https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Sajjad+PouraliOWASP - User contributions [en]2026-05-27T02:54:16ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=255735Category:OWASP Application Security Verification Standard Project2019-10-25T16:01:33Z<p>Sajjad Pourali: /* Download */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
== OWASP ASVS 4.0 Released! ==<br />
<br />
Get the new version of the ASVS 4.0 from the Downloads page.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br />
* Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
* Jim Manico [mailto:jim.manico@owasp.org @]<br />
* Mark Burnett<br />
* Josh C Grossman<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] <br />
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== GitHub Repo ==<br />
<br />
[https://github.com/OWASP/ASVS/tree/master/4.0 ASVS GitHub Repo]<br />
<br />
== Download ==<br />
<br />
ASVS 4.0 <br />
<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]<br />
<br />
== News and Events ==<br />
<br />
* [1 March 2019] ASVS 4.0 released!<br />
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen<br />
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!<br />
* [9 Oct 2015] Version 3.0 released<br />
* [20 May 2015] "First Cut" Version 3.0 released<br />
* [11 Aug 2014] Version 2.0 released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
== GitHub Repo ==<br />
<br />
[https://github.com/OWASP/ASVS/tree/master/4.0 ASVS GitHub Repo]<br />
<br />
== Download ==<br />
<br />
ASVS 4.0 (GitHub hosted)<br />
<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]<br />
<br />
Translations are coming for Hindi. If you want ASVS in your language, please contact the leadership directly or on Slack, and let's make it happen!<br />
<br />
ASVS 4.0 (OWASP.org hosted)<br />
<br />
* OWASP ASVS v4.0 English [[Media:OWASP_Application_Security_Verification_Standard_4.0-en.pdf|PDF]]<br />
* OWASP ASVS v4.0 English [[Media:OWASP_Application_Security_Verification_Standard_4.0-en.docx|Word]]<br />
* OWASP ASVS v4.0 Persian [[Media:OWASP Application Security Verification Standard 4.0-FA_.pdf|PDF]]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
Translators<br />
*Abbas Javan Jafari (Persian)<br />
*Sajjad Pourali (Persian)<br />
<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
If you can help with translations, please download the latest draft here:<br />
<br />
https://github.com/OWASP/ASVS<br />
<br />
If there are any incomprehensible English idiom or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. <br />
<br />
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. <br />
<br />
https://crowdin.com/project/owasp-asvs/<br />
<br />
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that the current version of ASVS is v4.0. The information on this page is for archival purposes only.*'''<br />
<br />
'''Application Security Verification Standard 3.0.1 '''<br />
<br />
== ASVS 3.0.1 in English ==<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Spanish==<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Polish==<br />
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]<br />
<br />
== ASVS 3.0.1 in Persian==<br />
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 3.0'''<br />
<br />
== ASVS 3.0 in English ==<br />
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]<br />
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet - 39 kB]]<br />
<br />
== Older versions ==<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])<br />
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])<br />
<br />
'''Application Security Verification Standard 1.0 - 2009'''<br />
<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=File:OWASP_Application_Security_Verification_Standard_4.0-FA_.pdf&diff=255734File:OWASP Application Security Verification Standard 4.0-FA .pdf2019-10-25T15:38:32Z<p>Sajjad Pourali: </p>
<hr />
<div>Persian Translation of OWASP Application Security Verification Standard 4.0 (High-quality)</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=255732Category:OWASP Application Security Verification Standard Project2019-10-25T14:05:21Z<p>Sajjad Pourali: /* Download */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
== OWASP ASVS 4.0 Released! ==<br />
<br />
Get the new version of the ASVS 4.0 from the Downloads page.<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br />
* Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
* Jim Manico [mailto:jim.manico@owasp.org @]<br />
* Mark Burnett<br />
* Josh C Grossman<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] <br />
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== GitHub Repo ==<br />
<br />
[https://github.com/OWASP/ASVS/tree/master/4.0 ASVS GitHub Repo]<br />
<br />
== Download ==<br />
<br />
ASVS 4.0 <br />
<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]<br />
<br />
== News and Events ==<br />
<br />
* [1 March 2019] ASVS 4.0 released!<br />
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen<br />
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!<br />
* [9 Oct 2015] Version 3.0 released<br />
* [20 May 2015] "First Cut" Version 3.0 released<br />
* [11 Aug 2014] Version 2.0 released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
== GitHub Repo ==<br />
<br />
[https://github.com/OWASP/ASVS/tree/master/4.0 ASVS GitHub Repo]<br />
<br />
== Download ==<br />
<br />
ASVS 4.0 (GitHub hosted)<br />
<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]<br />
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]<br />
<br />
Translations are coming for Hindi. If you want ASVS in your language, please contact the leadership directly or on Slack, and let's make it happen!<br />
<br />
ASVS 4.0 (OWASP.org hosted)<br />
<br />
* OWASP ASVS v4.0 English [[Media:OWASP_Application_Security_Verification_Standard_4.0-en.pdf|PDF]]<br />
* OWASP ASVS v4.0 English [[Media:OWASP_Application_Security_Verification_Standard_4.0-en.docx|Word]]<br />
* OWASP ASVS v4.0 Persian [[Media:OWASP Application Security Verification Standard 4.0-FA.pdf|PDF]]<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
Translators<br />
*Abbas Javan Jafari (Persian)<br />
*Sajjad Pourali (Persian)<br />
<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
If you can help with translations, please download the latest draft here:<br />
<br />
https://github.com/OWASP/ASVS<br />
<br />
If there are any incomprehensible English idiom or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. <br />
<br />
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. <br />
<br />
https://crowdin.com/project/owasp-asvs/<br />
<br />
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that the current version of ASVS is v4.0. The information on this page is for archival purposes only.*'''<br />
<br />
'''Application Security Verification Standard 3.0.1 '''<br />
<br />
== ASVS 3.0.1 in English ==<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Spanish==<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Polish==<br />
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]<br />
<br />
== ASVS 3.0.1 in Persian==<br />
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 3.0'''<br />
<br />
== ASVS 3.0 in English ==<br />
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]<br />
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet - 39 kB]]<br />
<br />
== Older versions ==<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])<br />
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])<br />
<br />
'''Application Security Verification Standard 1.0 - 2009'''<br />
<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=File:OWASP_Application_Security_Verification_Standard_4.0-FA.pdf&diff=255731File:OWASP Application Security Verification Standard 4.0-FA.pdf2019-10-25T14:04:21Z<p>Sajjad Pourali: </p>
<hr />
<div>Persian Translation of OWASP Application Security Verification Standard 4.0</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=243855User:Sajjad Pourali2018-09-30T19:32:07Z<p>Sajjad Pourali: add owasp asvs 3.0.1</p>
<hr />
<div>==About==<br />
'''Sajjad Pourali''' is the cyber security specialist and founder of [http://www.securation.com/ Securation].<br />
<br />
----<br />
<br />
<li>ASVS 3.0.1 in Persian ([[Media:OWASP ASVS Version 2 Persian.pdf|<nowiki/>]][https://www.owasp.org/images/3/30/OWASP_ASVS_3.0.1_%28Persian%29.pdf download PDF - 2.84MB]) </li><br />
<br />
<li>ASVS 2.0 in Persian ([[Media:OWASP ASVS Version 2 Persian.pdf|download PDF - 1.6MB]]) <br />
</li><br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_3.0.1_(Persian).pdf&diff=236270File:OWASP ASVS 3.0.1 (Persian).pdf2017-12-14T14:13:23Z<p>Sajjad Pourali: Sajjad Pourali uploaded a new version of File:OWASP ASVS 3.0.1 (Persian).pdf</p>
<hr />
<div>ترجمه فارسی استاندارد OWASP ASVS 3.0.1<br />
ترجمه شده توسط آزمایشگاه آپا دانشگاه فردوسی مشهد بسفارش مرکز ماهر<br />
cert.um.ac.ir<br />
certcc.ir</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=236126User:Sajjad Pourali2017-12-11T09:23:56Z<p>Sajjad Pourali: </p>
<hr />
<div>==About==<br />
'''Sajjad Pourali''' is the cyber security specialist and founder of [http://www.securation.com/ Securation].<br />
<br />
----<br />
<br />
<li>ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]]) </li><br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=236125Category:OWASP Application Security Verification Standard Project2017-12-11T09:06:45Z<p>Sajjad Pourali: Add Persian Translation of ASVS 3.0.1 Standard</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
== OWASP ASVS 3.1 (early access) ==<br />
<br />
* [[ASVS V1 Architecture]]<br />
* [[ASVS V2 Authentication]]<br />
* [[ASVS V3 Session Management]]<br />
* [[ASVS V4 Access Control]]<br />
* [[ASVS V5 Input validation and output encoding]]<br />
* [[ASVS V7 Cryptography]]<br />
* [[ASVS V8 Error Handling]]<br />
* [[ASVS V9 Data Protection]]<br />
* [[ASVS V10 Communications]]<br />
* [[ASVS V13 Malicious Code]]<br />
* [[ASVS V15 Business Logic Flaws]]<br />
* [[ASVS V16 Files and Resources]]<br />
* [[ASVS V17 Mobile]]<br />
* [[ASVS V18 API]]<br />
* [[ASVS V19 Configuration]]<br />
* [[ASVS V20 Internet of Things]]<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br/><br />
Jim Manico [mailto:jim.manico@owasp.org@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2016)]<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2013)] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0.1 in English.<br/><br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== News and Events ==<br />
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!<br />
* [9 Oct 2015] Version 3.0 released<br />
* [20 May 2015] "First Cut" Version 3.0 released<br />
* [11 Aug 2014] Version 2.0 released<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0.1 '''<br />
<br />
== ASVS 3.0.1 in English ==<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Spanish==<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]<br />
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]<br />
<br />
== ASVS 3.0.1 in Polish==<br />
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]<br />
<br />
== ASVS 3.0.1 in Persian==<br />
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 3.0'''<br />
<br />
== ASVS 3.0 in English ==<br />
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]<br />
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet - 39 kB]]<br />
<br />
== Older versions ==<br />
<br />
'''Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])<br />
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])<br />
<br />
'''Application Security Verification Standard 1.0 - 2009'''<br />
<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])<br />
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
Translators<br />
*Abbas Javan Jafari (Persian)<br />
*Sajjad Pourali (Persian)<br />
<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
If you can help with translations, please download the latest draft here:<br />
<br />
https://github.com/OWASP/ASVS<br />
<br />
If there are any incomprehensible English idiom or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. <br />
<br />
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. <br />
<br />
https://crowdin.com/project/owasp-asvs/<br />
<br />
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 3.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_3.0.1_(Persian).pdf&diff=236124File:OWASP ASVS 3.0.1 (Persian).pdf2017-12-11T09:03:15Z<p>Sajjad Pourali: </p>
<hr />
<div>ترجمه فارسی استاندارد OWASP ASVS 3.0.1<br />
ترجمه شده توسط آزمایشگاه آپا دانشگاه فردوسی مشهد بسفارش مرکز ماهر<br />
cert.um.ac.ir<br />
certcc.ir</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=203623User:Sajjad Pourali2015-11-20T08:15:09Z<p>Sajjad Pourali: </p>
<hr />
<div>==About==<br />
'''Sajjad Pourali''' is the developer of the [http://atossa.securation.com/ Atossa Framework] and founder of [http://www.securation.com/ Securation].<br />
<br />
----<br />
<br />
<li>ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]]) </li><br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201961Category:OWASP Application Security Verification Standard Project2015-10-11T16:55:40Z<p>Sajjad Pourali: /* Acknowledgements */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0 in English.<br/><br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])<br />
<br />
<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
Translators<br />
*Abbas Javan Jafari (Persian)<br />
*Sajjad Pourali (Persian)<br />
<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&diff=201960Category:OWASP Application Security Verification Standard Project2015-10-11T16:52:31Z<p>Sajjad Pourali: /* Downloads */</p>
<hr />
<div>= Home =<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is ASVS? ==<br />
<br />
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.<br />
<br />
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: <br />
<br />
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, <br />
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and <br />
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.<br />
<br />
<br />
<paypal>ASVS</paypal><br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Email List ==<br />
<br />
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]<br />
<br />
== Project Leader ==<br />
<br />
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]<br/><br />
Andrew van der Stock [mailto:vanderaj@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' <br />
<br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] <br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
ASVS 3.0 in English.<br/><br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
== News and Events ==<br />
* [9 Oct 2015] Version 3.0 released!<br />
* [20 May 2015] "First Cut" Version 3.0 released!<br />
* [11 Aug 2014] Version 2.0 released!<br />
* [28 Mar 2014] List of contributors added<br />
* [27 Mar 2014] New wiki template!<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Downloads =<br />
<br />
'''Application Security Verification Standard 3.0 '''<br />
<br />
* ASVS 3.0 in English <br />
([[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]])<br />
<br />
We are looking for translators for this version. If you can help us, please contact the project mail list!<br />
<br />
'''Legacy Application Security Verification Standard 2.0 (final)'''<br />
<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])<br />
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])<br />
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])<br />
<br />
<br />
<br />
'''Contributed'''<br />
We are looking for contributors to create excel sheets for version 3.0.<br />
<br />
= Acknowledgements =<br />
<br />
== Volunteers ==<br />
<br />
=== Version 3 (2015) ===<br />
<br />
Project Leaders<br />
<br />
*Daniel Cuthbert<br />
*Andrew van der Stock<br />
<br />
Lead Author<br />
*Jim Manico<br />
<br />
Other reviewers and contributors<br />
*Boy Baukema <br />
*Ari Kesäniemi<br />
*Colin Watson <br />
*François-Eric Guyomarc’h<br />
*Cristinel Dumitru <br />
*James Holland<br />
*Gary Robinson<br />
*Stephen de Vries<br />
*Glenn Ten Cate<br />
*Riccardo Ten Cate<br />
*Martin Knobloch<br />
*Abhinav Sejpal<br />
*David Ryan<br />
*Steven van der Baan<br />
*Ryan Dewhurst<br />
*Raoul Endres<br />
*Roberto Martelloni<br />
<br />
=== Version 2 (2014) ===<br />
<br />
Project leaders<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
<br />
Lead authors<br />
*Andrew van der Stock<br />
*Sahba Kazerooni<br />
*Daniel Cuthbert<br />
*Krishna Raja<br />
<br />
Other reviewers and contributors<br />
*Jerome Athias<br />
*Boy Baukema<br />
*Archangel Cuison<br />
*Sebastien.Deleersnyder<br />
*Antonio Fontes<br />
*Evan Gaustad<br />
*Safuat Hamdy<br />
*Ari Kesäniemi<br />
*Scott Luc<br />
*Jim Manico<br />
*Mait Peekma<br />
*Pekka Sillanpää<br />
*Jeff Sergeant<br />
*Etienne Stalmans<br />
*Colin Watson<br />
*Dr. Emin İslam Tatlı<br />
<br />
=== Version 2009 ===<br />
<br />
Project leader<br />
*Mike Boberski<br />
<br />
Lead authors<br />
*Mike Boberski<br />
*Jeff Williams<br />
*Dave Wichers<br />
<br />
Other reviewers and contributors<br />
<br />
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.<br />
<br />
== OWASP Summer of Code 2008 ==<br />
<br />
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.<br />
<br />
= Glossary =<br />
<br />
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' <br />
<br />
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. <br />
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. <br />
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. <br />
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. <br />
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. <br />
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. <br />
*'''Authentication''' – The verification of the claimed identity of an application user. <br />
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. <br />
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. <br />
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. <br />
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. <br />
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. <br />
*'''Design Verification''' – The technical assessment of the security architecture of an application. <br />
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. <br />
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. <br />
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. <br />
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. <br />
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. <br />
*'''External Systems''' – A server-side application or service that is not part of the application. <br />
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules <br />
*'''Input Validation''' – The canonicalization and validation of untrusted user input. <br />
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! <br />
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. <br />
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ <br />
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. <br />
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI <br />
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk <br />
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project <br />
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 <br />
*'''Positive''' – See whitelist. <br />
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. <br />
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. <br />
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). <br />
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. <br />
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. <br />
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. <br />
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. <br />
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. <br />
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. <br />
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.<br />
<br />
= ASVS Users =<br />
[[Image:Asvs-handshake.JPG]]<br />
<br />
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas] Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].<br />
<br />
= Precedents-Interpretations =<br />
<br />
'''PI-0001: Are there levels between the levels?''' <br />
<br />
*Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"? <br />
*Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged. <br />
*References: ASVS section "Application Security Verification Levels"<br />
<br />
'''PI-0002: Is use of a master key simply another level of indirection?''' <br />
<br />
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? <br />
*Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. <br />
*References: ASVS verification requirement V2.14<br />
<br />
'''PI-0003: What is a "TOV" or "Target of Verification"?''' <br />
<br />
*Issue: New terminology <br />
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the "Target of Verification" or simply the TOV. The TOV should be identified in verification documentation as follows: <br />
**TOV Identification – &lt;name and version of the application&gt; or &lt;Application name&gt;, &lt;application version&gt;, dynamic testing was performed in a staging environment, not the production environment <br />
**TOV Developer – &lt;insert name of the developer or verification customer&gt; <br />
*References: ASVS section "Approach"<br />
<br />
= Internationalization =<br />
<br />
[[Image:Asvs-writing.JPG]]<br />
<br />
The ASVS project is always on the lookout for volunteers who are interested in translating ASVS into another language. <br />
<br />
[http://owasp-project-management.googlecode.com/svn/trunk/documentation/asvs-translating.pdf Translation Onboarding Instructions]<br />
<br />
= Archive - Previous Version =<br />
<br />
'''*Please note that ASVS is currently on version 2.0. The information on this page is for archival purposes only.*'''<br />
<br />
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' <br />
<br />
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] <br />
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]<br />
<br />
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' <br />
<br />
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])<br />
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)<br />
*ASVS in Chinese(Currently under development!) <br />
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) <br />
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) <br />
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])<br />
*ASVS in Hungarian (Currently under development!) <br />
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) <br />
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7<br />
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])<br />
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])<br />
*ASVS in Spanish (Currently under development!)<br />
*ASVS in Thai (Currently under development!)<br />
<br />
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' <br />
<br />
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) <br />
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] <br />
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) <br />
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) <br />
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) <br />
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) <br />
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) <br />
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) <br />
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) <br />
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) <br />
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]<br />
<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project|Application Security Verification Standard Project]]<br />
[[Category:OWASP_Document]]<br />
[[Category:OWASP_Download]]<br />
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]<br />
[[Category:SAMM-CR-1]]<br />
[[Category:SAMM-DR-2]]<br />
[[Category:SAMM-ST-3]]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=File:OWASP_ASVS_Version_2_Persian.pdf&diff=201959File:OWASP ASVS Version 2 Persian.pdf2015-10-11T16:51:53Z<p>Sajjad Pourali: OWASP ASVS Version 2 Persian Translation</p>
<hr />
<div>OWASP ASVS Version 2 Persian Translation</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=189003User:Sajjad Pourali2015-02-04T13:32:56Z<p>Sajjad Pourali: /* About */</p>
<hr />
<div>==About==<br />
'''Sajjad Pourali''' is the developer of the [http://atossa.securation.com/ Atossa Framework] and founder of [http://www.securation.com/ Securation].<br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=189002User:Sajjad Pourali2015-02-04T13:32:11Z<p>Sajjad Pourali: </p>
<hr />
<div>==About==<br />
'''Sajjad Pourali''' is the developer of the Atossa Framework and founder of [http://www.securation.com/ Securation].<br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=182953User:Sajjad Pourali2014-09-27T11:18:25Z<p>Sajjad Pourali: /* About */</p>
<hr />
<div>==About==<br />
Founder of [http://www.securation.com/ Securation]<br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=182952User:Sajjad Pourali2014-09-27T10:48:35Z<p>Sajjad Pourali: /* About */</p>
<hr />
<div>==About==<br />
[http://www.securation.com/ Securation]<br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=182951User:Sajjad Pourali2014-09-27T10:47:36Z<p>Sajjad Pourali: /* About */</p>
<hr />
<div>==About==<br />
[http://www.securation.com/[Securation]]<br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=182950User:Sajjad Pourali2014-09-27T10:47:11Z<p>Sajjad Pourali: /* Contact */</p>
<hr />
<div>==About==<br />
http://www.securation.com/[Securation]<br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=182949User:Sajjad Pourali2014-09-27T09:58:03Z<p>Sajjad Pourali: /* About */</p>
<hr />
<div>==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]<br />
<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=182948User:Sajjad Pourali2014-09-27T09:54:18Z<p>Sajjad Pourali: /* Contact */</p>
<hr />
<div>==About==<br />
Founder of [Securation][http://www.securation.com]<br />
==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=175959Category:OWASP Top Ten Project2014-05-28T15:39:23Z<p>Sajjad Pourali: </p>
<hr />
<div>{{Social Media Links}}<br />
<br />
=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Top 10==<br />
<br />
The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.<br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
==Translation Efforts==<br />
<br />
The OWASP Top 10 has been translated to many different languages by numerous volunteers. These translations are available as follows:<br />
<br />
* [[Top10#OWASP_Top_10_for_2013 | All versions of the OWASP Top 10 - 2013]]<br />
* [[Top10#OWASP_Top_10_for_2010 | All versions of the OWASP Top 10 - 2010]]<br />
* [[Top10#Translation_Efforts | Information about the various translation teams]]<br />
<br />
==Licensing==<br />
The OWASP Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Top 10? ==<br />
<br />
The OWASP Top 10 provides:<br />
<br />
* A list of the 10 Most Critical Web Application Security Risks<br />
<br />
And for each Risk it provides:<br />
* A description<br />
* Example vulnerabilities<br />
* Example attacks<br />
* Guidance on how to avoid<br />
* References to OWASP and other related resources<br />
<br />
== Project Leader ==<br />
<br />
* [[User:Wichers | Dave Wichers]]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks | OWASP Mobile Top 10 Risks]]<br />
<br />
* [[OWASP_Top_Ten_Cheat_Sheet | OWASP Top 10 Cheat Sheet]]<br />
<br />
* [[OWASP_Proactive_Controls | Top 10 Proactive Controls]]<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
== Ohloh ==<br />
<br />
*https://www.ohloh.net/p/OWASP-Top-10<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Covering Each Item in the Top 10 (PPTX)].<br />
<br />
== Email List ==<br />
<br />
[https://lists.owasp.org/mailman/listinfo/Owasp-topten Project Email List]<br />
== News and Events ==<br />
* [12 Jun 2013] OWASP Top 10 - 2013 Final Released<br />
* [Feb 2013] Draft OWASP Top 10 - 2013 - Released for Public Comment<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].<br />
* [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)]<br />
* [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian (PDF)]<br />
* [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf (PDF direct download)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
*[https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].<br />
*[https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)].<br />
* [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf (PDF direct download)]. <br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
= Translation Efforts =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
2013 Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*Spanish 2013: [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)] Gerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger: fabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley: johnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez: mateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez: rodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria: felipe.zipitria@owasp.org, Fabien Spychiger: fabien.spychiger@dreamlab.net, Rafael Gil: rafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, jonathan fernandez jonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre: hector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon: johnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes: carlos.allendes@owasp.org, daniel@carrero.cl: daniel@carrero.cl, Manuel Ramírez: manuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada: mpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel Bahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Jorge Correa: jacorream@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez Guerrero: german.suarez@owasp.org, Jose A. Guasch: jaguasch@gmail.com, Edgar Salazar: edgar.salazar@owasp.org<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Arabic: [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic PDF] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org<br />
*Ukrainian 2013: [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian PDF] Kateryna Ovechenko, Yuriy Fedko, Gleb Paharenko, Yevgeniya Maskayeva, Sergiy Shabashkevich, Bohdan Serednytsky<br />
*Japanese 2013: [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)] Translated by: Chia-Lung Hsieh: ryusuke.tw(at)gmail.com, Reviewed by: Hiroshi Tokumaru, Takanori Nakanowatari<br />
* Hebrew 2013: [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf (PDF direct download)] Translated by: Or Katz, Eyal Estrin, Oran Yitzhak, Dan Peled, Shay Sivan.<br />
<br />
<br />
2010 Completed Translations:<br />
<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew: [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew Project]] -- [https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]. Lead by Or Katz, see translation page for list of contributors.<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
*Hungarian: tibor.fekete@owasp.org<br />
*Persian (Farsi): Shahab Namazikhah (namazikhah@hotmail.com)<br />
<br />
= Project Details =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= Some Commercial & OWASP Uses of the Top 10 =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (WAF) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[[OWASP_Top_10/Mapping_to_WHID | OWASP]]<br />
:OWASP Top 10 Mapped to the Web Hacking Incident Database<br />
<br />
;[[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | OWASP]]<br />
:OWASP Mobile Top 10 Risks<br />
<br />
;[[OWASP_Top_Ten_Cheat_Sheet | OWASP]]<br />
:OWASP Top 10 Cheat Sheet<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=User:Sajjad_Pourali&diff=165531User:Sajjad Pourali2014-01-07T12:51:09Z<p>Sajjad Pourali: </p>
<hr />
<div>==Contact==<br />
[mailto:sajjad@securation.com sajjad@securation.com]</div>Sajjad Pouralihttps://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&diff=165530Category:OWASP Top Ten Project2014-01-07T11:52:30Z<p>Sajjad Pourali: Adding Persian (Farsi) language .</p>
<hr />
<div>{{OWASP Book|1400974}} <br />
<br />
{{Social Media Links}}<br />
<br />
= OWASP Top 10 for 2013 =<br />
<br />
'''Welcome to the OWASP Top Ten Project''' - if you're looking for the OWASP Top 10 Mobile [[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | Click Here]]<br />
<br />
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.<br />
<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].<br />
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]<br />
* [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].<br />
* [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx OWASP Top 10 2013 Presentation - Focusing on What Changed Since 2010 (PPTX)]<br />
* [http://owasptop10.googlecode.com/files/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].<br />
<br />
<br />
The OWASP Top 10 - 2013 is as follows:<br />
<br />
* [[Top_10_2013-A1-Injection | A1 Injection]]<br />
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]<br />
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]<br />
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]<br />
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]<br />
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]<br />
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]<br />
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]<br />
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]<br />
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]<br />
<br />
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]<br />
<br />
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! <br />
<br />
As you help us spread the word, please emphasize: <br />
<br />
*OWASP is reaching out to developers, not just the application security community <br />
*The Top 10 is about managing risk, not just avoiding vulnerabilities <br />
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation<br />
<br />
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 and 2010 version were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and they will be posted as they become available. <br />
<br />
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.<br />
<br />
== Changes between 2010 and 2013 Editions ==<br />
<br />
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:<br />
<br />
* A1 Injection<br />
* A2 Broken Authentication and Session Management (was formerly 2010-A3)<br />
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)<br />
* A4 Insecure Direct Object References<br />
* A5 Security Misconfiguration (was formerly 2010-A6)<br />
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)<br />
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)<br />
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)<br />
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)<br />
* A10 Unvalidated Redirects and Forwards<br />
<br />
== 2013 Versions ==<br />
<br />
2013 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 - PDF] <br />
*[[Top_10_2013 | OWASP Top 10 2013 - wiki]]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].<br />
*[https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].<br />
*[https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korea (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].<br />
*[https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].<br />
*[https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].<br />
*[https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)].<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]<br />
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]<br />
<br />
== Feedback ==<br />
<br />
Please let us know how your organization is using the Top Ten. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! <br />
<br />
We hope you find the information in the OWASP Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org Thanks! <br />
<br />
To join the OWASP Top Ten mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] <br />
<br />
== Project Sponsors ==<br />
<br />
The OWASP Top Ten project is sponsored by {{MemberLinks|link=http://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}<br />
<br />
<!-- ==== Project Identification ====<br />
{{Template:OWASP OWASP_Top10 Project}} --><br />
<br />
= OWASP Top 10 for 2010 =<br />
<br />
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] <br />
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] <br />
*[http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]<br />
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused alot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]<br />
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was 1st released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]<br />
<br />
The OWASP Top 10 Web Application Security Risks for 2010 are: <br />
<br />
*[[Top_10_2010-A1|A1: Injection]]<br />
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]<br />
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]<br />
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]<br />
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]<br />
*[[Top_10_2010-A6|A6: Security Misconfiguration]]<br />
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]<br />
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]<br />
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]<br />
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]<br />
<br />
== Introduction ==<br />
<br />
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages and the 2010 version was translated into even more languages. See below for all the translated versions.<br />
<br />
== 2010 Versions ==<br />
<br />
2010 Edition: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] <br />
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]<br />
<br />
2010 Translations: <br />
<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] <br />
*[https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 2010 - German PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]<br />
*[http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]<br />
*[http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]<br />
*[http://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]<br />
*[http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]<br />
*[http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]<br />
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]<br />
<br />
2010 Release Candidate: <br />
<br />
*[http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] <br />
*[http://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [http://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].<br />
<br />
Previous versions: <br />
<br />
*[http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] <br />
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] <br />
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] <br />
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]<br />
<br />
<br />
= Translation Efforts =<br />
<br />
Efforts are underway in numerous languages to translate the OWASP Top 10 for 2013. If you are interested in helping, please contact the other members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language too!!<br />
<br />
Here is the original source document for the [https://www.owasp.org/images/4/4d/OWASP_Top_10_-_2013_Final_-_English.pptx OWASP Top 10 - 2013 which is in PowerPoint]. Please use this document as the basis for your translation efforts.<br />
<br />
Completed Translations:<br />
<br />
*French 2013: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com<br />
*Brazilian Portuguese 2013: [http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte<br />
*Spanish 2013: [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)] Gerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger: fabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley: johnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez: mateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez: rodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria: felipe.zipitria@owasp.org, Fabien Spychiger: fabien.spychiger@dreamlab.net, Rafael Gil: rafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, jonathan fernandez jonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre: hector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon: johnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes: carlos.allendes@owasp.org, daniel@carrero.cl: daniel@carrero.cl, Manuel Ramírez: manuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada: mpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel Bahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Jorge Correa: jacorream@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez Guerrero: german.suarez@owasp.org, Jose A. Guasch: jaguasch@gmail.com, Edgar Salazar: edgar.salazar@owasp.org<br />
*French 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com <br />
*German: [https://www.owasp.org/images/b/b8/OWASPTop10_DE_Version_1_0.pdf OWASP Top 10 - German PDF] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer<br />
*Indonesian: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad<br />
*Italian: [http://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni<br />
*Japanese: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima<br />
*Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com<br />
*Korean 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)<br />
*Spanish 2010: [http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] *Daniel Cabezas Molina , Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera<br />
*Chinese: [http://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] 感谢以下为中文版本做出贡献的翻译人员和审核人员: Rip Torn, 钟卫林, 高雯, 王颉, 于振东<br />
*Vietnamese: [http://owasptop10.googlecode.com/files/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] (NEW) Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam<br />
*Hebrew (New): [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew]]. Lead by Or Katz, see translation page for list of contributors.<br />
*Arabic (New): [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic] Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org<br />
<br />
Volunteer Translation Efforts Underway: <br />
<br />
*Portuguese: carlos.j.serrao@gmail.com; taquiles@gmail.com; wagner.elias@owasp.org; victoreufrasio@gmail.com; leo.cavallari@owasp.org; victoreufrasio@gmail.com; <br />
*Greek: Konstantinos Papapanagiotou (conpap@di.uoa.gr) <br />
*Turkish: bora@abi.com.tr <br />
*Malay: cecil.su@owasp.org <br />
*Czech: petr.zavodsky@owasp-czech-republic.cz<br />
*Dutch: marinus@kuivenhoven.com<br />
*Swedish: ake.bengtsson@owasp.org<br />
*Hungarian: tibor.fekete@owasp.org<br />
*Persian (Farsi): Shahab Namazikhah (shahab@securation.com), Sajjad Pourali (sajjad@securation.com) <br />
<br />
= Project Details =<br />
<br />
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}<br />
<br />
= How Are Companies-Projects-Vendors Using the OWASP Top 10 =<br />
<br />
Click the links for more details on each use! <br />
<br />
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to "cover" or "ensure compliance" with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (waf) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. <br />
<br />
;[http://blogs.msdn.com/b/sdl/archive/2008/05/01/sdl-and-the-owasp-top-ten.aspx Microsoft] <br />
:as a way to measure the coverage of their SDL and improve security<br />
<br />
;[http://www.nsa.gov/applications/search/index.cfm?q=owasp NSA] <br />
:in their developer guidance on web application security<br />
<br />
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] <br />
:as part of the Payment Card Industry Data Security Standard (PCI DSS)<br />
<br />
;[http://community.citrix.com/display/ocb/2010/06/02/NetScaler+Application+Firewall+and+the+OWASP+Top+10+2010 Citrix] <br />
:in a guide showing how to configure their NetScalar product<br />
<br />
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] <br />
:to show how "T10 threats are handled by the security design and test procedures of Microsoft"<br />
<br />
;[http://www.web2py.com/examples/default/security web2py] <br />
:to demonstrate the security of this Python web framework<br />
<br />
;[http://www.owasp.org/index.php/Commentary_OWASP_Top_Ten_2004_Project Oracle] <br />
:for developer awareness<br />
<br />
;[http://www.theatremanagerhelp.com/book/export/html/1640 TheatreManager] <br />
:to show how their product is secure for web use<br />
<br />
;[http://knol.google.com/k/automated-vulnerabilty-scanners-and-the-owasp-top-10# WhiteHat] <br />
:as a way to explain the coverage of their service<br />
<br />
;[http://www.imperva.com/docs/TB_SecureSphere_OWASP_2010-Top-Ten.pdf Imperva] <br />
:to show the coverage of the SecureSphere tool<br />
<br />
;[http://blog.cenzic.com/public/item/254309 Cenzic] <br />
:to enable "focused scans for compliance testing with the updated PCI standard"<br />
<br />
== Users and Adopters ==<br />
<br />
The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process ([http://iase.disa.mil/diacap/ DIACAP]). <br />
<br />
In the commercial market, the [http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf Payment Card Industry (PCI) standard] has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including: <br />
<br />
*A.G. Edwards <br />
*Bank of Newport <br />
*Best Software <br />
*British Telecom <br />
*Bureau of Alcohol, Tobacco, and Firearms (ATF) <br />
*Citibank <br />
*Cboss Internet <br />
*Cognizant <br />
*Contra Costa County, CA <br />
*Corillian Corporation <br />
*Digital Payment Technologies <br />
*Foundstone Strategic Security <br />
*HP <br />
*IBM Global Services <br />
*MorphoTrust USA<br />
*National Australia Bank <br />
*Norfolk Southern <br />
*OneSAS.com <br />
*Online Business Systems <br />
*Predictive Systems <br />
*Price Waterhouse Coopers <br />
*Recreational Equipment, Inc. (REI) <br />
*SSP Solutions <br />
*Samsung SDS (Korea) <br />
*Sempra Energy <br />
*Sprint <br />
*Sun Microsystems <br />
*Swiss Federal Institute of Technology <br />
*Symantec <br />
*Texas Dept of Human Services <br />
*The Hartford <br />
*Zapatec <br />
*ZipForm <br />
*...and many others<br />
<br />
Several schools have also adopted the OWASP Top Ten as a part of their curriculum, including Michigan State University (MSU), and the University of California at San Diego (UCSD). <br />
<br />
Several open source projects have adopted the OWASP Top Ten as part of their security audits, including: <br />
<br />
*[http://plone.org Plone open source CMS project] (managed by the Plone Foundation)<br />
<br />
<br />
= Other uses and resources =<br />
<br />
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]<br />
<br />
__NOTOC__ <headertabs /><br />
<br />
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]</div>Sajjad Pourali