ASVS Index
Table of Contents
- Objective
- V1: Architecture, Design and Threat Modeling Requirements
- V1.1 Secure Software Development Lifecycle Requirements
- V1.2 Authentication Architectural Requirements
- V1.3 Session Management Architectural Requirements
- V1.4 Access Control Architectural Requirements
- V1.5 Input and Output Architectural Requirements
- V1.6 Cryptographic Architectural Requirements
- V1.7 Errors, Logging and Auditing Architectural Requirements
- V1.8 Data Protection and Privacy Architectural Requirements
- V1.9 Communications Architectural Requirements
- V1.10 Malicious Software Architectural Requirements
- V1.11 Business Logic Architectural Requirements
- V1.12 Secure File Upload Architectural Requirements
- V1.13 API Architectural Requirements
- V1.14 Configuration Architectural Requirements
- V2: Authentication Verification Requirements
- V2.1 Password Security Requirements
- V2.2 General Authenticator Requirements
- V2.3 Authenticator Lifecycle Requirements
- V2.4 Credential Storage Requirements
- V2.5 Credential Recovery Requirements
- V2.6 Look-up Secret Verifier Requirements
- V2.7 Out of Band Verifier Requirements
- V2.8 Single or Multi Factor One Time Verifier Requirements
- V2.9 Cryptographic Software and Devices Verifier Requirements
- V2.10 Service Authentication Requirements
- V3: Session Management Verification Requirements
- V3.1 Fundamental Session Management Requirements
- V3.2 Session Binding Requirements
- V3.3 Session Logout and Timeout Requirements
- V3.4 Cookie-based Session Management
- V3.5 Token-based Session Management
- V3.6 Re-authentication from a Federation or Assertion
- V3.7 Defenses Against Session Management Exploits
- V4: Access Control Verification Requirements
- V5: Validation, Sanitization and Encoding Verification Requirements
- V6: Stored Cryptography Verification Requirements
- V7: Error Handling and Logging Verification Requirements
- V8: Data Protection Verification Requirements
- V9: Communications Verification Requirements
- V10: Malicious Code Verification Requirements
- V11: Business Logic Verification Requirements
- V12: File and Resources Verification Requirements
- V13: API and Web Service Verification Requirements
- V14: Configuration Verification Requirements
Objective
The objective of this index is to help a user of the OWASP Application Security Verification Standard (ASVS) quickly identify which cheat sheets are relevant to each ASVS section.
This index is based on version 4.x of the ASVS.
V1: Architecture, Design and Threat Modeling Requirements
V1.1 Secure Software Development Lifecycle Requirements
Attack Surface Analysis Cheat Sheet.
V1.2 Authentication Architectural Requirements
None.
V1.3 Session Management Architectural Requirements
None.
V1.4 Access Control Architectural Requirements
V1.5 Input and Output Architectural Requirements
V1.6 Cryptographic Architectural Requirements
Cryptographic Storage Cheat Sheet.
V1.7 Errors, Logging and Auditing Architectural Requirements
V1.8 Data Protection and Privacy Architectural Requirements
User Privacy Protection Cheat Sheet.
V1.9 Communications Architectural Requirements
Transport Layer Protection Cheat Sheet.
TLS Cipher String Cheat Sheet.
V1.10 Malicious Software Architectural Requirements
Third Party Javascript Management Cheat Sheet.
V1.11 Business Logic Architectural Requirements
V1.12 Secure File Upload Architectural Requirements
None.
V1.13 API Architectural Requirements
V1.14 Configuration Architectural Requirements
None.
V2: Authentication Verification Requirements
V2.1 Password Security Requirements
Choosing and Using Security Questions Cheat Sheet.
Credential Stuffing Prevention Cheat Sheet.
V2.2 General Authenticator Requirements
Transport Layer Protection Cheat Sheet.
TLS Cipher String Cheat Sheet.
V2.3 Authenticator Lifecycle Requirements
None.
V2.4 Credential Storage Requirements
V2.5 Credential Recovery Requirements
Choosing and Using Security Questions Cheat Sheet.
V2.6 Look-up Secret Verifier Requirements
None.
V2.7 Out of Band Verifier Requirements
V2.8 Single or Multi Factor One Time Verifier Requirements
None.
V2.9 Cryptographic Software and Devices Verifier Requirements
Cryptographic Storage Cheat Sheet.
V2.10 Service Authentication Requirements
None.
V3: Session Management Verification Requirements
V3.1 Fundamental Session Management Requirements
None.
V3.2 Session Binding Requirements
Session Management Cheat Sheet.
V3.3 Session Logout and Timeout Requirements
Session Management Cheat Sheet.
V3.4 Cookie-based Session Management
Session Management Cheat Sheet.
Cross-Site Request Forgery Prevention Cheat Sheet.
V3.5 Token-based Session Management
JSON Web Token Cheat Sheet for Java.
V3.6 Re-authentication from a Federation or Assertion
None.
V3.7 Defenses Against Session Management Exploits
Session Management Cheat Sheet.
Transaction Authorization Cheat Sheet.
V4: Access Control Verification Requirements
V4.1 General Access Control Design
Authorization Testing Automation.
V4.2 Operation Level Access Control
Insecure Direct Object Reference Prevention Cheat Sheet.
Cross-Site Request Forgery Prevention Cheat Sheet.
Authorization Testing Automation.
V4.3 Other Access Control Considerations
V5: Validation, Sanitization and Encoding Verification Requirements
V5.1 Input Validation Requirements
V5.2 Sanitization and Sandboxing Requirements
Server Side Request Forgery Prevention Cheat Sheet.
DOM based XSS Prevention Cheat Sheet.
Unvalidated Redirects and Forwards Cheat Sheet.
V5.3 Output Encoding and Injection Prevention Requirements
DOM based XSS Prevention Cheat Sheet.
Injection Prevention Cheat Sheet.
Injection Prevention Cheat Sheet in Java.
LDAP Injection Prevention Cheat Sheet.
OS Command Injection Defense Cheat Sheet.
Protect File Upload Against Malicious File.
Query Parameterization Cheat Sheet.
SQL Injection Prevention Cheat Sheet.
Unvalidated Redirects and Forwards Cheat Sheet.
V5.4 Memory, String, and Unmanaged Code Requirements
None.
V5.5 Deserialization Prevention Requirements
V6: Stored Cryptography Verification Requirements
V6.1 Data Classification
User Privacy Protection Cheat Sheet.
V6.2 Algorithms
Cryptographic Storage Cheat Sheet.
V6.3 Random Values
None.
V6.4 Secret Management
V7: Error Handling and Logging Verification Requirements
V7.1 Log Content Requirements
V7.2 Log Processing Requirements
V7.3 Log Protection Requirements
V7.4 Error Handling
V8: Data Protection Verification Requirements
V8.1 General Data Protection
None.
V8.2 Client-side Data Protection
None.
V8.3 Sensitive Private Data
None.
V9: Communications Verification Requirements
V9.1 Communications Security Requirements
HTTP Strict Transport Security Cheat Sheet.
Transport Layer Protection Cheat Sheet.
TLS Cipher String Cheat Sheet.
V9.2 Server Communications Security Requirements
None.
V10: Malicious Code Verification Requirements
V10.1 Code Integrity Controls
Third Party Javascript Management Cheat Sheet.
V10.2 Malicious Code Search
None.
V10.3 Deployed Application Integrity Controls
V11: Business Logic Verification Requirements
V11.1 Business Logic Security Requirements
V12: File and Resources Verification Requirements
V12.1 File Upload Requirements
Protect File Upload Against Malicious File.
V12.2 File Integrity Requirements
Protect File Upload Against Malicious File.
Third Party Javascript Management Cheat Sheet.
V12.3 File Execution Requirements
None.
V12.4 File Storage Requirements
None.
V12.5 File Download Requirements
None.
V12.6 SSRF Protection Requirements
Server Side Request Forgery Prevention Cheat Sheet.
Unvalidated Redirects and Forwards Cheat Sheet.
V13: API and Web Service Verification Requirements
V13.1 Generic Web Service Security Verification Requirements
Web Service Security Cheat Sheet.
Server Side Request Forgery Prevention Cheat Sheet.
V13.2 RESTful Web Service Verification Requirements
Cross-Site Request Forgery Prevention Cheat Sheet.
V13.3 SOAP Web Service Verification Requirements
V13.4 GraphQL and other Web Service Data Layer Security Requirements
None.
V14: Configuration Verification Requirements
V14.1 Build
V14.2 Dependency
Vulnerable Dependency Management Cheat Sheet.
V14.3 Unintended Security Disclosure Requirements
V14.4 HTTP Security Headers Requirements
Content Security Policy Cheat Sheet.
V14.5 Validate HTTP Request Header Requirements
None.