
Application Security Verification Standard 4.0 - Final

Application Security Verification Standard 4.0

Final

March 2019

OWASP Application Security Verification Standard 4.0 2

Table of Contents

Frontispiece ... 7
    About the Standard ... 7
    Copyright and License ... 7
    Project Leads ... 7
    Contributors and Reviewers ... 7

Preface ... 8
    What's new in 4.0 ... 8

Using the ASVS ... 9
    Application Security Verification Levels ... 9
    How to use this standard ... 10
        Level 1 - First steps, automated, or whole of portfolio view ... 10
        Level 2 - Most applications ... 10
        Level 3 - High value, high assurance, or high safety ... 11
    Applying ASVS in Practice ... 11
        Assessment and Certification ... 11
    OWASP's Stance on ASVS Certifications and Trust Marks ... 11
    Guidance for Certifying Organizations ... 11
        Testing Method ... 12
    Other uses for the ASVS ... 12
        As Detailed Security Architecture Guidance ... 12
        As a Replacement for Off-the-shelf Secure Coding Checklists ... 13
        As a Guide for Automated Unit and Integration Tests ... 13
        For Secure Development Training ... 13
        As a Driver for Agile Application Security ... 13
        As a Framework for Guiding the Procurement of Secure Software ... 13

V1: Architecture, Design and Threat Modeling Requirements ... 14
    Control Objective ... 14
    V1.1 Secure Software Development Lifecycle Requirements ... 14
    V1.2 Authentication Architectural Requirements ... 15
    V1.3 Session Management Architectural Requirements ... 15
    V1.4 Access Control Architectural Requirements ... 15
    V1.5 Input and Output Architectural Requirements ... 16
    V1.6 Cryptographic Architectural Requirements ... 16
    V1.7 Errors, Logging and Auditing Architectural Requirements ... 17
    V1.8 Data Protection and Privacy Architectural Requirements ... 17
    V1.9 Communications Architectural Requirements ... 17
    V1.10 Malicious Software Architectural Requirements ... 17
    V1.11 Business Logic Architectural Requirements ... 18
    V1.12 Secure File Upload Architectural Requirements ... 18
    V1.13 API Architectural Requirements ... 18
    V1.14 Configuration Architectural Requirements ... 18
    References ... 19

V2: Authentication Verification Requirements ... 20
    Control Objective ... 20
    NIST 800-63 - Modern, evidence-based authentication standard ... 20
        Selecting an appropriate NIST AAL Level ... 20
    Legend ... 20
    V2.1 Password Security Requirements ... 21
    V2.2 General Authenticator Requirements ... 22
    V2.3 Authenticator Lifecycle Requirements ... 23
    V2.4 Credential Storage Requirements ... 23
    V2.5 Credential Recovery Requirements ... 24
    V2.6 Look-up Secret Verifier Requirements ... 25
    V2.7 Out of Band Verifier Requirements ... 25
    V2.8 Single or Multi Factor One Time Verifier Requirements ... 26
    V2.9 Cryptographic Software and Devices Verifier Requirements ... 27
    V2.10 Service Authentication Requirements ... 27
    Additional US Agency Requirements ... 27
    Glossary of terms ... 28
    References ... 28

V3: Session Management Verification Requirements ... 29
    Control Objective ... 29
    Security Verification Requirements ... 29
    V3.1 Fundamental Session Management Requirements ... 29
    V3.2 Session Binding Requirements ... 29
    V3.3 Session Logout and Timeout Requirements ... 29
    V3.4 Cookie-based Session Management ... 30
    V3.5 Token-based Session Management ... 31
    V3.6 Re-authentication from a Federation or Assertion ... 31
    V3.7 Defenses Against Session Management Exploits ... 31
        Description of the half-open Attack ... 31
    References ... 32

V4: Access Control Verification Requirements ... 33
    Control Objective ... 33
    Security Verification Requirements ... 33
    V4.1 General Access Control Design ... 33
    V4.2 Operation Level Access Control ... 33
    V4.3 Other Access Control Considerations ... 33
    References ... 34

V5: Validation, Sanitization and Encoding Verification Requirements ... 35
    Control Objective ... 35
    V5.1 Input Validation Requirements ... 35
    V5.2 Sanitization and Sandboxing Requirements ... 36
    V5.3 Output encoding and Injection Prevention Requirements ... 36
    V5.4 Memory, String, and Unmanaged Code Requirements ... 37
    V5.5 Deserialization Prevention Requirements ... 37
    References ... 38

V6: Stored Cryptography Verification Requirements ... 39
    Control Objective ... 39
    V6.1 Data Classification ... 39
    V6.2 Algorithms ... 39
    V6.3 Random Values ... 40
    V6.4 Secret Management ... 40
    References ... 40

V7: Error Handling and Logging Verification Requirements ... 42
    Control Objective ... 42
    V7.1 Log Content Requirements ... 42
    V7.2 Log Processing Requirements ... 42
    V7.3 Log Protection Requirements ... 43
    V7.4 Error Handling ... 43
    References ... 44

V8: Data Protection Verification Requirements ... 45
    Control Objective ... 45
    V8.1 General Data Protection ... 45
    V8.2 Client-side Data Protection ... 45
    V8.3 Sensitive Private Data ... 46
    References ... 47

V9: Communications Verification Requirements ... 48
    Control Objective ... 48
    V9.1 Communications Security Requirements ... 48
    V9.2 Server Communications Security Requirements ... 48
    References ... 49

V10: Malicious Code Verification Requirements ... 50
    Control Objective ... 50
    V10.1 Code Integrity Controls ... 50
    V10.2 Malicious Code Search ... 50
    V10.3 Deployed Application Integrity Controls ... 51
    References ... 51

V11: Business Logic Verification Requirements ... 52
    Control Objective ... 52
    V11.1 Business Logic Security Requirements ... 52
    References ... 53

V12: File and Resources Verification Requirements ... 54
    Control Objective ... 54
    V12.1 File Upload Requirements ... 54
    V12.2 File Integrity Requirements ... 54
    V12.3 File execution Requirements ... 54
    V12.4 File Storage Requirements ... 55
    V12.5 File Download Requirements ... 55
    V12.6 SSRF Protection Requirements ... 55
    References ... 55

V13: API and Web Service Verification Requirements ... 56
    Control Objective ... 56
    V13.1 Generic Web Service Security Verification Requirements ... 56
    V13.2 RESTful Web Service Verification Requirements ... 56
    V13.3 SOAP Web Service Verification Requirements ... 57
    V13.4 GraphQL and other Web Service Data Layer Security Requirements ... 57
    References ... 59

V14: Configuration Verification Requirements ... 60
    Control Objective ... 60
    V14.1 Build ... 60
    V14.2 Dependency ... 61
    V14.3 Unintended Security Disclosure Requirements ... 61
    V14.4 HTTP Security Headers Requirements ... 62
    V14.5 Validate HTTP Request Header Requirements ... 62
    References ... 62

Appendix A: Glossary ... 63

Appendix B: References ... 65
    OWASP Core Projects ... 65
    Mobile Security Related Projects ... 65
    OWASP Internet of Things related projects ... 65
    OWASP Serverless projects ... 65
