ASVS Index
Table of Contents
- Objective
- V1: Architecture, Design and Threat Modeling Requirements
  - V1.1 Secure Software Development Lifecycle Requirements
  - V1.2 Authentication Architectural Requirements
  - V1.3 Session Management Architectural Requirements
  - V1.4 Access Control Architectural Requirements
  - V1.5 Input and Output Architectural Requirements
  - V1.6 Cryptographic Architectural Requirements
  - V1.7 Errors, Logging and Auditing Architectural Requirements
  - V1.8 Data Protection and Privacy Architectural Requirements
  - V1.9 Communications Architectural Requirements
  - V1.10 Malicious Software Architectural Requirements
  - V1.11 Business Logic Architectural Requirements
  - V1.12 Secure File Upload Architectural Requirements
  - V1.13 API Architectural Requirements
  - V1.14 Configuration Architectural Requirements
- V2: Authentication Verification Requirements
  - V2.1 Password Security Requirements
  - V2.2 General Authenticator Requirements
  - V2.3 Authenticator Lifecycle Requirements
  - V2.4 Credential Storage Requirements
  - V2.5 Credential Recovery Requirements
  - V2.6 Look-up Secret Verifier Requirements
  - V2.7 Out of Band Verifier Requirements
  - V2.8 Single or Multi Factor One Time Verifier Requirements
  - V2.9 Cryptographic Software and Devices Verifier Requirements
  - V2.10 Service Authentication Requirements
- V3: Session Management Verification Requirements
  - V3.1 Fundamental Session Management Requirements
  - V3.2 Session Binding Requirements
  - V3.3 Session Logout and Timeout Requirements
  - V3.4 Cookie-based Session Management
  - V3.5 Token-based Session Management
  - V3.6 Re-authentication from a Federation or Assertion
  - V3.7 Defenses Against Session Management Exploits
- V4: Access Control Verification Requirements
- V5: Validation, Sanitization and Encoding Verification Requirements
- V6: Stored Cryptography Verification Requirements
- V7: Error Handling and Logging Verification Requirements
- V8: Data Protection Verification Requirements
- V9: Communications Verification Requirements
- V10: Malicious Code Verification Requirements
- V11: Business Logic Verification Requirements
- V12: File and Resources Verification Requirements
- V13: API and Web Service Verification Requirements
- V14: Configuration Verification Requirements
Objective
The objective of this index is to help an OWASP Application Security Verification Standard (ASVS) user clearly identify which cheat sheets are useful for each section while working with the ASVS.
This index is based on version 4.0.x of the ASVS.
V1: Architecture, Design and Threat Modeling Requirements
V1.1 Secure Software Development Lifecycle Requirements
Attack Surface Analysis Cheat Sheet
V1.2 Authentication Architectural Requirements
None.
V1.3 Session Management Architectural Requirements
None.
V1.4 Access Control Architectural Requirements
V1.5 Input and Output Architectural Requirements
V1.6 Cryptographic Architectural Requirements
Cryptographic Storage Cheat Sheet
V1.7 Errors, Logging and Auditing Architectural Requirements
V1.8 Data Protection and Privacy Architectural Requirements
User Privacy Protection Cheat Sheet
V1.9 Communications Architectural Requirements
Transport Layer Security Cheat Sheet
V1.10 Malicious Software Architectural Requirements
Third Party JavaScript Management Cheat Sheet
V1.11 Business Logic Architectural Requirements
V1.12 Secure File Upload Architectural Requirements
None.
V1.13 API Architectural Requirements
V1.14 Configuration Architectural Requirements
None.
V2: Authentication Verification Requirements
V2.1 Password Security Requirements
Choosing and Using Security Questions Cheat Sheet
Credential Stuffing Prevention Cheat Sheet
V2.2 General Authenticator Requirements
Transport Layer Security Cheat Sheet
V2.3 Authenticator Lifecycle Requirements
None.
V2.4 Credential Storage Requirements
V2.5 Credential Recovery Requirements
Choosing and Using Security Questions Cheat Sheet
V2.6 Look-up Secret Verifier Requirements
None.
V2.7 Out of Band Verifier Requirements
V2.8 Single or Multi Factor One Time Verifier Requirements
None.
V2.9 Cryptographic Software and Devices Verifier Requirements
Cryptographic Storage Cheat Sheet
V2.10 Service Authentication Requirements
None.
V3: Session Management Verification Requirements
V3.1 Fundamental Session Management Requirements
None.
V3.2 Session Binding Requirements
Session Management Cheat Sheet
Transport Layer Security Cheat Sheet
V3.3 Session Logout and Timeout Requirements
Session Management Cheat Sheet
V3.4 Cookie-based Session Management
Session Management Cheat Sheet
Cross-Site Request Forgery Prevention Cheat Sheet
V3.5 Token-based Session Management
JSON Web Token Cheat Sheet for Java
V3.6 Re-authentication from a Federation or Assertion
None.
V3.7 Defenses Against Session Management Exploits
Session Management Cheat Sheet
Transaction Authorization Cheat Sheet
V4: Access Control Verification Requirements
V4.1 General Access Control Design
Authorization Testing Automation
V4.2 Operation Level Access Control
Insecure Direct Object Reference Prevention Cheat Sheet
Cross-Site Request Forgery Prevention Cheat Sheet
Authorization Testing Automation
V4.3 Other Access Control Considerations
REST Assessment Cheat Sheet
Multifactor Authentication Cheat Sheet
V5: Validation, Sanitization and Encoding Verification Requirements
V5.1 Input Validation Requirements
V5.2 Sanitization and Sandboxing Requirements
Server Side Request Forgery Prevention Cheat Sheet
DOM based XSS Prevention Cheat Sheet
Unvalidated Redirects and Forwards Cheat Sheet
V5.3 Output Encoding and Injection Prevention Requirements
DOM based XSS Prevention Cheat Sheet
Injection Prevention Cheat Sheet
Injection Prevention Cheat Sheet in Java
LDAP Injection Prevention Cheat Sheet
OS Command Injection Defense Cheat Sheet
Protect File Upload Against Malicious File
Query Parameterization Cheat Sheet
SQL Injection Prevention Cheat Sheet
Unvalidated Redirects and Forwards Cheat Sheet
V5.4 Memory, String, and Unmanaged Code Requirements
None.
V5.5 Deserialization Prevention Requirements
V6: Stored Cryptography Verification Requirements
V6.1 Data Classification
User Privacy Protection Cheat Sheet
V6.2 Algorithms
Cryptographic Storage Cheat Sheet
V6.3 Random Values
None.
V6.4 Secret Management
V7: Error Handling and Logging Verification Requirements
V7.1 Log Content Requirements
V7.2 Log Processing Requirements
V7.3 Log Protection Requirements
V7.4 Error Handling
V8: Data Protection Verification Requirements
V8.1 General Data Protection
None.
V8.2 Client-side Data Protection
None.
V8.3 Sensitive Private Data
None.
V9: Communications Verification Requirements
V9.1 Communications Security Requirements
HTTP Strict Transport Security Cheat Sheet
Transport Layer Security Cheat Sheet
V9.2 Server Communications Security Requirements
Transport Layer Security Cheat Sheet
V10: Malicious Code Verification Requirements
V10.1 Code Integrity Controls
Third Party JavaScript Management Cheat Sheet
V10.2 Malicious Code Search
None.
V10.3 Deployed Application Integrity Controls
V11: Business Logic Verification Requirements
V11.1 Business Logic Security Requirements
V12: File and Resources Verification Requirements
V12.1 File Upload Requirements
Protect File Upload Against Malicious File
V12.2 File Integrity Requirements
Protect File Upload Against Malicious File
Third Party JavaScript Management Cheat Sheet
V12.3 File Execution Requirements
None.
V12.4 File Storage Requirements
None.
V12.5 File Download Requirements
None.
V12.6 SSRF Protection Requirements
Server Side Request Forgery Prevention Cheat Sheet
Unvalidated Redirects and Forwards Cheat Sheet
V13: API and Web Service Verification Requirements
V13.1 Generic Web Service Security Verification Requirements
Web Service Security Cheat Sheet
Server Side Request Forgery Prevention Cheat Sheet
V13.2 RESTful Web Service Verification Requirements
Cross-Site Request Forgery Prevention Cheat Sheet
Transport Layer Security Cheat Sheet
V13.3 SOAP Web Service Verification Requirements
V13.4 GraphQL and other Web Service Data Layer Security Requirements
None.
V14: Configuration Verification Requirements
V14.1 Build
V14.2 Dependency
Vulnerable Dependency Management Cheat Sheet
V14.3 Unintended Security Disclosure Requirements
V14.4 HTTP Security Headers Requirements
Content Security Policy Cheat Sheet
V14.5 Validate HTTP Request Header Requirements
None.