OWASP_ASVS_2014
Updated 2023-03-16
Security assessment standard, OWASP_ASVS_2014, OWASP industry standard
ASVS 2014 Web Application Standard
Application Security Verification Standard (2014)
Preface
Our biggest goal with this version of the standard was to increase adoption.
One of the major challenges of a standard such as this is that it needs to satisfy two distinct, and very different, targets: individuals who are involved in organizing or executing a software security program within their organization, and software security professionals who conduct verification of applications. While both targets seek an industry-accepted standard for verification of applications, they operate under different constraints. For example, one of the most widely voiced criticisms of the ASVS 2009 standard was that it specified automated assessments as one of the levels (or sub-levels). Many large organizations see automated assessments as a point of entry into the verification hierarchy, and thus a fully automated level is a convenient concept for them. Information security professionals, however, know that the depth and breadth of such a review will depend on what technology is used to perform the scan, thus leaving too much room for interpretation of the standard. ASVS 2014 introduces a Cursory Level 0 to allow for the flexibility needed to overcome this challenge.
On a similar note, one of the main goals for this version of the standard was to focus on the "what" and not the "how". Whereas the previous version of the standard talked about dynamic scanning, static analysis, Threat Modeling, and design reviews, you will notice that such terms do not appear in this version of the standard. Instead, we essentially define security requirements that must be verified for an application to achieve a certain level. How those requirements are verified is left up to the verifier.
Another major challenge that we overcame was to clearly separate requirements, design, and scope. The previous version of the standard did not clearly distinguish between these concepts, leaving room for confusion. In this version, Level 3 is where design considerations are introduced and clearly separated from detailed verification requirements. Furthermore, we have now separated out the concept of scope completely: the new (+) notation allows a verifier to optionally include third party components and frameworks in their review.
We expect that there will most likely never be 100% agreement on this standard. Risk analysis is always subjective to some extent, which creates a challenge when attempting to generalize in a one size fits all standard. However, we hope that the latest updates made in this version are a step in the right direction, and respectfully enhance the concepts introduced in this important industry standard.
Acknowledgements
Version 2014
Project Leads: Sahba Kazerooni (Security Compass, http://www.securitycompass.com), Daniel Cuthbert (SensePost, http://www.sensepost.com/)
Lead Authors: Andrew van der Stock, Sahba Kazerooni, Daniel Cuthbert, Krishna Raja
Reviewers and contributors: Jerome Athias, Boy Baukema, Archangel Cuison, Sebastien Deleersnyder, Antonio Fontes, Evan Gaustad, Safuat Hamdy, Ari Kesäniemi, Scott Luc, Jim Manico, Mait Peekma, Pekka Sillanpää, Jeff Sergeant, Etienne Stalmans, Colin Watson, Dr Emin Tatli.
Additionally, thanks are given to the application security verification community and others interested in trusted web computing for their enthusiastic advice and assistance throughout this effort.
Version 2009
As ASVS 2014 includes many of the original requirements, the following contributors are recognized for their efforts during the original Application Security Verification Standard effort: Mike Boberski, Jeff Williams, Dave Wichers, Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.
Copyright and License
Copyright © 2008 – 2014 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.
Table of Contents
Introduction ... 5
How to Use This Standard ... 6
Application Security Verification Levels ... 9
Level 0: Cursory ... 10
Level 1: Opportunistic ... 11
Level 2: Standard ... 12
Level 3: Advanced ... 13
Scope of Verification ... 15
Detailed Verification Requirements ... 16
V2: Authentication Verification Requirements ... 17
V3: Session Management Verification Requirements ... 19
V4: Access Control Verification Requirements ... 21
V5: Malicious Input Handling Verification Requirements ... 23
V7: Cryptography at Rest Verification Requirements ... 25
V8: Error Handling and Logging Verification Requirements ... 26
V9: Data Protection Verification Requirements ... 28
V10: Communications Security Verification Requirements ... 29
V11: HTTP Security Verification Requirements ... 31
V13: Malicious Controls Verification Requirements ... 32
V15: Business Logic Verification Requirements ... 33
V16: Files and Resources Verification Requirements ... 35
V17: Mobile Verification Requirements ... 36
Appendix A: Applying ASVS in Practice ... 39
Appendix B: Glossary ... 44
Appendix C: Where To Go From Here ... 47
Introduction
The primary aim of the OWASP Application Security Verification Standard (ASVS) is to normalize the range in the coverage and level of rigor available in the market when it comes to performing web application security verification.
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security include improvements in all of these areas. We can be found at www.owasp.org.
OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative, open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.
The ASVS standard provides a basis for verifying application technical security controls, as well as any technical security controls in the environment that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.[1] This standard can be used to establish a level of confidence in the security of Web applications.

[1] For more information about common Web application vulnerabilities, see the OWASP Top Ten (OWASP, 2013).