryan Armstrong | Gabriel Corona | 31 | | Meghan Jacquot | Shanni Prutchi | Iman Sharafaldin | Eden Yardeni | 32 | 33 | ## Other Major Contributors 34 | 35 | | | | 36 | |-------------------|-------------------| 37 | | Sjoerd Langkemper | Isaac Lewis | 38 | | Mark Carney | Sandro Gauci | 39 | 40 | ## Other Contributors and Reviewers 41 | 42 | We have included a list of the other contributors in Appendix E. 43 | 44 | If a credit is missing from the 5.x credit list, please log a ticket at GitHub to be recognized in future 5.x updates. 45 | 46 | The Application Security Verification Standard builds on the work of those involved in ASVS 1.0 (2008) through 4.0 (2019). Much of the structure and many of the verification items that remain in ASVS today were originally written by Andrew van der Stock, Mike Boberski, Jeff Williams, and Dave Wichers, among numerous other contributors. Thank you to everyone who has contributed in the past. 
For a comprehensive list of earlier contributors, please consult each prior version. 47 | -------------------------------------------------------------------------------- /5.0/en/0x02-Preface.md: -------------------------------------------------------------------------------- 1 | # Preface 2 | 3 | Welcome to the Application Security Verification Standard (ASVS) Version 5.0. 4 | 5 | ## Introduction 6 | 7 | Originally launched in 2008 through a global community collaboration, the ASVS defines a comprehensive set of security requirements for designing, developing, and testing modern web applications and services. 8 | 9 | Following the release of ASVS 4.0 in 2019 and its minor update (v4.0.3) in 2021, Version 5.0 represents a significant milestone—modernized to reflect the latest advances in software security. 10 | 11 | ASVS 5.0 is the result of extensive contributions from project leaders, working group members, and the wider OWASP community to update and improve this important standard. 12 | 13 | ## Principles behind version 5.0 14 | 15 | This major revision has been developed with several key principles in mind: 16 | 17 | * Refined Scope and Focus: This version of the standard has been designed to align more directly with the foundational pillars in its name: Application, Security, Verification, and Standard. Requirements have been rewritten to emphasize the prevention of security flaws rather than mandating specific technical implementations. Requirement texts are intended to be self-explanatory, explaining why they exist. 18 | 19 | * Support for Documented Security Decisions: ASVS 5.0 introduces requirements for documenting key security decisions. This enhances traceability and supports context-sensitive implementations, allowing organizations to tailor their security posture to their specific needs and risks. 20 | 21 | * Updated Levels: While ASVS retains its three-tier model, the level definitions have evolved to make the ASVS easier to adopt. 
Level 1 is designed as the initial step to adopting the ASVS, providing the first layer of defense. Level 2 represents a comprehensive view of standard security practices, and Level 3 addresses advanced, high-assurance requirements. 22 | 23 | * Restructured and Expanded Content: ASVS 5.0 includes approximately 350 requirements across 17 chapters. Chapters have been reorganized for clarity and usability. A two-way mapping between v4.0 and v5.0 is provided to facilitate migration. 24 | 25 | ## Looking ahead 26 | 27 | Just as securing an application is never truly finished, neither is the ASVS. Although Version 5.0 is a major release, development continues. This release allows the wider community to benefit from the improvements and additions which have been accumulated but also lays the groundwork for future enhancements. This could include community-driven efforts to create implementation and verification guidance built on top of the core requirement set. 28 | 29 | ASVS 5.0 is designed to serve as a reliable foundation for secure software development. The community is invited to adopt, contribute, and build upon this standard to collectively advance the state of application security. 30 | -------------------------------------------------------------------------------- /5.0/en/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Appendix B: References 2 | 3 | The following OWASP projects are most likely to be useful to users/adopters of this standard: 4 | 5 | ## OWASP Core Projects 6 | 7 | 1. OWASP Top 10 Project: [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/) 8 | 2. OWASP Web Security Testing Guide: [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) 9 | 3. OWASP Proactive Controls: [https://owasp.org/www-project-proactive-controls/](https://owasp.org/www-project-proactive-controls/) 10 | 4. 
OWASP Software Assurance Maturity Model (SAMM): [https://owasp.org/www-project-samm/](https://owasp.org/www-project-samm/) 11 | 5. OWASP Secure Headers Project: [https://owasp.org/www-project-secure-headers/](https://owasp.org/www-project-secure-headers/) 12 | 13 | ## OWASP Cheat Sheet Series project 14 | 15 | [This project](https://owasp.org/www-project-cheat-sheets/) has several cheat sheets that will be relevant to different topics in the ASVS. 16 | 17 | There is a mapping to the ASVS which can be found here: [https://cheatsheetseries.owasp.org/IndexASVS.html](https://cheatsheetseries.owasp.org/IndexASVS.html) 18 | 19 | ## Mobile Security Related Projects 20 | 21 | 1. OWASP Mobile Security Project: [https://owasp.org/www-project-mobile-security/](https://owasp.org/www-project-mobile-security/) 22 | 2. OWASP Mobile Top 10 Risks: [https://owasp.org/www-project-mobile-top-10/](https://owasp.org/www-project-mobile-top-10/) 23 | 3. OWASP Mobile Security Testing Guide and Mobile Application Security Verification Standard: [https://owasp.org/www-project-mobile-security-testing-guide/](https://owasp.org/www-project-mobile-security-testing-guide/) 24 | 25 | ## OWASP Internet of Things related projects 26 | 27 | 1. OWASP Internet of Things Project: [https://owasp.org/www-project-internet-of-things/](https://owasp.org/www-project-internet-of-things/) 28 | 29 | ## OWASP Serverless projects 30 | 31 | 1. OWASP Serverless Project: [https://owasp.org/www-project-serverless-top-10/](https://owasp.org/www-project-serverless-top-10/) 32 | 33 | ## Others 34 | 35 | Similarly, the following websites are most likely to be useful to users/adopters of this standard 36 | 37 | 1. SecLists Github: [https://github.com/danielmiessler/SecLists](https://github.com/danielmiessler/SecLists) 38 | 2. MITRE Common Weakness Enumeration: [https://cwe.mitre.org/](https://cwe.mitre.org/) 39 | 3. 
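PCI Security Standards Council: [https://www.pcisecuritystandards.org/](https://www.pcisecuritystandards.org/) 40 | 4. PCI Data Security Standard (DSS) v3.2.1 Requirements and Security Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf](https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf) 41 | 5. PCI Software Security Framework - Secure Software Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-Software-Standard-v1_0.pdf) 42 | 6. PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures: [https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf](https://www.pcisecuritystandards.org/documents/PCI-Secure-SLC-Standard-v1_0.pdf) 43 | 7. OWASP ASVS 4.0 Testing Guide [https://github.com/BlazingWind/OWASP-ASVS-4.0-testing-guide](https://github.com/BlazingWind/OWASP-ASVS-4.0-testing-guide) 44 | -------------------------------------------------------------------------------- /5.0/generate-all.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Export the ASVS requirement set for each requested language into every
# machine-readable format, then build the document via tools/generate_document.sh.
#
# Usage: ./generate-all.sh [lang ...]
#   With no arguments every language in ALLOWED_LANGS is built. An argument that is
#   not listed in ALLOWED_LANGS is skipped without a message.
# Exit status: that of the last command run; individual export failures do not
#   abort the script.

ALLOWED_LANGS='en'

echo "$@"

if [[ -n "$*" ]]; then
    LANGS="$*"
else
    LANGS=${ALLOWED_LANGS}
fi

# Unquoted on purpose: LANGS is a space-separated list that must be word-split.
for lang in ${LANGS}; do
    # The right-hand side is quoted, so =~ is a literal (not regex) membership test.
    if [[ " $ALLOWED_LANGS " =~ " $lang " ]]; then

        vers="5.0.0"
        # ${vers} must be braced: "$vers_$lang" expands the (unset) variable 'vers_',
        # which silently drops the version from every output filename.
        verslong="./docs_$lang/OWASP_Application_Security_Verification_Standard_${vers}_$lang"

        python3 tools/export.py --format json --language "$lang" > "$verslong.json"
        python3 tools/export.py --format cdx_json --language "$lang" > "$verslong.cdx.json"
        python3 tools/export.py --format json_legacy --language "$lang" > "$verslong.legacy.json"
        python3 tools/export.py --format json --language "$lang" --verify-only

        python3 tools/export.py --format json_flat --language "$lang" > "$verslong.flat.json"
        python3 tools/export.py --format json_flat_legacy --language "$lang" > "$verslong.flat.legacy.json"
        python3 tools/export.py --format json_flat --language "$lang" --verify-only

        python3 tools/export.py --format xml --language "$lang" > "$verslong.xml"
        python3 tools/export.py --format xml_legacy --language "$lang" > "$verslong.legacy.xml"
        python3 tools/export.py --format xml --language "$lang" --verify-only

        python3 tools/export.py --format csv --language "$lang" > "$verslong.csv"
        python3 tools/export.py --format csv_legacy --language "$lang" > "$verslong.legacy.csv"
        python3 tools/export.py --format csv --language "$lang" --verify-only

        tools/generate_document.sh "$lang" "$vers"

    fi

done
-------------------------------------------------------------------------------- /5.0/images/asvs_40_levels.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/images/asvs_40_levels.png -------------------------------------------------------------------------------- /5.0/images/license.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/images/license.png -------------------------------------------------------------------------------- /5.0/images/owaspLogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/images/owaspLogo.png -------------------------------------------------------------------------------- /5.0/images/owasp_logo_1c_notext.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/images/owasp_logo_1c_notext.png 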
-------------------------------------------------------------------------------- /5.0/images/owasp_logo_header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/images/owasp_logo_header.png -------------------------------------------------------------------------------- /5.0/mappings/README.md: -------------------------------------------------------------------------------- 1 | # Mapping files 2 | 3 | Versions: 4 | 5 | * v4.0.3 - latest v4 release 6 | * v5.0.be - "bleeding edge" version for v5.0 development, where all v4.0 structure and numbers were kept directly or as placeholders 7 | * v5.0 - v5.0 after re-structuring and re-numbering everything 8 | 9 | Mapping files: 10 | 11 | * `mapping_v5.0.be_to_v5.0.0.yml` - from v5.0.be to v5.0.0 12 | * `mapping_v4.0.3_to_v5.0.0.yml` - from v4.0.3 to v5.0.0 13 | * `mapping_v5.0.0_to_v4.0.3.yml` - from v5.0.0 to v4.0.3 14 | 15 | Temporary mapping files before re-numbering everything: 16 | 17 | * `mapping_v4.0.3_to_v5.0.be.yml` - from v4.0.3 to v5.0.be 18 | * `mapping_v5.0.be_to_v4.0.3.yml` - from v5.0.be to v4.0.3 19 | 20 | Just-in-case exports before deleted from v5.0.be: 21 | 22 | * `nist.md` - v5.0.be requirement ids and mapping to NIST 800-63B identifiers before those were removed 23 | * `v5.0.be_cwe_mapping.json` - v5.0.be requirement ids and mapping to CWE identifiers before those were removed 24 | -------------------------------------------------------------------------------- /5.0/mappings/nist.md: -------------------------------------------------------------------------------- 1 | # Mapping requirements to NIST (07-Nov-2024) 2 | 3 | | # | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html) | 4 | | :---: | :---: | 5 | | **2.1.1** | 5.1.1.2 | 6 | | **2.1.2** | 5.1.1.2 | 7 | | **2.1.3** | 5.1.1.2 | 8 | | **2.1.4** | | 9 | | **2.1.5** | 5.1.1.2 | 10 | | **2.1.6** | 5.1.1.2 | 11 | | **2.1.7** 
| 5.1.1.2 | 12 | | **2.1.8** | | 13 | | **2.1.9** | 5.1.1.2 | 14 | | **2.1.10** | 5.1.1.2 | 15 | | **2.1.11** | 5.1.1.2 | 16 | | **2.1.12** | 5.1.1.2 | 17 | | **2.1.13** | 5.1.1.2 | 18 | | **2.1.14** | 5.1.1.2 | 19 | | **2.2.1** | 5.2.2 | 20 | | **2.2.2** | | 21 | | **2.2.3** | 6.1.2 | 22 | | **2.2.4** | 4.3.1 | 23 | | **2.2.5** | | 24 | | **2.2.6** | | 25 | | **2.2.7** | | 26 | | **2.2.8** | | 27 | | **2.2.9** | 4.2.1 | 28 | | **2.2.10** | | 29 | | **2.2.11** | | 30 | | **2.3.1** | 5.1.1.2 / A.3 | 31 | | **2.3.2** | | 32 | | **2.3.3** | 6.1.4 | 33 | | **2.3.4** | | 34 | | **2.4.1** | | 35 | | **2.4.2** | | 36 | | **2.4.3** | | 37 | | **2.4.4** | | 38 | | **2.4.5** | | 39 | | **2.4.6** | | 40 | | **2.5.1** | | 41 | | **2.5.2** | 5.1.1.2 | 42 | | **2.5.3** | | 43 | | **2.5.4** | | 44 | | **2.5.5** | | 45 | | **2.5.6** | 5.1.1.2 | 46 | | **2.5.7** | 6.1.2.3 | 47 | | **2.6.1** | 5.1.2.2 | 48 | | **2.6.2** | 5.1.2.2 | 49 | | **2.6.3** | 5.1.2.2 | 50 | | **2.6.4** | 5.1.2.1 | 51 | | **2.7.1** | 5.1.3.2, 5.1.3.3, 5.2.10 | 52 | | **2.7.2** | 5.1.3.2 | 53 | | **2.7.3** | 5.1.3.2 | 54 | | **2.7.4** | 5.1.3.2 | 55 | | **2.7.5** | | 56 | | **2.7.6** | 5.1.3.2 | 57 | | **2.7.7** | 5.1.3.2 | 58 | | **2.7.8** | | 59 | | **2.8.1** | 5.1.4.2 / 5.1.5.2 | 60 | | **2.8.2** | 5.1.4.2 / 5.1.5.2 | 61 | | **2.8.3** | 5.1.4.2 / 5.1.5.2 | 62 | | **2.8.4** | 5.1.4.2 / 5.1.5.2 | 63 | | **2.8.5** | | 64 | | **2.8.6** | 5.2.1 | 65 | | **2.8.7** | 5.2.3 | 66 | | **2.8.8** | 5.1.4.2 / 5.1.5.2 | 67 | | **2.9.1** | 5.1.7.2 | 68 | | **2.9.2** | 5.1.7.2 | 69 | | **2.9.3** | 5.1.7.2 | 70 | | **2.10.1** | | 71 | | **2.10.2** | | 72 | | **2.10.3** | | 73 | | **2.10.4** | | 74 | | **2.11.1** | | 75 | | **2.11.2** | | 76 | | **2.11.3** | | 77 | | **3.1.1** | | 78 | | **3.1.2** | | 79 | | **3.1.3** | 7.1 | 80 | | **3.1.4** | | 81 | | **3.2.1** | 7.1 | 82 | | **3.2.2** | | 83 | | **3.2.3** | | 84 | | **3.2.4** | | 85 | | **3.2.5** | | 86 | | **3.3.1** | | 87 | | **3.3.2** | | 88 | | **3.3.3** | | 89 | | 
**3.3.4** | | 90 | | **3.3.5** | 7.2 | 91 | | **3.4.1** | 7.1.1 | 92 | | **3.4.2** | 7.1.1 | 93 | | **3.4.3** | 7.1.1 | 94 | | **3.4.4** | 7.1.1 | 95 | | **3.4.5** | | 96 | | **3.5.1** | 7.1.2 | 97 | | **3.5.2** | | 98 | | **3.5.3** | | 99 | | **3.5.4** | | 100 | | **3.5.5** | | 101 | | **3.5.6** | | 102 | | **3.6.1** | 7.2.1 | 103 | | **3.6.2** | | 104 | | **3.7.1** | | 105 | | **3.7.2** | | 106 | | **3.8.1** | 7.1 | 107 | | **3.8.2** | | 108 | | **3.8.3** | | 109 | | **3.8.4** | | 110 | | **3.8.5** | 7.1 | 111 | -------------------------------------------------------------------------------- /5.0/presentations/OWASP-ASVS-v5.0.0-release-at-Global-AppSec-Barcelona-by-Elar-Lang.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/presentations/OWASP-ASVS-v5.0.0-release-at-Global-AppSec-Barcelona-by-Elar-Lang.pdf -------------------------------------------------------------------------------- /5.0/templates/header-eisvogel.tex: -------------------------------------------------------------------------------- 1 | 2 | \hypersetup{colorlinks=false, 3 | allbordercolors={0 0 0}, 4 | pdfborderstyle={/S/U/W 1}} 5 | 6 | \newcommand*{\escape}[1]{\texttt{\textbackslash#1}} 7 | -------------------------------------------------------------------------------- /5.0/templates/reference.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/5.0/templates/reference.docx -------------------------------------------------------------------------------- /5.0/tools/export.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | ''' Tool for converting the ASVS requirements to various formats. 4 | 5 | Usage: ./export.py [--format /dev/null 2>&1; 8 | } 9 | 10 | if ! 
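command_exists pandoc; then
    echo "Error: Please install pandoc. Cannot continue" >&2
    # Non-zero status so callers (generate-all.sh, CI) see the failure instead of a
    # silent success that produced no document; a bare 'exit' returned echo's 0.
    exit 1
fi

# generate_docx LANG VERS
#   Convert every *.md in the current directory into one .docx under ../docs_LANG,
#   then print the manual Word fix-up steps the pandoc output still needs.
generate_docx() {
    pandoc -s -f gfm --reference-doc=../templates/reference.docx --columns 10000 --toc -t docx -o "../docs_$1/OWASP Application Security Verification Standard $2-$1.docx" *.md
    echo " done."
    echo -e ""
    echo -e "Note: If you got an error 'Invalid UTF-8 stream', make sure you are on the newest version of pandoc from the project website (not just the OS package repo)"
    echo -e ""
    echo -e "DOCX GENERATION MANUAL STEPS"
    echo -e "----------------------------"
    echo -e "After the docx file has been generated, do the following:"
    echo -e " - Select 'No' in the first prompt that appears"
    echo -e " - Move the 'Table of Contents' section to be just before the 'Frontispiece' section."
    echo -e " - Select the document heading (one of the first lines in the documrnt) which should say: 'OWASP Application"
    echo -e " Security Verification Standard $2', go to 'Paragraph' > 'Line and Page Breaks' and"
    echo -e " deselect 'Page break before'"
    echo -e " - Go to 'File' > 'Info' and set the 'Title' field to be 'OWASP Application Security Verification Standard $2'"
    echo -e " - Run the following VBA macro to fix Table settings:"
    echo -e " "
    echo -e " Dim tbl As Table"
    echo -e " For Each tbl In ActiveDocument.Tables"
    echo -e " tbl.Rows(1).HeadingFormat = True"
    echo -e " tbl.Rows.AllowBreakAcrossPages = False"
    echo -e " Next tbl"
    echo -e " "
    echo -e " - Manually review the document and move any orphaned table headings or section headings to the"
    echo -e " following page"
    echo -e " - Run 'Update table...' on the Table of Contents"
    echo -e " - Remove the lines above 'Frontispiece' from the Table of Contents"
}

# generate_html() {
# pandoc -s -f markdown_github -t html5 -o "../OWASP Application Security Verification Standard 4.0-$1.html" *.md
# }

# $1 = language directory (default "en"), $2 = version string (default "4.0").
lang="${1:-en}"
vers="${2:-4.0}"

echo -n "Generating OWASP ASVS $vers ($lang)..."
if [ -d "$lang" ]
then
    # Stop rather than run pandoc in the wrong directory if the cd fails.
    cd "$lang" || exit 1
    generate_docx "$lang" "$vers"
    # generate_html "$lang"
    cd ..

else
    # NOTE: this branch still exits 0 and prints the "Generated" line below.
    echo " No OWASP ASVS found in directory $lang"
fi


echo
echo "Generated OWASP Application Security Verification Standard $vers"
-------------------------------------------------------------------------------- /5.0/tools/install_deps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo apt install pandoc -y 3 | sudo apt install python3 -y 4 | sudo apt install python3-pip -y 5 | pip install dicttoxml 6 | pip install dicttoxml2 -------------------------------------------------------------------------------- /COMPILING.md: -------------------------------------------------------------------------------- 1 | # Document Builder 2 | 3 | 4 | 5 | ## Github Actions 6 | 7 | This is the recommended mechanism. The Github Actions in this repository will automatically rebuild the output formats every time on merge requests and on commits to main. It is likely to be easier to use this then to try and build locally. 8 | 9 | The Actions will detect whether the v4.x content or the v5.x content has changed and rebuild the documents accordingly. 10 | 11 | Whilst the output scripts can also be run locally, this may not be currently stable. 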
12 | 13 | ## Local Generation 14 | 15 | **Note:** This method is still in testing and may or may not function depending on your environment and underlying Operating System. 16 | 17 | Stabilizing this is on our todo list but not a top priority. 18 | 19 | ### Document Compilation Instructions 20 | 1. Install Docker on your computer (see instructions for different architectures [in the Docker docs](https://docs.docker.com/engine/install/)) 21 | 2. If running WSL or WSL2, make sure that you can talk to the Docker daemon from the console 22 | 3. Build the docker image: `docker build ./docker --tag ghcr.io/owasp/asvs/documentbuilder:latest` 23 | 4. Run `make` in this directory. It will compile the latest bleeding edge to the `dist` directory of the latest release. You can specify a 24 | particular target version, e.g. `make 4.0`, or you can run `make all` to compile all versions. 25 | 26 | ### Running Manually 27 | To build the docker image manually, use this command: 28 | 29 | ``` 30 | docker build ./docker --tag ghcr.io/owasp/asvs/documentbuilder:latest 31 | ``` 32 | 33 | To run the document builder manually, use the following. The volume you are mounting (`-v <host-path>:/data`) needs to be shared in the Docker settings console for this to work: 34 | 35 | ``` 36 | docker run --rm -v "/Path/to/the/repo/4.0:/data" ghcr.io/owasp/asvs/documentbuilder 37 | ``` 38 | 39 | To download the docker image from the repository, first create a Personal Access Token with read access to packages (and keep it out of your shell history, e.g. by reading it from a file rather than typing it after `echo`). 40 | Then you can download the docker image from the asvs package repository: `https://github.com/OWASP/ASVS/pkgs/container/asvs%2Fdocumentbuilder` 41 | 42 | ``` 43 | $ echo <YOUR_PAT> | docker login ghcr.io -u <YOUR_GITHUB_USERNAME> --password-stdin 44 | $ docker pull ghcr.io/owasp/asvs/documentbuilder:latest 45 | ``` 46 | 47 | ### Background 48 | 49 | #### Future Changes 50 | * Hosted *public* image to pull, so users don't have to build the docker image themselves or log in to ghcr. 
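51 | * Watcher to build files when source files change 52 | * Ability to select only certain format compilers from main Makefile 53 | 54 | #### Philosophy behind this effort 55 | It should be easy and repeatable to create the documents. We need to provide the build environment in order to keep the effort low. This will allow for 56 | future interactions with a CI in GitLab. 57 | -------------------------------------------------------------------------------- /Makefile: --------------------------------------------------------------------------------
# Build the ASVS documents inside the documentbuilder container.
#   make                -> latest (5.0)
#   make all            -> 5.0 and 4.0
#   make 4.0            -> only the 4.0 languages with local changes (see 4.0-LANGS)
#   make FORMATS=...    -> passed into the container as the inner make's targets
latest: 5.0

all: 5.0 4.0

# Languages under 4.0/ that have uncommitted modifications, derived from `git status`.
4.0-LANGS := $(shell cd 4.0 && git status --porcelain | sed 's/[ A-Z?]\+ \"\?4.0\///g' | sed 's/\/.*//g' | sed -n '/^\(ar\|de\|en\|es\|fr\|pt\|ru\|zh-cn\)/p' | tr '\n' ' ')

# --user $$(id -u):$$(id -g): the '$$' is required so the *shell* expands id(1).
# With a single '$', make expands '$(id -u)' as an (undefined, empty) make variable,
# the container gets '--user :' and runs as the image's default user (presumably
# root), leaving root-owned files in the bind-mounted source tree.
5.0: docker
	docker run --rm --user $$(id -u):$$(id -g) -v "`pwd`/5.0:/data" -v "`pwd`/docker:/scripts" -e "TARGET=5.0" -e "FORMATS=$(FORMATS)" ghcr.io/owasp/asvs/documentbuilder:latest
5.0-clean: docker
	docker run --rm --user $$(id -u):$$(id -g) -v "`pwd`/5.0:/data" -v "`pwd`/docker:/scripts" -e "TARGET=clean" -e "FORMATS=$(FORMATS)" ghcr.io/owasp/asvs/documentbuilder:latest

4.0: docker
	docker run --rm --user $$(id -u):$$(id -g) -v "`pwd`/4.0:/data" -v "`pwd`/docker:/scripts" -e "TARGET=4.0" -e "FORMATS=$(FORMATS)" -e "LANGS=$(4.0-LANGS)" ghcr.io/owasp/asvs/documentbuilder:latest
4.0-clean: docker
	docker run --rm --user $$(id -u):$$(id -g) -v "`pwd`/4.0:/data" -v "`pwd`/docker:/scripts" -e "TARGET=clean" -e "FORMATS=$(FORMATS)" ghcr.io/owasp/asvs/documentbuilder:latest

.PHONY: latest all 5.0 5.0-clean 4.0 4.0-clean docker
# Prefer the published image; fall back to a local build of ./docker.
docker:
	docker pull ghcr.io/owasp/asvs/documentbuilder:latest || docker build --pull --tag ghcr.io/owasp/asvs/documentbuilder:latest --network host docker
-------------------------------------------------------------------------------- /Security.md: -------------------------------------------------------------------------------- 1 | # 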
OWASP Application Security Verification Standard (ASVS) Security Policy 2 | 3 | The ASVS leaders and community take all security bugs seriously. We appreciate your efforts to disclose the issue responsibly, and will make every effort to acknowledge your contributions. To help us with the vulnerability or vulnerabilities you have identified, please follow the reporting guidelines below to submit your finding. 4 | 5 | We aim to reply within **3** days of receiving your finding. If a finding is accepted, we aim to publish a patch within **6** days. If it is declined, we will reply to let you know. 6 | 7 | ## Reporting Guidelines 8 | 9 | Email jim@owasp.org with the following information: 10 | 11 | 1. Name / affiliation 12 | 2. Vulnerability description 13 | 3. Steps to reproduce the issue 14 | 4. Current public knowledge of this vulnerability (e.g. related CVE, security advisory, etc.) 15 | 16 | ## Supported Versions 17 | 18 | At this time, only the following versions of **ASVS** are supported: 19 | 20 | | Version | Supported | 21 | | ------- | ------------------ | 22 | | 5.0.x | :white_check_mark: | 23 | | 4.0.x | :white_check_mark: | 24 | 25 | ## Our security acknowledgments page 26 | Acknowledgments: https://github.com/OWASP/ASVS/blob/master/hall_of-fame.md 27 | -------------------------------------------------------------------------------- /docker/run.sh: -------------------------------------------------------------------------------- 1 | #! /bin/bash 2 | 3 | . 
~/.py-env/bin/activate 4 | 5 | case $TARGET in 6 | 4.0) 7 | ./generate-all.sh $LANGS 8 | ;; 9 | clean) 10 | make clean 11 | ;; 12 | *) 13 | make $FORMATS 14 | ;; 15 | esac 16 | -------------------------------------------------------------------------------- /hall_of-fame.md: -------------------------------------------------------------------------------- 1 | # OWASP Application Security Verification Standard (ASVS) Hall of Fame 2 | 3 | 4 | 5 | Thank you to those who have discovered or will discover security bugs in our scripts or infrastructure! -------------------------------------------------------------------------------- /images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/1.png -------------------------------------------------------------------------------- /images/1.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/1.psd -------------------------------------------------------------------------------- /images/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/2.png -------------------------------------------------------------------------------- /images/2.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/2.psd -------------------------------------------------------------------------------- /images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/3.png 
-------------------------------------------------------------------------------- /images/3.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/3.psd -------------------------------------------------------------------------------- /images/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/4.png -------------------------------------------------------------------------------- /images/4.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/4.psd -------------------------------------------------------------------------------- /images/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/5.png -------------------------------------------------------------------------------- /images/5.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/5.psd -------------------------------------------------------------------------------- /images/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/6.png -------------------------------------------------------------------------------- /images/6.psd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/6.psd 
-------------------------------------------------------------------------------- /images/old/ASVS_uses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/old/ASVS_uses.png -------------------------------------------------------------------------------- /images/old/levels.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/old/levels.png -------------------------------------------------------------------------------- /images/supporters/clarifiedlogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/supporters/clarifiedlogo.png -------------------------------------------------------------------------------- /images/supporters/crestlogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/supporters/crestlogo.png -------------------------------------------------------------------------------- /images/supporters/forwardseclogo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/supporters/forwardseclogo.jpg -------------------------------------------------------------------------------- /images/supporters/googlelogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/supporters/googlelogo.png -------------------------------------------------------------------------------- /images/supporters/jitlogo.svg: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | Jit- Automating product security-Logo-pink 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /images/supporters/omegapointlogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/ASVS/24f71176e55629a31ef70d9eef900dbec43f3144/images/supporters/omegapointlogo.png --------------------------------------------------------------------------------
