- Table of contents
- Objective
- V1: Architecture, Design and Threat Modeling Requirements
- V1.1 Secure Software Development Lifecycle Requirements
- V1.2 Authentication Architectural Requirements
- V1.3 Session Management Architectural Requirements
- V1.4 Access Control Architectural Requirements
- V1.5 Input and Output Architectural Requirements
- V1.6 Cryptographic Architectural Requirements
- V1.7 Errors, Logging and Auditing Architectural Requirements
- V1.8 Data Protection and Privacy Architectural Requirements
- V1.9 Communications Architectural Requirements
- V1.10 Malicious Software Architectural Requirements
- V1.11 Business Logic Architectural Requirements
- V1.12 Secure File Upload Architectural Requirements
- V1.13 API Architectural Requirements
- V1.14 Configuration Architectural Requirements
- V2: Authentication Verification Requirements
- V2.1 Password Security Requirements
- V2.2 General Authenticator Requirements
- V2.3 Authenticator Lifecycle Requirements
- V2.4 Credential Storage Requirements
- V2.5 Credential Recovery Requirements
- V2.6 Look-up Secret Verifier Requirements
- V2.7 Out of Band Verifier Requirements
- V2.8 Single or Multi Factor One Time Verifier Requirements
- V2.9 Cryptographic Software and Devices Verifier Requirements
- V2.10 Service Authentication Requirements
- V3: Session Management Verification Requirements
- V4: Access Control Verification Requirements
- V5: Validation, Sanitization and Encoding Verification Requirements
- V6: Stored Cryptography Verification Requirements
- V7: Error Handling and Logging Verification Requirements
- V8: Data Protection Verification Requirements
- V9: Communications Verification Requirements
- V10: Malicious Code Verification Requirements
- V11: Business Logic Verification Requirements
- V12: File and Resources Verification Requirements
- V13: API and Web Service Verification Requirements
- V14: Configuration Verification Requirements
Table of contents
- Objective
- V1: Architecture, Design and Threat Modeling Requirements
- V1.1 Secure Software Development Lifecycle Requirements
- V1.2 Authentication Architectural Requirements
- V1.3 Session Management Architectural Requirements
- V1.4 Access Control Architectural Requirements
- V1.5 Input and Output Architectural Requirements
- V1.6 Cryptographic Architectural Requirements
- V1.7 Errors, Logging and Auditing Architectural Requirements
- V1.8 Data Protection and Privacy Architectural Requirements
- V1.9 Communications Architectural Requirements
- V1.10 Malicious Software Architectural Requirements
- V1.11 Business Logic Architectural Requirements
- V1.12 Secure File Upload Architectural Requirements
- V1.13 API Architectural Requirements
- V1.14 Configuration Architectural Requirements
- V2: Authentication Verification Requirements
- V2.1 Password Security Requirements
- V2.2 General Authenticator Requirements
- V2.3 Authenticator Lifecycle Requirements
- V2.4 Credential Storage Requirements
- V2.5 Credential Recovery Requirements
- V2.6 Look-up Secret Verifier Requirements
- V2.7 Out of Band Verifier Requirements
- V2.8 Single or Multi Factor One Time Verifier Requirements
- V2.9 Cryptographic Software and Devices Verifier Requirements
- V2.10 Service Authentication Requirements
- V3: Session Management Verification Requirements
- V4: Access Control Verification Requirements
- V5: Validation, Sanitization and Encoding Verification Requirements
- V6: Stored Cryptography Verification Requirements
- V7: Error Handling and Logging Verification Requirements
- V8: Data Protection Verification Requirements
- V9: Communications Verification Requirements
- V10: Malicious Code Verification Requirements
- V11: Business Logic Verification Requirements
- V12: File and Resources Verification Requirements
- V13: API and Web Service Verification Requirements
- V14: Configuration Verification Requirements
Objective
The objective of this index is to help an OWASP Application Security Verification Standard (ASVS) user clearly identify which cheat sheets are useful for each section during his or her usage of the ASVS.
This index is based on the version 4.x of the ASVS.
V1: Architecture, Design and Threat Modeling Requirements
V1.1 Secure Software Development Lifecycle Requirements
Attack Surface Analysis Cheat Sheet.
V1.2 Authentication Architectural Requirements
None.
V1.3 Session Management Architectural Requirements
None.
V1.4 Access Control Architectural Requirements
V1.5 Input and Output Architectural Requirements
V1.6 Cryptographic Architectural Requirements
Cryptographic Storage Cheat Sheet.
V1.7 Errors, Logging and Auditing Architectural Requirements
V1.8 Data Protection and Privacy Architectural Requirements
User Privacy Protection Cheat Sheet.
V1.9 Communications Architectural Requirements
Transport Layer Protection Cheat Sheet.
TLS Cipher String Cheat Sheet.
V1.10 Malicious Software Architectural Requirements
Third Party Javascript Management Cheat Sheet.
V1.11 Business Logic Architectural Requirements
V1.12 Secure File Upload Architectural Requirements
None.
V1.13 API Architectural Requirements
V1.14 Configuration Architectural Requirements
None.
V2: Authentication Verification Requirements
V2.1 Password Security Requirements
Choosing and Using Security Questions Cheat Sheet.
Credential Stuffing Prevention Cheat Sheet
V2.2 General Authenticator Requirements
Transport Layer Protection Cheat Sheet.
TLS Cipher String Cheat Sheet.
V2.3 Authenticator Lifecycle Requirements
None.
V2.4 Credential Storage Requirements
V2.5 Credential Recovery Requirements
Choosing and Using Security Questions Cheat Sheet.
V2.6 Look-up Secret Verifier Requirements
None.
V2.7 Out of Band Verifier Requirements
V2.8 Single or Multi Factor One Time Verifier Requirements
None.
V2.9 Cryptographic Software and Devices Verifier Requirements
Cryptographic Storage Cheat Sheet.
V2.10 Service Authentication Requirements
None.
V3: Session Management Verification Requirements
V3.1 Fundamental Session Management Requirements
None.
V3.2 Session Binding Requirements
Session Management Cheat Sheet.
V3.3 Session Logout and Timeout Requirements
Session Management Cheat Sheet.
V3.4 Cookie-based Session Management
Session Management Cheat Sheet.
Cross-Site Request Forgery Prevention Cheat Sheet.
V3.5 Token-based Session Management
JSON Web Token Cheat Sheet for Java.
V3.6 Re-authentication from a Federation or Assertion
None.
V3.7 Defenses Against Session Management Exploits
Session Management Cheat Sheet.
Transaction Authorization Cheat Sheet.
V4: Access Control Verification Requirements
V4.1 General Access Control Design
Authorization Testing Automation.
V4.2 Operation Level Access Control
Insecure Direct Object Reference Prevention Cheat Sheet.
Cross-Site Request Forgery Prevention Cheat Sheet.
Authorization Testing Automation.
V4.3 Other Access Control Considerations
V5: Validation, Sanitization and Encoding Verification Requirements
V5.1 Input Validation Requirements
V5.2 Sanitization and Sandboxing Requirements
Server Side Request Forgery Prevention Cheat Sheet.
DOM based XSS Prevention Cheat Sheet.
Unvalidated Redirects and Forwards Cheat Sheet.
V5.3 Output encoding and Injection Prevention Requirements
DOM based XSS Prevention Cheat Sheet.
Injection Prevention Cheat Sheet.
Injection Prevention Cheat Sheet in Java.
LDAP Injection Prevention Cheat Sheet.
OS Command Injection Defense Cheat Sheet.
Protect File Upload Against Malicious File.
Query Parameterization Cheat Sheet.
SQL Injection Prevention Cheat Sheet.
Unvalidated Redirects and Forwards Cheat Sheet.
V5.4 Memory, String, and Unmanaged Code Requirements
None.
V5.5 Deserialization Prevention Requirements
V6: Stored Cryptography Verification Requirements
V6.1 Data Classification
User Privacy Protection Cheat Sheet.
V6.2 Algorithms
Cryptographic Storage Cheat Sheet.
V6.3 Random Values
None.
V6.4 Secret Management
V7: Error Handling and Logging Verification Requirements
V7.1 Log Content Requirements
V7.2 Log Processing Requirements
V7.3 Log Protection Requirements
V7.4 Error Handling
V8: Data Protection Verification Requirements
V8.1 General Data Protection
None.
V8.2 Client-side Data Protection
None.
V8.3 Sensitive Private Data
None.
V9: Communications Verification Requirements
V9.1 Communications Security Requirements
HTTP Strict Transport Security Cheat Sheet.
Transport Layer Protection Cheat Sheet.
TLS Cipher String Cheat Sheet.
V9.2 Server Communications Security Requirements
None.
V10: Malicious Code Verification Requirements
V10.1 Code Integrity Controls
Third Party Javascript Management Cheat Sheet.
V10.2 Malicious Code Search
None.
V10.3 Deployed Application Integrity Controls
V11: Business Logic Verification Requirements
V11.1 Business Logic Security Requirements
V12: File and Resources Verification Requirements
V12.1 File Upload Requirements
Protect File Upload Against Malicious File.
V12.2 File Integrity Requirements
Protect File Upload Against Malicious File.
Third Party Javascript Management Cheat Sheet.
V12.3 File execution Requirements
None.
V12.4 File Storage Requirements
None.
V12.5 File Download Requirements
None.
V12.6 SSRF Protection Requirements
Server Side Request Forgery Prevention Cheat Sheet.
Unvalidated Redirects and Forwards Cheat Sheet.
V13: API and Web Service Verification Requirements
V13.1 Generic Web Service Security Verification Requirements
Web Service Security Cheat Sheet.
Server Side Request Forgery Prevention Cheat Sheet.
V13.2 RESTful Web Service Verification Requirements
Cross-Site Request Forgery Prevention Cheat Sheet.
V13.3 SOAP Web Service Verification Requirements
V13.4 GraphQL and other Web Service Data Layer Security Requirements
None.
V14: Configuration Verification Requirements
V14.1 Build
V14.2 Dependency
Vulnerable Dependency Management Cheat Sheet.
V14.3 Unintended Security Disclosure Requirements
V14.4 HTTP Security Headers Requirements
Content Security Policy Cheat Sheet.
V14.5 Validate HTTP Request Header Requirements
None.