-
Notifications
You must be signed in to change notification settings - Fork 25
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
326 changed files
with
7,246 additions
and
4,358 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
83 changes: 55 additions & 28 deletions
83
...architecture-design-and-threat-modeling/02-authentication-architecture/index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1,55 @@ | ||
| # Authentication Architecture | ||
| ## V1.2.1 | ||
| Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [250](https://cwe.mitre.org/data/definitions/250) | ||
| ## V1.2.2 | ||
| Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [306](https://cwe.mitre.org/data/definitions/306) | ||
| ## V1.2.3 | ||
| Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [306](https://cwe.mitre.org/data/definitions/306) | ||
| ## V1.2.4 | ||
| Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [306](https://cwe.mitre.org/data/definitions/306) | ||
| ## Disclaimer: | ||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. | ||
| ## Authentication Architecture | ||
|
|
||
| ## V1.2.1 | ||
|
|
||
| Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [250](https://cwe.mitre.org/data/definitions/250) | ||
|
|
||
| ## V1.2.2 | ||
|
|
||
| Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [306](https://cwe.mitre.org/data/definitions/306) | ||
|
|
||
| ## V1.2.3 | ||
|
|
||
| Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [306](https://cwe.mitre.org/data/definitions/306) | ||
|
|
||
| ## V1.2.4 | ||
|
|
||
| Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [306](https://cwe.mitre.org/data/definitions/306) | ||
|
|
||
|
|
||
|
|
||
| ## Disclaimer: | ||
|
|
||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. |
11 changes: 7 additions & 4 deletions
11
...itecture-design-and-threat-modeling/03-session-management-architecture/index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,7 @@ | ||
| # Session Management Architecture | ||
| ## Disclaimer: | ||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. | ||
| ## Session Management Architecture | ||
|
|
||
|
|
||
|
|
||
| ## Disclaimer: | ||
|
|
||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. |
101 changes: 67 additions & 34 deletions
101
...architecture-design-and-threat-modeling/04-access-control-architecture/index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,34 +1,67 @@ | ||
| # Access Control Architecture | ||
| ## V1.4.1 | ||
| Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. Never enforce access controls on the client. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [602](https://cwe.mitre.org/data/definitions/602) | ||
| ## V1.4.2 | ||
| [DELETED, NOT ACTIONABLE] | ||
| Level 1 required: False | ||
| Level 2 required: False | ||
| Level 3 required: False | ||
| CWE: [](https://cwe.mitre.org/data/definitions/) | ||
| ## V1.4.3 | ||
| [DELETED, DUPLICATE OF 4.1.3] | ||
| Level 1 required: False | ||
| Level 2 required: False | ||
| Level 3 required: False | ||
| CWE: [](https://cwe.mitre.org/data/definitions/) | ||
| ## V1.4.4 | ||
| Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [284](https://cwe.mitre.org/data/definitions/284) | ||
| ## V1.4.5 | ||
| Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [275](https://cwe.mitre.org/data/definitions/275) | ||
| ## Disclaimer: | ||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. | ||
| ## Access Control Architecture | ||
|
|
||
| ## V1.4.1 | ||
|
|
||
| Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. Never enforce access controls on the client. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [602](https://cwe.mitre.org/data/definitions/602) | ||
|
|
||
| ## V1.4.2 | ||
|
|
||
| [DELETED, NOT ACTIONABLE] | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: False | ||
|
|
||
| Level 3 required: False | ||
|
|
||
| CWE: [](https://cwe.mitre.org/data/definitions/) | ||
|
|
||
| ## V1.4.3 | ||
|
|
||
| [DELETED, DUPLICATE OF 4.1.3] | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: False | ||
|
|
||
| Level 3 required: False | ||
|
|
||
| CWE: [](https://cwe.mitre.org/data/definitions/) | ||
|
|
||
| ## V1.4.4 | ||
|
|
||
| Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [284](https://cwe.mitre.org/data/definitions/284) | ||
|
|
||
| ## V1.4.5 | ||
|
|
||
| Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [275](https://cwe.mitre.org/data/definitions/275) | ||
|
|
||
|
|
||
|
|
||
| ## Disclaimer: | ||
|
|
||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. |
83 changes: 55 additions & 28 deletions
83
...chitecture-design-and-threat-modeling/05-input-and-output-architecture/index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1,55 @@ | ||
| # Input and Output Architecture | ||
| ## V1.5.1 | ||
| Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [1029](https://cwe.mitre.org/data/definitions/1029) | ||
| ## V1.5.2 | ||
| Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [502](https://cwe.mitre.org/data/definitions/502) | ||
| ## V1.5.3 | ||
| Verify that input validation is enforced on a trusted service layer. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [602](https://cwe.mitre.org/data/definitions/602) | ||
| ## V1.5.4 | ||
| Verify that output encoding occurs close to or by the interpreter for which it is intended. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [116](https://cwe.mitre.org/data/definitions/116) | ||
| ## Disclaimer: | ||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. | ||
| ## Input and Output Architecture | ||
|
|
||
| ## V1.5.1 | ||
|
|
||
| Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [1029](https://cwe.mitre.org/data/definitions/1029) | ||
|
|
||
| ## V1.5.2 | ||
|
|
||
| Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [502](https://cwe.mitre.org/data/definitions/502) | ||
|
|
||
| ## V1.5.3 | ||
|
|
||
| Verify that input validation is enforced on a trusted service layer. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [602](https://cwe.mitre.org/data/definitions/602) | ||
|
|
||
| ## V1.5.4 | ||
|
|
||
| Verify that output encoding occurs close to or by the interpreter for which it is intended. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [116](https://cwe.mitre.org/data/definitions/116) | ||
|
|
||
|
|
||
|
|
||
| ## Disclaimer: | ||
|
|
||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. |
83 changes: 55 additions & 28 deletions
83
...-architecture-design-and-threat-modeling/06-cryptographic-architecture/index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1,55 @@ | ||
| # Cryptographic Architecture | ||
| ## V1.6.1 | ||
| Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
| ## V1.6.2 | ||
| Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
| ## V1.6.3 | ||
| Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
| ## V1.6.4 | ||
| Verify that the architecture treats client-side secrets--such as symmetric keys, passwords, or API tokens--as insecure and never uses them to protect or access sensitive data. | ||
| Level 1 required: False | ||
| Level 2 required: True | ||
| Level 3 required: True | ||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
| ## Disclaimer: | ||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. | ||
| ## Cryptographic Architecture | ||
|
|
||
| ## V1.6.1 | ||
|
|
||
| Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
|
|
||
| ## V1.6.2 | ||
|
|
||
| Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
|
|
||
| ## V1.6.3 | ||
|
|
||
| Verify that all keys and passwords are replaceable and are part of a well-defined process to re-encrypt sensitive data. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
|
|
||
| ## V1.6.4 | ||
|
|
||
| Verify that the architecture treats client-side secrets--such as symmetric keys, passwords, or API tokens--as insecure and never uses them to protect or access sensitive data. | ||
|
|
||
| Level 1 required: False | ||
|
|
||
| Level 2 required: True | ||
|
|
||
| Level 3 required: True | ||
|
|
||
| CWE: [320](https://cwe.mitre.org/data/definitions/320) | ||
|
|
||
|
|
||
|
|
||
| ## Disclaimer: | ||
|
|
||
| Credit via [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). For more information visit [The OWASP ASVS Project](https://owasp.org/www-project-application-security-verification-standard/) or [Github respository.](https://github.com/OWASP/ASVS). OWASP ASVS is under the [Creative Commons Attribution-Share Alike v3.0](https://creativecommons.org/licenses/by-sa/3.0/) license. |
Oops, something went wrong.