Application Security Verification Standard 4.0, OWASP 2019 . 14 . (V1) , , , , . .
ASVS, , .
(Application Security Verification Standard – ASVS 4.0)
1.
ASVS – , , , , , , , .
1.1 ASVS
ASVS :
- ;
- .
1.2
, .
- 1 .
- 2 , , .
- 3 – , , .
ASVS . , .
1 – , . , , , . 1 « » ( ), , . , , . , , . « », , , .
30 « » , , . , « » , . , , , . .
, DAST (Dynamic Application Security Testing) SAST (Static Application Security Testing), , .
ASVS . , , , , . - .
1.3
– - , . ASVS , .
1 - , (First steps, automated, or whole of portfolio view)
1 ASVS, , OWASP Top 10 -, , CVE (Common Vulnerabilities and Exposures) CWE (Common Weakness Enumeration).
1 – , . 1 , , , 2 3. 1 , . 1 , .
, , , . , . , , , 1.
2 –
2 ASVS, , .
2 , . 2 , B2B-, , . , , , , .
2, , , , , .
3 - ,
3 – ASVS. , , , , , , ..
3 , , . 3- ASVS, , .
3 ASVS , , . ( , , , ), ( / ) , . (, ), (, , ), (, ), ( ), , ().
1.4 ASVS
, . - ASVS.
2.
2.1 OWASP ASVS
OWASP, , , , .
, , OWASP. , - , ASVS.
, OWASP.
2.2
, , , , , ( ), 2 3.
, , . (, , , SSOauthentication), , , , .
. , API- , (V3 Session Management) . - ASVS, .
, , , , , , . . , . , , .
2.3
, . , . , , .
. ASVS . 1 , . , . , .
4.0 1 , . , , . .
2 3 , , . , , , « » « ».
3. ASVS
, ASVS.
- . Sherwood Applied Business Security Architecture (SABSA) , . ASVS , , .
ASVS, ASVS, , . , . , 4.1 ASVS, 4.1 .
ASVS . , , . , , , , , XSS, LDAP- SQL-. , , , , XSS .
ASVS . « » - . , . ASVS, , -10 .
Agile-
ASVS Agile , , . : 1, ASVS , , , . Agile-. , ASVS , «», .
ASVS - , . , , , X ASVS, . OWASP .
. .
4. V1: ,
, - . - , , , «». , . , , .
-, , , , , . – , , . , , , .
, SAML, , NIST 800-63, . , , , . SAML – , , . , , .
ASVS : , , , . . Shift-left , , , , , , , , . , , production . Agile-, , , , .
1 – V1.1
№ | 1 | 2 | 3 | CWE | |
1.1.1 | . |
| + | + |
|
1.1.2 | , , . |
| + | + | 1053 |
1.1.3 | , « , . ». |
| + | + | 1110 |
1.1.4 | , . |
| + | + | 1059 |
1.1.5 | . |
| + | + | 1059 |
1.1.6 | , , , , , , . |
| + | + | 637 |
1.1.7 | , , . |
| + | + | 637 |
V1.2
, , , . .
2 – V1.2
№ | 1 | 2 | 3 | CWE | |
1.2.1 | , . |
| + | + | 250 |
1.2.2 | , API-, , . . |
| + | + | 306 |
1.2.3 | , , . |
| + | + | 306 |
1.2.4 | API- , , . |
| + | + | 306 |
V1.3
.
V1.4
3 – V1.4
№ | 1 | 2 | 3 | CWE | |
1.4.1 | , , , . . |
| + | + | 602 |
1.4.2 | , , . |
| + | + | 284 |
1.4.3 | , , URL-, , . . |
| + | + | 272 |
1.4.4 | . , . |
| + | + | 284 |
1.4.5 | , / , . - . |
| + | + | 275 |
V1.5
4.0 « » . - – . . , ASVS « », , , , API, , API , API . .
4 – V1.5
№ | 1 | 2 | 3 | CWE | |
1.5.1 | , , , , . |
| + | + | 1029 |
1.5.2 | , . , , (, ), , . |
| + | + | 502 |
1.5.3 | . |
| + | + | 602 |
1.5.4 | , . |
| + | + | 116 |
V1.6
. , – . , .
5 – V1.6
№ | 1 | 2 | 3 | CWE | |
1.6.1 | , , NIST SP 800-57. |
| + | + | 320 |
1.6.2 | , , API. |
| + | + | 320 |
1.6.3 | . |
| + | + | 320 |
1.6.4 | , , API, , , , , . . |
| + | + | 320 |
V1.7 ,
6 – V1.7 ,
№ | 1 | 2 | 3 | CWE | |
1.7.1 | . |
| + | + | 1009 |
1.7.2 | ( ) , , . |
| + | + |
|
V1.8
7 – V1.8
№ | 1 | 2 | 3 | CWE | |
1.8.1 | . |
| + | + |
|
1.8.2 | , , , , , . |
| + | + |
|
V1.9
8 – V1.9
№ | 1 | 2 | 3 | CWE | |
1.9.1 | , , , . |
| + | + | 319 |
1.9.2 | , « ». , TLS. |
| + | + | 295 |
V1.10
9 – V1.10
№ | 1 | 2 | 3 | CWE | |
1.10.1 | , , , . , . |
| + | + | 284 |
V1.11 -
10 – V1.11 -
№ | 1 | 2 | 3 | CWE | |
1.11.1 | - , . |
| + | + | 1059 |
1.11.2 | -, , , . |
| + | + | 362 |
1.11.3 | -, , , Time-of-check to time-of-use . |
|
| + | 367 |
V1.12
11 – V1.12
№ | 1 | 2 | 3 | CWE | |
1.12.1 | . |
| + | + | 552 |
1.12.2 | , - – octet-stream , , , . , XSS- . |
| + | + | 646 |
V1.13 API
API .
V1.14
12 – V1.14
№ | 1 | 2 | 3 | CWE | |
1.14.1 | , , API, -, (cloud-based security groups) . |
| + | + | 923 |
1.14.2 | , . |
| + | + | 494 |
1.14.3 | (build pipeline) . |
| + | + | 1104 |
1.14.4 | (build pipeline) , , , . |
| + | + |
|
1.14.5 | , , / , , , . |
| + | + | 256 |
1.14.6 | , , NSAPI, Flash, Shockwave, ActiveX, Silverlight, NACL Java-. |
| + | + | 477 |
. :
- OWASP Threat Modeling Cheat Sheet;
- OWASP Attack Surface Analysis Cheat Sheet;