<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Vanderaj</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Vanderaj"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Vanderaj"/>
		<updated>2026-04-09T21:04:39Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248188</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248188"/>
				<updated>2019-03-02T03:06:18Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Fix Github links&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 Released! ==&lt;br /&gt;
&lt;br /&gt;
Get the new version of the ASVS 4.0 from the Downloads page.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leaders ==&lt;br /&gt;
&lt;br /&gt;
* Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&lt;br /&gt;
* Andrew van der Stock [mailto:vanderaj@owasp.org @]&lt;br /&gt;
* Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
* Mark Burnett&lt;br /&gt;
* Josh C Grossman&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/tree/master/4.0 ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 released!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/tree/master/4.0 ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
Translations are coming for Hindi. If you want ASVS in your language, please contact the leadership directly or on Slack, and let's make it happen!&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than on, for example, the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' – A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' – The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input, used to perform input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance toolboxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese(Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248129</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248129"/>
				<updated>2019-03-01T11:29:17Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: ASVS 4.0 release&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 Released! ==&lt;br /&gt;
&lt;br /&gt;
Get the new version of the ASVS 4.0 from the Downloads page.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leaders ==&lt;br /&gt;
&lt;br /&gt;
* Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&lt;br /&gt;
* Andrew van der Stock [mailto:vanderaj@owasp.org @]&lt;br /&gt;
* Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
* Mark Burnett&lt;br /&gt;
* Josh C Grossman&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 released!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
Translations are coming for Hindi. If you want ASVS in your language, please contact the leadership directly or on Slack, and let's make it happen!&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien.Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on, for example, the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DoS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input, used when performing input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)] and [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas].&lt;br /&gt;
&lt;br /&gt;
Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, while NOT making any claims of meeting any given level in the standard.&lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese (Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248128</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248128"/>
				<updated>2019-03-01T11:27:10Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* Project Leader */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leaders ==&lt;br /&gt;
&lt;br /&gt;
* Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&lt;br /&gt;
* Andrew van der Stock [mailto:vanderaj@owasp.org @]&lt;br /&gt;
* Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
* Mark Burnett&lt;br /&gt;
* Josh C Grossman&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 released!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 is coming in a few hours. Older versions, including the (current for the next few hours) 3.0.1, are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien.Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' – A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' – The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input, used to perform input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. It may also include performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70-page document and, in all honesty, it will take a dedicated person a week or more to translate, so please, please, please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|Download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 Excel sheet - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0 MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'''1. About ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'''2. Get ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese (Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248127</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248127"/>
				<updated>2019-03-01T11:26:37Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* Project Leader */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
* Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&lt;br /&gt;
* Andrew van der Stock [mailto:vanderaj@owasp.org @]&lt;br /&gt;
* Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
* Mark Burnett&lt;br /&gt;
* Josh C Grossman&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 released!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 is coming in a few hours. Older versions, including the (current for the next few hours) 3.0.1, are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien.Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of the components that make up the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than, for example, on the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Cryptographic Module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DoS) Attacks''' – Attacks that flood an application with more requests than it can handle, leaving it unable to serve legitimate users. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input, against which input validation is performed.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)] and [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas].&lt;br /&gt;
&lt;br /&gt;
Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. It may also include performing internal evaluation of products with the OWASP ASVS in mind, without making any claim of meeting a given level in the standard.&lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
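&lt;br /&gt;
The master-key design that PI-0002 argues for, shown as an added example that is not part of the ASVS project or of this page: one master key (a key-encrypting key) wraps every other secret, so only the master key needs a secure home and rotating it is one operation in one place. Assumptions: the names Vault, Seal, Open and Rewrap are chosen here for illustration; the random in-memory master key stands in for a key held in an HSM, cloud KMS or OS keystore; the secret names and values are constructed sample data.&lt;br /&gt;

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Vault wraps every application secret under one master key with
// AES-256-GCM. Only the master key needs a secure home (HSM, cloud KMS,
// OS keystore); the wrapped secrets are ciphertext and can sit in config.
type Vault struct {
	aead cipher.AEAD
}

// NewVault builds a vault from a 32-byte master key.
func NewVault(master []byte) (Vault, error) {
	if len(master) != 32 {
		return Vault{}, errors.New("master key must be 32 bytes")
	}
	block, err := aes.NewCipher(master)
	if err != nil {
		return Vault{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Vault{}, err
	}
	return Vault{aead: aead}, nil
}

// Seal encrypts one secret under the master key. The secret's name is
// bound as additional authenticated data, so a blob copied from one
// configuration slot into another fails to decrypt.
func (v Vault) Seal(name string, secret []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Output layout: nonce || ciphertext || GCM tag, base64 for config files.
	blob := v.aead.Seal(nonce, nonce, secret, []byte(name))
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open decrypts a blob produced by Seal for the same name.
func (v Vault) Open(name, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return nil, errors.New("blob too short")
	}
	return v.aead.Open(nil, raw[:ns], raw[ns:], []byte(name))
}

// Rewrap re-encrypts every stored secret from one master key to another.
// Master-key rotation is one operation here; secrets and consumers stay unchanged.
func Rewrap(from, to Vault, secrets map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(secrets))
	for name, blob := range secrets {
		plain, err := from.Open(name, blob)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		wrapped, err := to.Seal(name, plain)
		if err != nil {
			return nil, err
		}
		out[name] = wrapped
	}
	return out, nil
}

func main() {
	// Stand-in for a master key fetched from an HSM or KMS at startup.
	master := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	vault, err := NewVault(master)
	if err != nil {
		panic(err)
	}
	// Constructed sample secret; a deployment seals once and commits only the blob.
	blob, _ := vault.Seal("db_password", []byte("hunter2"))
	plain, _ := vault.Open("db_password", blob)
	fmt.Printf("db_password decrypts to %q\n", plain)
	_, err = vault.Open("api_key", blob)
	fmt.Println("blob is bound to its name, cross-slot open fails:", err != nil)
}
```

Binding the secret's name as GCM additional data is what stops a wrapped value from being moved between configuration slots; the master key never leaves the process that holds it, and the wrapped secrets stay ciphertext wherever the configuration is copied or backed up.&lt;br /&gt;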
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification: if it's hard to translate, it's almost certainly unclear in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70-page document that will, in all honesty, take a dedicated person a week or more to translate, so please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'''1. About ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'''2. Get ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese(Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248126</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248126"/>
				<updated>2019-03-01T11:26:07Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* News and Events */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 released!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 coming in a few hours. Older versions including the (current for the next few hours) 3.0.1 are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of the components that make up the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than, for example, on the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Cryptographic Module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DoS) Attacks''' – Attacks that flood an application with more requests than it can handle, leaving it unable to serve legitimate users. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development, unbeknownst to the application owner, that circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input. Input validation against a whitelist accepts only what the list names and rejects everything else.&lt;br /&gt;
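&lt;br /&gt;
The Blacklist, Whitelist and Input Validation entries above describe canonicalization followed by positive (whitelist) validation. The Python below is an added example, not code from this page or from any OWASP project: it canonicalizes an input (percent-decoding until the value stops changing, then Unicode NFKC) and compares a blacklist applied to the raw value against a whitelist applied after canonicalization. The username policy, the blacklisted characters and the sample inputs are constructed for illustration.&lt;br /&gt;
&lt;br /&gt;
```python
import re
import unicodedata
from urllib.parse import unquote

# Characters a blacklist would try to keep out. Written as escapes so the example
# itself carries no literal angle brackets: '\u003c' is the less-than sign and
# '\u003e' the greater-than sign.
DENIED = frozenset('\u003c\u003e"')

# Positive pattern for a username-style field: a constructed policy for this example.
USERNAME = re.compile(r'[A-Za-z0-9_.@-]{1,64}')


def canonicalize(raw):
    """Reduce the input to one canonical form before any check runs: percent-decode
    until the value stops changing (bounded, so nested encodings cannot loop forever),
    then apply Unicode NFKC so compatibility forms such as fullwidth ASCII collapse."""
    value = raw
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize('NFKC', value)


def blacklist_rejects(raw):
    """Blacklist applied to the raw value: only the listed characters are caught."""
    return any(ch in DENIED for ch in raw)


def whitelist_accepts(raw):
    """Whitelist applied after canonicalization: only what the policy names is accepted."""
    return USERNAME.fullmatch(canonicalize(raw)) is not None


# Constructed samples: two benign values, then four spellings of the same
# '\u003cscript' prefix that a browser or a downstream decoder would treat alike.
SAMPLES = [
    'alice',
    'bob.smith@example.org',
    '\u003cscript',      # literal less-than sign
    '%3Cscript',         # percent-encoded
    '%253Cscript',       # double percent-encoded
    '\uff1cscript',      # fullwidth less-than sign (U+FF1C); NFKC folds it to U+003C
]


def compare(samples=SAMPLES):
    """Return {input: (rejected_by_blacklist, accepted_by_whitelist)}."""
    return {s: (blacklist_rejects(s), whitelist_accepts(s)) for s in samples}
```
&lt;br /&gt;
Running compare() shows the blacklist rejecting only the literal spelling while the percent-encoded, double-encoded and fullwidth spellings of the same prefix pass it; the whitelist rejects all four, because every check runs on the canonical form. That is why the glossary ties validation to canonicalization rather than to a list of bad characters.&lt;br /&gt;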
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard; it may also include performing internal evaluation of products with the OWASP ASVS in mind and NOT making any claim of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS: include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location, separate from the data it protects, that is used to encrypt all other secrets. In many applications there are many secrets stored in many different locations, which greatly increases the likelihood that one of them will be compromised. With a single master key there is exactly one secret that must be protected at the highest level, and its storage, access control and rotation are managed in one place; that is a reduction of the problem, not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
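&lt;br /&gt;
The pattern the resolution describes is a key hierarchy: each secret is encrypted under its own data key, every data key is wrapped under the one master key, and only the master key has to live somewhere secure. The Python below is an added example, not code from this page or from any OWASP project, showing why that is more than indirection: rotating the master key re-wraps the small data keys and leaves the stored ciphertexts alone, and a store that holds only wrapped keys is useless to anyone who copies it without the master key. It uses an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM so that it runs on the standard library alone; the store layout, secret names and values are constructed for illustration.&lt;br /&gt;
&lt;br /&gt;
```python
import hashlib
import hmac
import secrets


def _subkey(key, label):
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256; illustrative stand-in for a real cipher.
    blocks = (length + 31) // 32
    stream = b''.join(
        hmac.new(enc_key, nonce + i.to_bytes(4, 'big'), hashlib.sha256).digest()
        for i in range(blocks))
    return stream[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b'enc'), _subkey(key, b'mac')
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first; a wrong key or a modified blob raises instead of decrypting."""
    enc_key, mac_key = _subkey(key, b'enc'), _subkey(key, b'mac')
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError('authentication failed: wrong key or tampered data')
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecretStore:
    """What gets persisted: for each secret, its data key wrapped under the master
    key plus the ciphertext. The master key is never written here; callers pass it
    in from wherever it is kept (environment, OS key store, HSM)."""

    def __init__(self):
        self.entries = {}  # maps secret name to (wrapped_data_key, ciphertext)

    def put(self, master_key, name, secret):
        data_key = secrets.token_bytes(32)  # one fresh data key per secret
        self.entries[name] = (seal(master_key, data_key), seal(data_key, secret))

    def get(self, master_key, name):
        wrapped, ct = self.entries[name]
        return unseal(unseal(master_key, wrapped), ct)

    def rotate_master_key(self, old_master, new_master):
        """Re-wrap every data key under the new master; ciphertexts are untouched.
        Returns the number of keys re-wrapped."""
        for name, (wrapped, ct) in list(self.entries.items()):
            self.entries[name] = (seal(new_master, unseal(old_master, wrapped)), ct)
        return len(self.entries)


def demo():
    """Lifecycle walk-through with constructed secret names and values."""
    master = secrets.token_bytes(32)  # demo only: load from env/KMS/HSM in real code
    store = SecretStore()
    store.put(master, 'db_password', b'hunter2-not-really')
    store.put(master, 'api_token', b'tok_constructed_sample')
    ciphertexts_before = {n: ct for n, (_, ct) in store.entries.items()}
    new_master = secrets.token_bytes(32)
    rewrapped = store.rotate_master_key(master, new_master)
    old_key_still_works = True
    try:
        store.get(master, 'db_password')  # old master can no longer unwrap anything
    except ValueError:
        old_key_still_works = False
    return {
        'db_password': store.get(new_master, 'db_password'),
        'api_token': store.get(new_master, 'api_token'),
        'rewrapped': rewrapped,
        'ciphertext_unchanged': all(
            store.entries[n][1] == ct for n, ct in ciphertexts_before.items()),
        'old_key_still_works': old_key_still_works,
    }
```
&lt;br /&gt;
The master key is generated inside demo() only so the example runs; the point of the resolution is that it is loaded from a location outside the store on every call and is never persisted next to the wrapped keys. If the master key is written in plaintext beside the store, the objection raised in the issue holds and the hierarchy is indeed just indirection.&lt;br /&gt;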
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70-page document and, in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mailing list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese(Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248125</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248125"/>
				<updated>2019-03-01T11:25:38Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* Download */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
* [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 to be released at Nullcon Goa at 2 pm IST. Come back soon!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 coming in a few hours. Older versions including the (current for the next few hours) 3.0.1 are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DoS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development, unbeknownst to the application owner, that circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input during input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance toolboxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70-page document and, in all honesty, it will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese(Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248124</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248124"/>
				<updated>2019-03-01T11:25:06Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* Quick Download */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== GitHub Repo ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
== Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
- [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
- [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
- [https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 to be released at Nullcon Goa at 2 pm IST. Come back soon!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 coming in a few hours. Older versions including the (current for the next few hours) 3.0.1 are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input during input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance toolboxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70-page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0. The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 Excel sheet - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0 MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese (Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248123</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248123"/>
				<updated>2019-03-01T11:24:27Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* Quick Download */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/4.0/ ASVS GitHub Repo]&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
&lt;br /&gt;
[https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf English PDF (1.1 MB)]&lt;br /&gt;
[https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx English Word (560 kB)]&lt;br /&gt;
[https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv English CSV (65 kB)]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 to be released at Nullcon Goa at 2 pm IST. Come back soon!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 coming in a few hours. Older versions including the (current for the next few hours) 3.0.1 are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' – A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' – The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70-page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0. The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 Excel sheet - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese (Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248122</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248122"/>
				<updated>2019-03-01T11:19:57Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Final uploads&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
[ASVS GitHub Repo](https://github.com/OWASP/ASVS/4.0/)&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 &lt;br /&gt;
- [English PDF (1.1 MB)](https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf)&lt;br /&gt;
- [English Word (507 kB)](https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.docx)&lt;br /&gt;
- [English CSV (65 kB)](https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.csv)&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 to be released at Nullcon Goa at 2 pm IST. Come back soon!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 coming in a few hours. Older versions including the (current for the next few hours) 3.0.1 are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than on, for example, the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DoS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' – A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' – The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of allowed characters against which input validation is performed.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70-page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 Excel sheet - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese (Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248116</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248116"/>
				<updated>2019-03-01T04:20:56Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: 4.0 release readiness&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 (coming soon!)&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 to be released at Nullcon Goa at 2 pm IST. Come back soon!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
OWASP ASVS 4.0 coming in a few hours. Older versions including the (current for the next few hours) 3.0.1 are available in the archives.&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien.Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on, for example, the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of the characters that are allowed, used to perform input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. It may also include performing an internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS: include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that the current version of ASVS is v4.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese (Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248115</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248115"/>
				<updated>2019-03-01T04:18:17Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* OWASP ASVS 4.0 will be released in early 2019 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 at 2 pm IST today ==&lt;br /&gt;
&lt;br /&gt;
Please come back in a few hours to download the latest, dramatically improved version of the OWASP Application Security Verification Standard 4.0.&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 (coming soon!)&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 to be released at Nullcon Goa at 2 pm IST. Come back soon!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on, for example, the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input, used to perform input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP. Neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document and, in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that ASVS is currently on version 3.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese(Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248114</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248114"/>
				<updated>2019-03-01T04:17:24Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: 4.0 release readiness&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 will be released in early 2019 ==&lt;br /&gt;
&lt;br /&gt;
Please note there will &amp;lt;b&amp;gt;not be a 3.1 release&amp;lt;/b&amp;gt; and we will be going directly from &amp;lt;b&amp;gt;ASVS 3.0.1 to 4.0 in February 2019&amp;lt;/b&amp;gt;!&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 (coming soon!)&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [1 March 2019] ASVS 4.0 to be released at Nullcon Goa at 2 pm IST. Come back soon!&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 Excel sheet - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0 MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DoS) Attacks''' – Attacks that make an application unavailable to its legitimate users, most simply by flooding it with more requests than it can handle, but also by exhausting a scarce resource (memory, connections, CPU, disk) with a smaller number of expensive requests. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' – A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' – The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input. Input validation against a whitelist (positive validation) rejects everything that is not explicitly permitted, so it does not depend on enumerating every dangerous input in advance.&lt;br /&gt;
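&lt;br /&gt;
The Blacklist, Input Validation and Whitelist entries above describe positive validation of canonicalized input. The Go program below is an added example, not part of the ASVS or of this page, showing why the order matters: canonicalize first, then validate against a whitelist. The username rule, the forbidden-character list and the sample inputs are constructed for the example, and it assumes input arrives percent-encoded, as in a query string.&lt;br /&gt;

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"unicode/utf8"
)

// forbidden is a blacklist written as hex escapes: the two angle brackets,
// both quote marks and the ampersand. It only catches what someone listed.
const forbidden = "\x3c\x3e'\"\x26"

// BlocklistPasses is the blacklist (negative) check: true means "no forbidden
// character seen". Applied to raw, still-encoded input it is easily bypassed.
func BlocklistPasses(input string) bool {
	return !strings.ContainsAny(input, forbidden)
}

// usernameAllowlist is the whitelist (positive) rule chosen for this example:
// lowercase letters, digits and underscore, 3 to 32 characters.
var usernameAllowlist = regexp.MustCompile(`^[a-z0-9_]{3,32}$`)

// Canonicalize reduces raw input to the single form the application will act
// on: percent-decode once, refuse a second encoding layer instead of looping,
// and require valid UTF-8. Validation runs on this result, never on raw bytes.
func Canonicalize(raw string) (string, error) {
	decoded, err := url.QueryUnescape(raw)
	if err != nil {
		return "", fmt.Errorf("malformed percent-encoding: %w", err)
	}
	if strings.Contains(decoded, "%") {
		return "", fmt.Errorf("nested percent-encoding rejected")
	}
	if !utf8.ValidString(decoded) {
		return "", fmt.Errorf("input is not valid UTF-8")
	}
	return decoded, nil
}

// ValidateUsername canonicalizes, then applies the whitelist to the result.
func ValidateUsername(raw string) (string, error) {
	canon, err := Canonicalize(raw)
	if err != nil {
		return "", err
	}
	if !usernameAllowlist.MatchString(canon) {
		return "", fmt.Errorf("%q contains characters outside the whitelist", canon)
	}
	return canon, nil
}

func main() {
	// Constructed samples: a valid name, an encoded underscore, an encoded
	// script tag, and the same tag encoded twice.
	for _, raw := range []string{"alice_01", "bob%5F2", "%3Cscript%3E", "%253Cscript%253E"} {
		got, err := ValidateUsername(raw)
		fmt.Printf("%-18s blacklist-on-raw=%-5t whitelist=%q err=%v\n", raw, BlocklistPasses(raw), got, err)
	}
}
```

For the constructed input "%3Cscript%3E" the blacklist check on the raw string passes, because the encoding hides the forbidden characters; after Canonicalize the same check fails, and ValidateUsername rejects the input either way, since the whitelist never needs to know what a script tag looks like. "bob%5F2" canonicalizes to a permitted value, and the double-encoded variant is refused outright rather than decoded in a loop.&lt;br /&gt;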
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas].&lt;br /&gt;
&lt;br /&gt;
Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. It may also include performing an internal evaluation of products with the OWASP ASVS in mind, while NOT making any claims of meeting any given level in the standard.&lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications there are lots of secrets stored in many different locations, which greatly increases the likelihood that one of them will be compromised. A single master key reduces the problem to protecting one secret, which can be kept somewhere the application's configuration and data are not (an operating system key store, a hardware security module, or a secrets service). This makes managing the protection considerably simpler and is not simply a level of indirection. The benefit is lost only if the master key itself is stored in plaintext alongside the secrets it protects, which is why the requirement specifies a secure location. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
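&lt;br /&gt;
As an added illustration of PI-0002 (example code, not part of the ASVS or of this page), the Go program below keeps one master key and uses it to protect every other secret. It goes one step beyond the resolution's wording, by design of this example rather than anything the resolution prescribes: each secret is encrypted under its own data key and only that data key is wrapped under the master key (envelope encryption). The master key is generated locally as a stand-in for a key held in a secure location such as an HSM, OS key store or secrets service, and the secret value is constructed.&lt;br /&gt;

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)
// Envelope is what the application persists for one secret: the secret
// encrypted under its own data key (DEK), plus that DEK wrapped by the
// master key. The master key itself is never stored next to it.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(masterKey, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, secret)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any modified byte fails the GCM tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if n > len(sealed) {
		return nil, fmt.Errorf("sealed blob shorter than its nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewKey returns a random 256-bit AES key (stand-in for a key issued by the secure location).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapSecret generates a fresh DEK for this secret, encrypts the secret under
// it, wraps the DEK under the master key, and lets the plaintext DEK go.
func WrapSecret(masterKey, secret []byte) (env Envelope, err error) {
	dek, err := NewKey()
	if err != nil {
		return env, err
	}
	if env.Ciphertext, err = seal(dek, secret); err != nil {
		return env, err
	}
	env.WrappedDEK, err = seal(masterKey, dek)
	return env, err
}

// UnwrapSecret recovers the DEK with the master key, then the secret with the DEK.
func UnwrapSecret(masterKey []byte, env Envelope) ([]byte, error) {
	dek, err := open(masterKey, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, env.Ciphertext)
}

// RotateMasterKey re-wraps the DEK under a new master key; the encrypted secret is untouched.
func RotateMasterKey(oldMaster, newMaster []byte, env Envelope) (Envelope, error) {
	dek, err := open(oldMaster, env.WrappedDEK)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(newMaster, dek)
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

func main() {
	master, _ := NewKey() // in production: fetched from the secure location, never persisted by the app
	env, _ := WrapSecret(master, []byte("db-password: s3cr3t")) // constructed sample secret
	pt, err := UnwrapSecret(master, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

Nothing that is persisted (the Envelope) is usable without the master key, so protecting many secrets reduces to protecting one 32-byte key. RotateMasterKey shows the practical payoff of the extra data-key layer: rotating the master key re-wraps the small data keys and leaves the encrypted secrets untouched. If the master key were written in plaintext next to the envelopes, the scheme would be exactly the level of indirection the question worries about.&lt;br /&gt;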
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document and, in all honesty, will take a dedicated person a week or more to translate, so please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that ASVS is currently on version 3.0.1. The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'''1. About ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'''2. Get ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese(Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'''3. Learn ASVS 1.0''' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248113</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=248113"/>
				<updated>2019-03-01T04:16:43Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: 4.0 release readiness&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 4.0 will be released in early 2019 ==&lt;br /&gt;
&lt;br /&gt;
Please note there will &amp;lt;b&amp;gt;not be a 3.1 release&amp;lt;/b&amp;gt; and we will be going directly from &amp;lt;b&amp;gt;ASVS 3.0.1 to 4.0 in February 2019&amp;lt;/b&amp;gt;!&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2018)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2017)] &lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series OWASP Cheatsheet Series] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 4.0 (coming soon!)&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
&lt;br /&gt;
* [9 March 2018] [https://docs.google.com/spreadsheets/d/1ic7gsib--Cn4ujrA8rhvzuUmMFpQ2Jkl96SZDCEtqJg/edit?ts=5a6bafe1#gid=950526877 OWASP Application Security Verification Standard 3.1 Spreadsheet] created by August Detlefsen&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Persian==&lt;br /&gt;
* [[Media:OWASP ASVS 3.0.1 (Persian).pdf|Download PDF - 2.84 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 Excel sheet - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0 MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than, for example, on the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development, unbeknownst to the application owner, which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' – A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' – The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input, used to perform input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas].&lt;br /&gt;
&lt;br /&gt;
Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard.&lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using OWASP ASVS. Include your name, your organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowdin account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowdin, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that ASVS is currently on version 3.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese (Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=July_4th,_2018&amp;diff=241648</id>
		<title>July 4th, 2018</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=July_4th,_2018&amp;diff=241648"/>
				<updated>2018-07-04T14:36:58Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: New agenda item&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
Meeting Date: July 4th, 2018&lt;br /&gt;
&lt;br /&gt;
Meeting Location: Virtual (GoToMeeting) and [http://sched.co/FMAM Burns room, 4th Floor, QEII Centre, London, UK]&amp;lt;br /&amp;gt;Meeting Times: [https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&amp;amp;month=7&amp;amp;day=4&amp;amp;hour=14&amp;amp;min=30&amp;amp;sec=0&amp;amp;p1=136&amp;amp;iv=1800 July 4th, 2018 at 3:30 PM]&amp;lt;br /&amp;gt;Virtual: GoToMeeting Meeting ID: 861-328-838 &lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;u&amp;gt;Additional meeting at AppSec EU 2018&amp;lt;/u&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Meeting Date: July 4th, 2018&lt;br /&gt;
&lt;br /&gt;
Meeting Location: Virtual (GoToMeeting) and [http://sched.co/FMAS Chaucer room, 4th Floor, QEII Centre, London, UK]&amp;lt;br /&amp;gt;Meeting Times: July 4th at 12:00 PM&amp;lt;br /&amp;gt;Virtual: GoToMeeting Meeting ID: 861-328-838 &lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''Note: Joining the call acknowledges your awareness of recording and consent to be recorded and public dissemination of the recording'''&lt;br /&gt;
&lt;br /&gt;
 AGENDA&lt;br /&gt;
OWASP Executive Director&lt;br /&gt;
* [https://docs.google.com/document/d/1nb_K0vsCFN2Rc5EgxLBLJnvwkpSWLbKQn7lVV6g9cDA/edit?usp=sharing Draft Strategic Plan] &lt;br /&gt;
* [https://drive.google.com/open?id=1jb0SoyECHVe_XrylsPrJ5crfm9r0pBFzRSBM9CL2seY AppSec Conference Selection Criteria] &lt;br /&gt;
* Action on sponsorship guidelines.  No sponsorship can be used to solicit additional chapter donations.  As a non-profit it is prohibited to solicit or trade out commercial exposure for donations to chapters. &lt;br /&gt;
* New Chapter Opening Guidelines:  Chapters can only be opened by those who reside in, and will manage the chapter in, the said country and region of the chapter.  Opening of a chapter must be predicated on interviews with the required leadership in the said location of the chapter, with a confirmation by the leaders that they live and work in, and will manage the chapter in, that location. &lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES [https://docs.google.com/document/d/1pHfL68xVupCb8LXxwTFs5hfL92VajkbN3HTuPfsdatc/edit?usp=sharing prior meeting minutes]&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
[https://drive.google.com/open?id=0Bzb3QwFMHCXrZ3N4b1NDS0N3RDNnNzVvSlpxbnYyZXI4OE9r Executive Director Board report for July 2018]  &lt;br /&gt;
&lt;br /&gt;
[https://drive.google.com/open?id=0Bzb3QwFMHCXrak0wS1Rsb2k5aG1MVWhGNHJ4RGY3WkFyc0Fv Registration report for AppSec EU 2018] &lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
 &lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
 ADJOURNMENT&lt;br /&gt;
&lt;br /&gt;
==Old Business==&lt;br /&gt;
&lt;br /&gt;
==New Business==&lt;br /&gt;
* To vote on the events strategy as discussed during the June Board meeting http://sl.owasp.org/globalappsecstrategy&lt;br /&gt;
* To hear the foundation's feedback on a global (AppSec) event in Tel Aviv and '''vote''' on hosting an event there in 2018.&lt;br /&gt;
** I could urge the board to listen back to the recordings on what has been communicated to the community.&lt;br /&gt;
** The recording can be found here: https://drive.google.com/file/d/1yXPSr8XcFnO63vXSTOCRTb16tn5YTFww/view&lt;br /&gt;
* Vote of the compliance committee charter.&lt;br /&gt;
* Coursera&lt;br /&gt;
** UC Davis would like to use OWASP ideas and content to create courseware on Coursera consisting of:&lt;br /&gt;
*** Unchanged OWASP reference materials (we would link these directly from OWASP site so they are always current).&lt;br /&gt;
*** Video lectures based on OWASP materials and instructor experience.&lt;br /&gt;
*** Quizzes and small practice exercises based on the OWASP materials.&lt;br /&gt;
*** Exercises with OWASP tools such as JuiceShop (we would not modify the tools, but will create prompts, context, and peer grading rubrics).&lt;br /&gt;
*** This course would be marketed to Coursera's audience of 30M+ learners globally.&lt;br /&gt;
*** Video, quiz, and exercise content may be derivative work from the OWASP source content.&lt;br /&gt;
*** Videos can be accessed without login or any other authentication requirement from UC Davis, Coursera, and OWASP.&lt;br /&gt;
*** Access to the videos within context of the course requires learners to set up a Coursera login.&lt;br /&gt;
*** Assignments and exercises will be behind the paywall for the courses.  Scholarships are available and widely used for the courses.&lt;br /&gt;
* Amend bylaws in relation to board meeting attendance&lt;br /&gt;
== Discussion ==&lt;br /&gt;
# '''The structure of the board:'''&lt;br /&gt;
## Do we need more diverse views on the board? e.g. adding 1 or 2 independent board members who have different experiences in charities/foundations (i.e. specialise in finance/HR/Governance etc.).&lt;br /&gt;
## The concern is we have a rotating list of board members who specialise in AppSec, but not necessarily the skills needed to set the strategy for a foundation. For most foundations (and companies) their boards are people from diverse backgrounds for that very reason.&lt;br /&gt;
# '''Adding Resilience in the management of the foundation:'''&lt;br /&gt;
## An ED for OWASP must be a full time employee. If the chairperson would like to step in the role of (interim) ED they can do so, but only if they take a full time position within OWASP (which also means resigning from their current full employment roles). &lt;br /&gt;
## Should we have a clause that says at any time we need a named interim ED in case anything goes wrong.&lt;br /&gt;
## Establish a process for the interim period (either we find a new ED, or transition the interim ED into the permanent role).&lt;br /&gt;
# '''Setting Scheduled Cycles for the foundation strategy:'''&lt;br /&gt;
## We need a process to develop, review, and adjust the strategic direction for the foundation on a regular basis, that is also in-sync with the BoD elections.&lt;br /&gt;
## We still (as of end of June) do not have a strategy for the foundation agreed for the foundation to execute, granted we have a few initiatives we need to address piecemeal but we have not set the overall picture. &lt;br /&gt;
## I have seen a proposal from Karen but this needs to be reviewed and agreed with the BoD amendments. As a board we have yet to set one, and I would like us to go over this during the meetings.&lt;br /&gt;
## '''Addressing the effectiveness of OWASP Board meetings'''&lt;br /&gt;
## How do we bring more votable items and valuable strategic discussions to our meetings.&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=March_7,_2018&amp;diff=238391</id>
		<title>March 7, 2018</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=March_7,_2018&amp;diff=238391"/>
				<updated>2018-03-06T21:27:14Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
Meeting Date: March 7 2018&lt;br /&gt;
&lt;br /&gt;
3:00pm - 4:00pm EST&lt;br /&gt;
&lt;br /&gt;
Meeting Location: Virtual&lt;br /&gt;
&lt;br /&gt;
Virtual: GoToMeeting Meeting ID: 861-328-838 &lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
 AGENDA&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
* Approve SAFEcode.org future cooperation - AJV (Sherif Mansour to discuss, ajv vote to be proxied by Sherif)&lt;br /&gt;
* Approve SAFEcode.org document - AJV (Sherif Mansour to discuss, ajv vote to be proxied with Sherif) &lt;br /&gt;
* Status update from staff on DefCon cooperation with Jon McCoy. (AJV)&lt;br /&gt;
* Status update from staff on AppSec Au Day with Julian Berton. (AJV)&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
 ADJOURNMENT&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Old Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;br /&gt;
&lt;br /&gt;
==New Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V20_Internet_of_Things&amp;diff=235603</id>
		<title>ASVS V20 Internet of Things</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V20_Internet_of_Things&amp;diff=235603"/>
				<updated>2017-11-19T06:30:56Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V20: Internet of Things Verification Requirements This section contains controls that are Embedded/IoT device specific. These controls must be taken in conjunction with all...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V20: Internet of Things Verification Requirements&lt;br /&gt;
This section contains controls that are Embedded/IoT device specific. These controls must be taken in conjunction with all other sections of the relevant ASVS Verification Level.&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Embedded/IoT devices should:&lt;br /&gt;
&lt;br /&gt;
* Have the same level of security controls within the device as found in the server, by enforcing security controls in a trusted environment.&lt;br /&gt;
* Store sensitive data on the device in a secure manner.&lt;br /&gt;
* Use transport layer security for all sensitive data transmitted from the device.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **20.1** | Verify that application layer debugging interfaces such as USB or serial are disabled. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that cryptographic keys are unique to each individual device. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that memory protection controls such as ASLR and DEP are enabled by the embedded/IoT operating system, if applicable. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that on-chip debugging interfaces such as JTAG or SWD are disabled, or that the available protection mechanism is enabled and configured appropriately. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that physical debug headers are not present on the device. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that sensitive data is not stored unencrypted on the device. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the device prevents leaking of sensitive information. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the firmware apps protect data-in-transit using transport security. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the firmware apps validate the digital signature of server connections. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that wireless communications are mutually authenticated. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that wireless communications are sent over an encrypted channel.  | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the firmware apps pin the digital signature to a trusted server(s). |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify the presence of physical tamper resistance and/or tamper detection features, including epoxy. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that identifying markings on chips have been removed. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that any available Intellectual Property protection technologies provided by the chip manufacturer are enabled. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify security controls are in place to hinder firmware reverse engineering (e.g., removal of verbose debugging strings). |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify the device validates the boot image signature before loading. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the firmware update process is not vulnerable to time-of-check vs time-of-use attacks. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify the device uses code signing and validates firmware upgrade files before installing. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the device cannot be downgraded to old versions of valid firmware. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify usage of a cryptographically secure pseudo-random number generator on the embedded device (e.g., using chip-provided random number generators). |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that only microcontrollers that support disabling debugging interfaces (e.g. JTAG, SWD) are used. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that only microcontrollers that provide substantial protection from de-capping and side channel attacks are used. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that sensitive traces are not exposed to outer layers of the printed circuit board. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that inter-chip communication is encrypted. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify the device uses code signing and validates code before execution. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **20.1** | Verify that the firmware apps utilize kernel containers for isolation between apps. |  |  | ✓ | 3.1 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Internet of Things Top 10](https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf)&lt;br /&gt;
* [OWASP Internet of Things Project](https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project)&lt;br /&gt;
* [Trudy TCP Proxy Tool](https://github.com/praetorian-inc/trudy)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V19_Configuration&amp;diff=235602</id>
		<title>ASVS V19 Configuration</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V19_Configuration&amp;diff=235602"/>
				<updated>2017-11-19T06:30:40Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V19: Configuration Verification Requirements  ## Control Objective  Ensure that a verified application has:  * Up to date libraries and platform(s). * A secure by default co...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V19: Configuration Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application has:&lt;br /&gt;
&lt;br /&gt;
* Up to date libraries and platform(s).&lt;br /&gt;
* A secure by default configuration.&lt;br /&gt;
* Sufficient hardening that user initiated changes to default configuration do not unnecessarily expose or create security weaknesses or flaws to underlying systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **19.1** | Verify that all components are up to date with proper security configuration(s) and version(s). This should include removal of unneeded configurations and folders such as sample applications, platform documentation, and default or example users.  | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **19.2** | Verify that communications between components, such as between the application server and the database server, are encrypted, particularly when the components are in different containers or on different systems. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **19.3** | Verify that communications between components, such as between the application server and the database server, are authenticated using an account with the least necessary privileges. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **19.4** | Verify application deployments are adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **19.5** | Verify that the application build and deployment processes are performed in a secure and repeatable method, such as CI / CD automation and automated configuration management.  |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **19.6** | Verify that authorised administrators have the capability to verify the integrity of all security-relevant configurations to detect tampering.  |  |  | ✓ | 3.1 |&lt;br /&gt;
| **19.7** | Verify that all application components are signed. |  |  | ✓ | 3.0 |&lt;br /&gt;
| **19.8** | Verify that third party components come from trusted repositories. |  |  | ✓ | 3.0 |&lt;br /&gt;
| **19.9** | Verify that build processes for system level languages have all security flags enabled, such as ASLR, DEP, and security checks.  |  |  | ✓ | 3.0 |&lt;br /&gt;
| **19.10** | Verify that all application assets, such as JavaScript libraries, CSS stylesheets and web fonts, are hosted by the application rather than relying on a CDN or external provider. |  |  | ✓ | 3.0.1 |&lt;br /&gt;
| **19.11** | Verify that all application components, services, and servers each use their own low privilege service account that is not shared between applications nor used by administrators.  |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Configuration and Deployment Management Testing](https://www.owasp.org/index.php/Testing_for_configuration_management)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V18_API&amp;diff=235601</id>
		<title>ASVS V18 API</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V18_API&amp;diff=235601"/>
				<updated>2017-11-19T06:30:29Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V18: API and Web Service Verification Requirements  ## Control Objective  Ensure that a verified application that uses RESTful or SOAP based web services has:  * Adequate au...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V18: API and Web Service Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application that uses RESTful or SOAP based web services has:&lt;br /&gt;
&lt;br /&gt;
* Adequate authentication, session management and authorization of all web services&lt;br /&gt;
* Input validation of all parameters that transit from a lower to higher trust level&lt;br /&gt;
* Basic interoperability of SOAP web services layer to promote API use&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **18.1** | Verify that the same encoding style is used between the client and the server. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **18.2** | Verify that access to administration and management functions within the Web Service Application is limited to web service administrators. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **18.3** | Verify that XML or JSON schema is in place and verified before accepting input. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **18.4** | Verify that all input is limited to an appropriate size limit. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **18.5** | Verify that SOAP based web services are compliant with Web Services-Interoperability (WS-I) Basic Profile at minimum. This essentially means TLS encryption.  | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **18.7** | Verify that the REST service is protected from Cross-Site Request Forgery via the use of at least one of the following: double submit cookie pattern, CSRF nonces, ORIGIN request header checks, and referrer request header checks. | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **18.8** | Verify that the REST service explicitly checks that the incoming Content-Type is the expected one, such as application/xml or application/json. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **18.9** | Verify that the message payload is signed to ensure reliable transport between client and service, using JSON Web Signing or WS-Security for SOAP requests. |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **18.10** | Verify that alternative and less secure access paths do not exist. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Configuration and Deployment Management Testing](https://www.owasp.org/index.php/Testing_for_configuration_management)&lt;br /&gt;
* [OWASP Cross-Site Request Forgery cheat sheet](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)&lt;br /&gt;
* [JSON Web Tokens (and Signing)](https://jwt.io/)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V17_Mobile&amp;diff=235600</id>
		<title>ASVS V17 Mobile</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V17_Mobile&amp;diff=235600"/>
				<updated>2017-11-19T06:30:11Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V17: Mobile Verification Requirements  ## ASVS Mobile Removal Notifice  This section previously contained controls that are mobile application specific. This section is bein...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V17: Mobile Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## ASVS Mobile Removal Notice&lt;br /&gt;
&lt;br /&gt;
This section previously contained controls that are mobile application specific. This section is being removed and replaced by the OWASP Mobile Application Security Verification Standard. &lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
* [OWASP Mobile Application Security Verification Standard](https://www.owasp.org/index.php/OWASP_Mobile_Security_Project)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V16_Files_and_Resources&amp;diff=235599</id>
		<title>ASVS V16 Files and Resources</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V16_Files_and_Resources&amp;diff=235599"/>
				<updated>2017-11-19T06:29:55Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V16: File and Resources Verification Requirements  ## Control Objective  Ensure that a verified application satisfies the following high level requirements:  * Untrusted fil...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V16: File and Resources Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* Untrusted file data should be handled accordingly and in a secure manner&lt;br /&gt;
* Files obtained from untrusted sources are stored outside the webroot, with limited permissions.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **16.1** | Verify that URL redirects and forwards only allow whitelisted destinations, or show a warning when redirecting to potentially untrusted content. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **16.2** | Verify that untrusted file data submitted to the application is not used directly with file I/O commands, particularly to protect against path traversal, local file include, file mime type, reflective file download, and OS command injection vulnerabilities. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **16.3** | Verify that files obtained from untrusted sources are validated to be of expected type and scanned by antivirus scanners to prevent upload of known malicious content. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **16.4** | Verify that untrusted data is not used within inclusion, class loader, or reflection capabilities to prevent remote/local code execution vulnerabilities. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **16.5** | Verify that untrusted data is not used within cross-domain resource sharing (CORS) to protect against arbitrary remote content. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **16.6** | Verify that files obtained from untrusted sources are stored outside the webroot, with limited permissions, preferably with strong validation. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **16.7** | Verify that the web or application server is configured by default to deny access to remote resources or systems outside the web or application server. |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **16.8** | Verify the application code does not execute uploaded data obtained from untrusted sources. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **16.9** | Verify that unsupported, insecure or deprecated client-side technologies are not used, such as NSAPI plugins, Flash, Shockwave, Active-X, Silverlight, NACL, or client-side Java applets. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **16.10** | Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header does not simply reflect the request's origin header or support the &amp;quot;null&amp;quot; origin. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [File Extension Handling for Sensitive Information](https://www.owasp.org/index.php/Unrestricted_File_Upload)&lt;br /&gt;
* [Reflective file download by Oren Hafif](https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector/)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V15_Business_Logic_Flaws&amp;diff=235598</id>
		<title>ASVS V15 Business Logic Flaws</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V15_Business_Logic_Flaws&amp;diff=235598"/>
				<updated>2017-11-19T06:29:34Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V15: Business Logic Verification Requirements  ## Control Objective  Ensure that a verified application satisfies the following high level requirements:  * The business logi...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V15: Business Logic Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* The business logic flow is sequential and in order&lt;br /&gt;
* Business logic includes limits to detect and prevent automated attacks, such as continuous small funds transfers, or adding a million friends one at a time, and so on.&lt;br /&gt;
* High value business logic flows have considered abuse cases and malicious actors, and have protections against spoofing, tampering, repudiation, information disclosure, and elevation of privilege attacks.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **15.1** | Verify that the application will only process business logic flows in sequential step order, with all steps being processed in realistic human time, and will not process out of order or skipped steps, steps from another user, or too quickly submitted transactions. |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **15.2** | Verify that the application has business limits and correctly enforces them on a per user basis, with configurable alerting and automated reactions to automated or unusual attacks. |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Business Logic Testing](https://www.owasp.org/index.php/Testing_for_business_logic)&lt;br /&gt;
* [OWASP Cheat Sheet](https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V13_Malicious_Code&amp;diff=235597</id>
		<title>ASVS V13 Malicious Code</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V13_Malicious_Code&amp;diff=235597"/>
				<updated>2017-11-19T06:29:23Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V13: Malicious Code Verification Requirements  ## Control Objective  Ensure that a verified application satisfies the following high level requirements:  * Malicious activit...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V13: Malicious Code Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* Malicious activity is handled securely and properly so as not to affect the rest of the application.&lt;br /&gt;
* The application does not have time bombs or other time based attacks built into it.&lt;br /&gt;
* The application does not “phone home” to malicious or unauthorized destinations.&lt;br /&gt;
* The application does not have back doors, Easter eggs, salami attacks, or logic flaws that can be controlled by an attacker.&lt;br /&gt;
&lt;br /&gt;
Malicious code is extremely rare, and is difficult to detect. Manual line by line code review can assist in looking for logic bombs, but even the most experienced code reviewer will struggle to find malicious code even if they know it exists. This section is not possible to complete without access to source code, including as many third party libraries as possible.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **13.1** | Verify all malicious activity is adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **13.2** | Verify that the application source code, and as many third party libraries as possible, does not contain back doors, Easter eggs, and logic flaws in authentication, access control, input validation, and the business logic of high value transactions.  | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V10_Communications&amp;diff=235596</id>
		<title>ASVS V10 Communications</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V10_Communications&amp;diff=235596"/>
				<updated>2017-11-19T06:29:12Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V10: Communications Verification Requirements  ## Control Objective  Ensure that a verified application satisfies the following high level requirements:  * That TLS is used...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V10: Communications Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* That TLS is used where sensitive data is transmitted.&lt;br /&gt;
* That strong algorithms and ciphers are used at all times.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **10.1** | Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **10.1** | Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions, and does not fall back to insecure or unencrypted protocols. Ensure the strongest alternative is the preferred algorithm. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **10.1** | Verify that backend TLS connection failures are logged. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **10.1** | Verify that certificate paths are built and verified for all client certificates using configured trust anchors and revocation information. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **10.1** | Verify that all connections to external systems that involve sensitive information or functions are authenticated. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **10.1** | Verify that there is a single standard TLS implementation that is used by the application that is configured to operate in an approved mode of operation. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **10.1** | Verify that TLS certificate public key pinning (HPKP) is implemented with production and backup public keys. For more information, please see the references below.  |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **10.1** | Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **10.1** | Verify that production website URL has been submitted to preloaded list of Strict Transport Security domains maintained by web browser vendors. Please see the references below. |  |  | ✓ | 3.0 |&lt;br /&gt;
| **10.1** | Verify that perfect forward secrecy is configured to mitigate passive attackers recording traffic. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **10.1** | Verify that proper certificate revocation checking, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **10.1** | Verify that only strong algorithms, ciphers, and protocols are used, through all the certificate hierarchy, including root and intermediary certificates of your selected certifying authority. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **10.1** | Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP TLS Cheat Sheet](https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet)&lt;br /&gt;
* Notes on “Approved modes of TLS”: In the past, the ASVS referred to the US standard FIPS 140-2, but as a global standard, applying US standards can be difficult, contradictory, or confusing. A better method of achieving compliance with 10.8 would be to review guides such as the [Mozilla Server Side TLS guide](https://wiki.mozilla.org/Security/Server_Side_TLS), generate known good configurations with the [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/), and use known TLS evaluation tools, such as sslyze, various vulnerability scanners or trusted TLS online assessment services, to obtain the desired level of security. In general, non-compliance in this section takes the form of outdated or insecure ciphers and algorithms, the lack of perfect forward secrecy, outdated or insecure SSL protocols, weak preferred ciphers, and so on.&lt;br /&gt;
* [Certificate pinning: for more information, please review RFC 7469](https://tools.ietf.org/html/rfc7469). The rationale behind certificate pinning with production and backup keys is business continuity; see [this post on HTTP Public Key Pinning](https://noncombatant.org/2015/05/01/about-http-public-key-pinning/).&lt;br /&gt;
* [OWASP Certificate Pinning Cheat Sheet](https://www.owasp.org/index.php/Pinning_Cheat_Sheet)&lt;br /&gt;
* [OWASP Certificate and Public Key Pinning](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning)&lt;br /&gt;
* [Time of first use (TOFU) Pinning](https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning)&lt;br /&gt;
* [Pre-loading HTTP Strict Transport Security](https://www.chromium.org/hsts)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V9_Data_Protection&amp;diff=235595</id>
		<title>ASVS V9 Data Protection</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V9_Data_Protection&amp;diff=235595"/>
				<updated>2017-11-19T06:28:55Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V9: Data Protection Verification Requirements  ## Control Objective  There are three key elements to sound data protection: Confidentiality, Integrity and Availability (CIA)...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V9: Data Protection Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
There are three key elements to sound data protection: Confidentiality, Integrity and Availability (CIA). This standard assumes that data protection is enforced on a trusted system, such as a server, which has been hardened and has sufficient protections.&lt;br /&gt;
&lt;br /&gt;
Applications have to assume that all user devices are compromised in some way. Where an application transmits or stores sensitive information on insecure devices, such as shared computers, phones and tablets, the application is responsible for ensuring data stored on these devices is encrypted and cannot be easily illicitly obtained, altered or disclosed.&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level data protection requirements:&lt;br /&gt;
&lt;br /&gt;
* Confidentiality: Data should be protected from unauthorised observation or disclosure both in transit and when stored.&lt;br /&gt;
* Integrity: Data should be protected from being maliciously created, altered or deleted by unauthorized attackers.&lt;br /&gt;
* Availability: Data should be available to authorized users as required.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **9.1** | Verify that all forms containing sensitive information have disabled client side caching, including autocomplete features. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **9.2** | Verify that the list of sensitive data processed by the application is identified, and that there is an explicit policy for how access to this data must be controlled, encrypted and enforced under relevant data protection directives. |  |  | ✓ | 3.0 |&lt;br /&gt;
| **9.3** | Verify that all sensitive data is sent to the server in the HTTP message body or headers (i.e., URL parameters are never used to send sensitive data). | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **9.4** | Verify that the application sets sufficient anti-caching headers such that any sensitive and personal information displayed by the application or entered by the user should not be cached on disk by mainstream modern browsers (e.g. visit about:cache to review disk cache). | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **9.5** | Verify that on the server, all cached or temporary copies of sensitive data stored are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **9.6** | Verify that there is a method to remove each type of sensitive data from the application at the end of the required retention policy. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **9.7** | Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values. |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **9.8** | Verify that the application has the ability to detect and alert on abnormal numbers of requests indicating data harvesting, for example screen scraping. |  |  | ✓ | 2.0 |&lt;br /&gt;
| **9.9** | Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII. | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **9.10** | Verify accessing sensitive data is logged, if the data is collected under relevant data protection directives or where logging of accesses is required. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **9.11** | Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks. |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **9.12** | Placeholder for GDPR | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **9.13** | Placeholder for GDPR | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **9.14** | Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [Consider using Security Headers website to check security and anti-caching headers](https://securityheaders.io)&lt;br /&gt;
* [OWASP Secure Headers project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)&lt;br /&gt;
* [User Privacy Protection Cheat Sheet](https://www.owasp.org/index.php/User_Privacy_Protection_Cheat_Sheet)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V8_Error_Handling&amp;diff=235594</id>
		<title>ASVS V8 Error Handling</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V8_Error_Handling&amp;diff=235594"/>
				<updated>2017-11-19T06:28:38Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V8: Error Handling and Logging Verification Requirements  ## Control Objective  The primary objective of error handling and logging is to provide a useful reaction by the us...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V8: Error Handling and Logging Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
The primary objective of error handling and logging is to provide a useful reaction for the user, administrators, and incident response teams. The objective is not to create massive amounts of logs, but high quality logs, with more signal than discarded noise.&lt;br /&gt;
&lt;br /&gt;
High quality logs will often contain sensitive data, and must be protected as per local data privacy laws or directives. This should include:&lt;br /&gt;
&lt;br /&gt;
* Not collecting or logging sensitive information if not specifically required.&lt;br /&gt;
* Ensuring all logged information is handled securely and protected as per its data classification.&lt;br /&gt;
* Ensuring that logs are not kept forever, but have an absolute lifetime that is as short as possible.&lt;br /&gt;
&lt;br /&gt;
If logs contain private or sensitive data, the definition of which varies from country to country, the logs become some of the most sensitive information held by the application and thus very attractive to attackers in their own right.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **8.1** | Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id, software/framework versions and personal information. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **8.1** | Verify that error handling logic in security controls denies access by default. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **8.1** | Verify security logging controls provide the ability to log success and particularly failure events that are identified as security-relevant. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **8.1** | Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **8.1** | Verify that all events that include untrusted data will not execute as code in the intended log viewing software. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **8.1** | Verify that security logs are protected from unauthorized access and modification. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **8.1** | Verify that the application does not log sensitive data as defined under local privacy laws or regulations, organizational sensitive data as defined by a risk assessment, or sensitive authentication data that could assist an attacker, including user’s session identifiers, passwords, hashes, or API tokens. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **8.1** | Verify that all non-printable symbols and field separators are properly encoded in log entries, to prevent log injection. |  |  | ✓ | 2.0 |&lt;br /&gt;
| **8.1** | Verify that log fields from trusted and untrusted sources are distinguishable in log entries. |  |  | ✓ | 2.0 |&lt;br /&gt;
| **8.1** | Verify that an audit log or similar allows for non-repudiation of key transactions. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **8.1** | Verify that security logs have some form of integrity checking or controls to prevent unauthorized modification. |  |  | ✓ | 3.0 |&lt;br /&gt;
| **8.1** | Verify that logs are stored on a different partition than the application is running with proper log rotation. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **8.1** | Verify that time sources are synchronized to the correct time and time zone. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
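&lt;br /&gt;
The following is an added example and is not part of the ASVS text or of any OWASP project code. It shows one way to satisfy the log-injection, trusted/untrusted separation, sensitive-data and integrity rows above in Python: control characters and the field separator are escaped before a value reaches a log line, fields copied from the request get a distinct prefix, keys on a redaction list never reach the log, and each line is HMAC-chained to its predecessor. The field names, the separator character, the redaction list and the MAC key handling are assumptions made for the example.&lt;br /&gt;
&lt;br /&gt;
```python
import hashlib
import hmac

# Field names that must never be written to a log (sensitive data row above).
# This set is an assumption for the example; a real application derives it
# from its data classification and the applicable privacy rules.
REDACTED_KEYS = {"password", "password_hash", "session_id", "api_token"}


def encode_field(value):
    """Encode one log field so that control characters (CR, LF, TAB, ESC ...),
    the record separator '|' and the escape character itself cannot forge a
    new line or a new field in the log. Printable text stays readable."""
    out = []
    for ch in str(value):
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == "|":
            out.append("\\x7c")
        elif code in range(0x20) or code == 0x7F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def format_record(event, trusted, untrusted, ts):
    """Build one log line. Fields the application set itself are prefixed 't.'
    and fields copied from the request are prefixed 'u.', so a reader or a
    SIEM parser can tell trusted from untrusted data. Redaction happens before
    encoding. 'ts' is a Unix timestamp supplied by the caller."""
    parts = ["ts=%d" % ts, "event=" + encode_field(event)]
    for prefix, fields in (("t.", trusted), ("u.", untrusted)):
        for key in sorted(fields):
            value = "[redacted]" if key in REDACTED_KEYS else fields[key]
            parts.append("%s%s=%s" % (prefix, encode_field(key), encode_field(value)))
    return "|".join(parts)


class ChainedLog:
    """Append-only log where every line carries an HMAC over the line and the
    previous line's MAC. Editing, reordering or deleting an earlier line breaks
    verification. The key belongs to the log collector, not to the application
    that produces the lines (otherwise a compromised application could re-sign)."""

    def __init__(self, key):
        self.key = key
        self.lines = []
        self.prev_mac = "0" * 64

    def _mac(self, prev_mac, record):
        return hmac.new(self.key, (prev_mac + record).encode(), hashlib.sha256).hexdigest()

    def append(self, record):
        mac = self._mac(self.prev_mac, record)
        self.lines.append(record + "|mac=" + mac)
        self.prev_mac = mac
        return mac

    def verify(self):
        """True if every line's MAC matches its content and its predecessor."""
        prev = "0" * 64
        for line in self.lines:
            record, sep, mac = line.rpartition("|mac=")
            if sep == "" or not hmac.compare_digest(self._mac(prev, record), mac):
                return False
            prev = mac
        return True
```
&lt;br /&gt;
The chain proves only that nothing before the last line was altered; to detect truncation the collector must also retain the most recent MAC somewhere the application cannot write. The escaping is for a line-oriented text log; a log viewer that renders HTML or evaluates expressions needs its own output encoding in addition (the "will not execute as code in the intended log viewing software" row).&lt;br /&gt;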
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0 content: Testing for Error Handling](https://www.owasp.org/index.php/Testing_for_Error_Handling)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V7_Cryptography&amp;diff=235593</id>
		<title>ASVS V7 Cryptography</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V7_Cryptography&amp;diff=235593"/>
				<updated>2017-11-19T06:28:25Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V7: Cryptography Verification Requirements  ## Control Objective  Ensure that a verified application satisfies the following high level requirements:  * That all cryptograph...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V7: Cryptography Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* That all cryptographic modules fail in a secure manner and that errors are handled correctly.&lt;br /&gt;
* That a suitable random number generator is used when randomness is required.&lt;br /&gt;
* That access to keys is managed in a secure way.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **7.2** | Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **7.6** | Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **7.7** | Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **7.8** | Verify that cryptographic modules operate in their approved mode according to their published security policies. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **7.9** | Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **7.11** | Verify that all consumers of cryptographic services do not have direct access to key material. Isolate cryptographic processes, including master secrets and consider the use of a virtualized or physical hardware key vault (HSM).  |  |  | ✓ | 3.0.1 |&lt;br /&gt;
| **7.12** | Verify that Personally Identifiable Information (PII) and other sensitive data is stored encrypted while at rest. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **7.13** | Verify that sensitive passwords or key material maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **7.14** | Verify that all keys and passwords are replaceable, and are generated or replaced at installation time. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **7.15** | Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances. |  |  | ✓ | 3.0 |&lt;br /&gt;
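&lt;br /&gt;
The following is an added example and is not part of the ASVS text or of any OWASP project code. It shows the fail-secure structure that 7.2 asks for and the CSPRNG use that 7.6 asks for, in Python with only the standard library: encrypt-then-MAC, tag verification in constant time before any decryption, and a single opaque exception for every failure so that neither the error text nor the control flow can serve as an oracle. Because the standard library has no AES, the keystream is an HMAC-SHA256 PRF run in counter mode; that substitution, the key and nonce sizes, and the function names are assumptions made for the example.&lt;br /&gt;
&lt;br /&gt;
```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


class DecryptionError(Exception):
    """The only error callers ever see. It carries no detail about which check failed."""


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: block i = HMAC-SHA256(enc_key, nonce || i).
    Stands in for a block cipher in CTR mode because the standard library has
    no AES (assumption for the example); the structure around it is the point."""
    out = b""
    counter = 0
    while length > len(out):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC. The nonce comes from the OS CSPRNG (7.6), never from random.random()."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag over nonce||ciphertext first, in constant time, and only
    then decrypt. Truncated input and a bad tag raise the same exception with
    the same (empty) message, so neither the message nor the code path tells
    an attacker which byte was wrong (7.2)."""
    if NONCE_LEN + TAG_LEN > len(blob):
        raise DecryptionError()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise DecryptionError()
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def open_result(enc_key, mac_key, blob):
    """Wrapper for the demo and tests: 'ok' or the (uniform) error string."""
    try:
        open_sealed(enc_key, mac_key, blob)
        return "ok"
    except DecryptionError as exc:
        return "DecryptionError:" + str(exc)


if __name__ == "__main__":
    ek, mk = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = seal(ek, mk, b"attack at dawn")
    flipped = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    print(open_result(ek, mk, blob), open_result(ek, mk, flipped), open_result(ek, mk, blob[:20]))
```
&lt;br /&gt;
The classic padding-oracle shape is the reverse order: decrypt and unpad first, then report "bad padding" and "bad MAC" differently, which lets an attacker decrypt byte by byte. Keeping the MAC check first and the error uniform removes that signal; separate encryption and MAC keys keep the two primitives independent. In production use a vetted AEAD (AES-GCM or ChaCha20-Poly1305) from a validated module, as 7.7 requires.&lt;br /&gt;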
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Testing for weak Cryptography](https://www.owasp.org/index.php/Testing_for_weak_Cryptography)&lt;br /&gt;
* [OWASP Cheat Sheet: Cryptographic Storage](https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V5_Input_validation_and_output_encoding&amp;diff=235592</id>
		<title>ASVS V5 Input validation and output encoding</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V5_Input_validation_and_output_encoding&amp;diff=235592"/>
				<updated>2017-11-19T06:28:09Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V5: Input Validation and Output Encoding Verification Requirements  ## Control Objective  The most common web application security weakness is the failure to properly valida...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V5: Input Validation and Output Encoding Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* All input is validated to be correct and fit for the intended purpose.&lt;br /&gt;
* Data from an external entity or client should never be trusted and should be handled accordingly.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **5.3** | Verify that server side input validation failures result in request rejection and are logged. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **5.5** | Verify that input validation routines are enforced on the server side. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **5.6** | Verify that a centralized input validation control mechanism is used by the application. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **5.10** | Verify that all database queries are protected by the use of parameterized queries or proper ORM usage to avoid SQL injection. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **5.11** | Verify that the application is not susceptible to LDAP Injection, or that security controls prevent LDAP Injection. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **5.12** | Verify that the application is not susceptible to OS Command Injection, or that security controls prevent OS Command Injection. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **5.13** | Verify that the application is not susceptible to Remote File Inclusion (RFI) or Local File Inclusion (LFI) when content is used that is a path to a file. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **5.14** | Verify that the application is not susceptible to XPath injection or XML injection attacks. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **5.15** | Verify that all string variables placed into HTML or other web client code are either properly contextually encoded manually, or utilize templates that automatically contextually encode to ensure the application is not susceptible to reflected, stored or DOM Cross-Site Scripting (XSS) attacks. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **5.16** | Verify that the application does not contain mass parameter assignment (AKA automatic variable binding) vulnerabilities. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **5.17** | Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, environment, etc.) |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **5.19** | Verify that all input data is validated, not only HTML form fields but all sources of input such as REST calls, query parameters, HTTP headers, cookies, batch files, RSS feeds, etc., using positive validation (whitelisting), then lesser forms of validation such as grey listing (eliminating known bad strings), or rejecting bad inputs (blacklisting). |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **5.20** | Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone, or validating that two related fields are reasonable, such as validating suburbs and zip or post codes match).  |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **5.21** | Verify that unstructured data is sanitized to enforce generic safety measures such as allowed characters and length, and that characters potentially harmful in a given context are escaped (e.g. natural names with Unicode or apostrophes, such as ねこ or O'Hara). |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **5.22** | Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature.  | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **5.24** | Verify that where data is transferred from one DOM context to another, the transfer uses safe JavaScript methods, such as using innerText or .val to ensure the application is not susceptible to DOM Cross-Site Scripting (XSS) attacks. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **5.25** | Verify when parsing JSON in browsers or JavaScript based backends, that JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **5.27** | Verify the application for Server Side Request Forgery vulnerabilities. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **5.28** | Verify that the application correctly restricts XML parsers to only use the most restrictive configuration possible and to ensure that dangerous features such as resolving external entities are disabled.  | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **5.29** | Verify that deserialization of untrusted data is avoided or is extensively protected when deserialization cannot be avoided.  | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
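&lt;br /&gt;
The following is an added example and is not part of the ASVS text or of any OWASP project code. It puts the query shape that 5.10 forbids next to the parameterized form, and layers server-side positive validation (5.5, 5.19, 5.20) with rejection and logging on failure (5.3) in front of it, using Python's built-in sqlite3. The table, the sample rows, the username allow-list and the function names are constructed assumptions for the example.&lt;br /&gt;
&lt;br /&gt;
```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def find_user_vulnerable(conn, name):
    """What 5.10 forbids: the value is spliced into the SQL text, so a name such
    as   ' OR '1'='1   rewrites the WHERE clause. Kept only for comparison."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """5.10: the statement text is fixed and the value travels as a bound
    parameter; the same crafted name is just a string that matches nobody."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


class ValidationError(ValueError):
    pass


# Allow-list for this example's username field (assumed policy: 3 to 32
# characters, a lowercase letter first, then letters, digits or underscore).
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def validate_username(raw, rejects):
    """5.5 / 5.19 / 5.20: positive validation on the server side. A failure
    rejects the request and is recorded (5.3); only the field name goes into
    the record, not the rejected value, so the log cannot be used for injection."""
    if not isinstance(raw, str) or USERNAME_RE.match(raw) is None:
        rejects.append("input rejected: field=username")
        raise ValidationError("username")
    return raw


def lookup_user(conn, raw_name, rejects):
    """Validate first, then query with a bound parameter: two independent layers,
    so a gap in the allow-list still cannot turn into SQL injection."""
    return find_user_parameterized(conn, validate_username(raw_name, rejects))


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))
    print("parameterized:", find_user_parameterized(conn, payload))
```
&lt;br /&gt;
The same pattern applies to the other interpreters in this chapter: LDAP filters, OS commands and XPath expressions each need their own parameterization or escaping API, and validation alone is never the only barrier.&lt;br /&gt;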
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Input Validation Testing](https://www.owasp.org/index.php/Testing_for_Input_Validation)&lt;br /&gt;
* [OWASP Cheat Sheet: Input Validation](https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet)&lt;br /&gt;
* [OWASP Testing Guide 4.0: Testing for HTTP Parameter Pollution](https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OTG-INPVAL-004%29)&lt;br /&gt;
* [OWASP LDAP Injection Cheat Sheet ](https://www.owasp.org/index.php/LDAP_Injection_Prevention_Cheat_Sheet)&lt;br /&gt;
* [OWASP Testing Guide 4.0: Client Side Testing ](https://www.owasp.org/index.php/Client_Side_Testing)&lt;br /&gt;
* [OWASP Cross Site Scripting Prevention Cheat Sheet ](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet)&lt;br /&gt;
* [OWASP DOM Based Cross Site Scripting Prevention Cheat Sheet ](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet)&lt;br /&gt;
* [OWASP Java Encoding Project](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project)&lt;br /&gt;
&lt;br /&gt;
For more information on auto-escaping, please see:&lt;br /&gt;
&lt;br /&gt;
* [Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems](http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html)&lt;br /&gt;
* [AngularJS Strict Contextual Escaping](https://docs.angularjs.org/api/ng/service/$sce)&lt;br /&gt;
* [ReactJS Escaping](https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks)&lt;br /&gt;
* [Improperly Controlled Modification of Dynamically-Determined Object Attributes](https://cwe.mitre.org/data/definitions/915.html)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V4_Access_Control&amp;diff=235591</id>
		<title>ASVS V4 Access Control</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V4_Access_Control&amp;diff=235591"/>
				<updated>2017-11-19T06:27:49Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Created page with &amp;quot;# V4: Access Control Verification Requirements  ## Control Objective  Authorization is the concept of allowing access to resources only to those permitted to use them. Ensure...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V4: Access Control Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Authorization is the concept of allowing access to resources only to those permitted to use them. Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* Persons accessing resources hold valid credentials to do so.&lt;br /&gt;
* Users are associated with a well-defined set of roles and privileges.&lt;br /&gt;
* Role and permission metadata is protected from replay or tampering.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **4.1** | Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **4.4** | Verify that access to sensitive records is protected, such that only authorized objects or data is accessible to each user (for example, protect against users tampering with a parameter to see or alter another user's account). | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **4.5** | Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **4.8** | Verify that access controls fail securely. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **4.9** | Verify that the same access control rules implied by the presentation layer are enforced on the server side. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **4.10** | Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **4.11** | Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **4.12** | Verify that all access control decisions can be logged and all failed decisions are logged. |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **4.13** | Verify that the application or framework uses strong random anti-CSRF tokens or has another transaction protection mechanism. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **4.14** | Verify the system can protect against aggregate or continuous access of secured functions, resources, or data. For example, consider the use of a resource governor to limit the number of edits per hour or to prevent the entire database from being scraped by an individual user. |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **4.15** | Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **4.16** | Verify that the application correctly enforces context-sensitive authorisation so as to not allow unauthorised manipulation by means of parameter tampering.  | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
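&lt;br /&gt;
The following is an added example and is not part of the ASVS text or of any OWASP project code. It shows a centralized authorization check (4.11) that denies by default and fails closed (4.8), takes the subject from server-side session state rather than from the request (4.10), enforces object-level ownership so that a tampered identifier does not expose another user's record (4.4, 4.16), and records every decision with all denials logged (4.12). The users, invoices, actions and rule names are constructed assumptions for the example.&lt;br /&gt;
&lt;br /&gt;
```python
class Forbidden(Exception):
    """Raised by the central check; the HTTP layer maps it to one generic 403."""


# Constructed sample data for the example.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
INVOICES = {101: {"owner": "alice", "total": 10}, 102: {"owner": "bob", "total": 20}}


def _is_owner(subject, invoice):
    # Raises KeyError on a resource without an owner; authorize() turns that into a denial.
    return invoice["owner"] == subject


def _is_admin(subject, invoice):
    # Role comes from server-side user data, never from a request parameter.
    return USERS.get(subject, {}).get("role") == "admin"


# Policy: action -> rules, any one of which may grant. Actions not listed are denied.
POLICY = {
    "invoice:read": (_is_owner, _is_admin),
    "invoice:void": (_is_admin,),
}


def authorize(subject, action, resource, decisions):
    """The single choke point every handler calls (4.11). Default deny (4.8):
    an unknown action, an empty rule list, or an exception inside a rule all
    end as Forbidden. Every decision is appended to 'decisions' (a stand-in
    for the security log), so all denials are logged (4.12)."""
    allowed = False
    try:
        allowed = any(rule(subject, resource) for rule in POLICY.get(action, ()))
    except Exception:
        allowed = False
    decisions.append("%s action=%s subject=%s" % ("ALLOW" if allowed else "DENY", action, subject))
    if not allowed:
        raise Forbidden(action)
    return True


def get_invoice(session, invoice_id, decisions):
    """Handler for GET /invoices/{id}. The subject is read from the server-side
    session, never from a parameter or cookie the client can edit (4.10); the
    requested id is checked against the record's owner (4.4). A missing id is
    passed through the same check, so the response for 'not yours' and
    'does not exist' is identical and ids cannot be enumerated."""
    subject = session["user"]
    invoice = INVOICES.get(invoice_id, {})
    authorize(subject, "invoice:read", invoice, decisions)
    return invoice


if __name__ == "__main__":
    log = []
    print(get_invoice({"user": "alice"}, 101, log))
    try:
        get_invoice({"user": "bob"}, 101, log)
    except Forbidden:
        print("bob denied")
    print(log)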
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Authorization](https://www.owasp.org/index.php/Testing_for_Authorization)&lt;br /&gt;
* [OWASP Cheat Sheet: Access Control](https://www.owasp.org/index.php/Access_Control_Cheat_Sheet)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V3_Session_Management&amp;diff=235590</id>
		<title>ASVS V3 Session Management</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V3_Session_Management&amp;diff=235590"/>
				<updated>2017-11-19T06:27:34Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Create v3&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V3: Session Management Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. This is referred to as Session Management and is defined as the set of all controls governing stateful interaction between a user and the web-based application.&lt;br /&gt;
&lt;br /&gt;
Ensure that a verified application satisfies the following high level session management requirements:&lt;br /&gt;
&lt;br /&gt;
* Sessions are unique to each individual and cannot be guessed or shared.&lt;br /&gt;
* Sessions are invalidated when no longer required and timed out during periods of inactivity.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **3.2** | Verify that sessions are invalidated when the user logs out. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **3.3** | Verify that sessions timeout after a specified period of inactivity. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **3.4** | Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout). |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **3.5** | Verify that all pages that require authentication have easy and visible access to logout functionality. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **3.6** | Test that the session ID is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **3.7** | Verify that all successful authentication and re-authentication generates a new session and session id. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **3.10** | Verify that only session ids generated by the application framework are recognised as active by the application. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **3.11** | Test session IDs against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis and information leakage. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **3.12** | Verify that session IDs stored in cookies are scoped using the 'path' attribute; and have the 'HttpOnly' and 'Secure' cookie flags enabled. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **3.17** | Verify that the application tracks all active sessions, and allows users to terminate sessions selectively or globally from their account.  |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **3.18** | Verify for high value applications that the user is prompted with the option to terminate all other active sessions after a successful change password process. |  |  | ✓ | 3.1 |&lt;br /&gt;
| **3.1** | TBA | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
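&lt;br /&gt;
The following is an added example and is not part of the ASVS text or of any OWASP project code. It is a minimal server-side session store in Python that covers the rows above together with 7.6 from the Cryptography chapter: ids are 256 bits from the OS CSPRNG (3.11), only ids the store issued are honoured (3.10), a fresh id is issued on authentication (3.7), idle and absolute timeouts are enforced independently (3.3, 3.4), logout invalidates (3.2), a user can list and terminate their other sessions (3.17, 3.18), and the cookie is emitted with Path, HttpOnly and Secure (3.12). The timeout values, the injected clock and the class and method names are assumptions for the example.&lt;br /&gt;
&lt;br /&gt;
```python
import secrets

IDLE_TIMEOUT = 15 * 60          # seconds; assumed policy value (3.3)
ABSOLUTE_TIMEOUT = 8 * 3600     # seconds; assumed policy value (3.4)


class SessionStore:
    def __init__(self, clock):
        self.clock = clock          # callable returning seconds; injected so tests can move time
        self.sessions = {}          # id -> {"user", "created", "last_seen"}

    def _new_id(self):
        return secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG (3.11, 7.6)

    def _issue(self, user):
        sid = self._new_id()
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def create_anonymous(self):
        return self._issue(None)

    def get(self, sid):
        """Return the session or None. An id the store never issued (3.10), an
        idle session (3.3) and a session past the absolute limit (3.4) are all
        simply invalid; expired entries are removed on first touch."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.sessions.pop(sid, None)
            return None
        s["last_seen"] = now
        return s

    def authenticate(self, old_sid, user):
        """3.7: a successful login discards the pre-authentication id and issues a
        new one, so an id planted by an attacker before login (session fixation)
        never becomes an authenticated session."""
        self.sessions.pop(old_sid, None)
        return self._issue(user)

    def logout(self, sid):
        self.sessions.pop(sid, None)    # 3.2: server-side invalidation, not just cookie deletion

    def active_for(self, user):
        return [sid for sid, s in self.sessions.items() if s["user"] == user]    # 3.17

    def terminate_others(self, user, keep_sid):
        """3.17 / 3.18: used from the account page and after a password change."""
        for sid in self.active_for(user):
            if sid != keep_sid:
                self.sessions.pop(sid, None)


def session_cookie(sid):
    """3.12: scoped with Path, not readable from script, only sent over TLS.
    SameSite is not in the 3.x text; it is added here as defence in depth."""
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid
```
&lt;br /&gt;
Because the id is never derived from user data and is only ever sent in a cookie, it does not appear in URLs, which is what 3.6 checks for; the remaining part of 3.6, keeping it out of error messages and logs, is a logging concern (see V8).&lt;br /&gt;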
&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Session Management Testing](https://www.owasp.org/index.php/Testing_for_Session_Management)&lt;br /&gt;
* [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V2_Authentication&amp;diff=235589</id>
		<title>ASVS V2 Authentication</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V2_Authentication&amp;diff=235589"/>
				<updated>2017-11-19T06:27:14Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Create V2&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V2: Authentication Verification Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
Authentication is the act of establishing, or confirming, something (or someone) as authentic, that is, that claims made by or about the thing are true. Ensure that a verified application satisfies the following high level requirements:&lt;br /&gt;
&lt;br /&gt;
* Verifies the digital identity of the sender of a communication.&lt;br /&gt;
* Ensures that only those authorised are able to authenticate and credentials are transported in a secure manner.&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **2.1** | Verify all pages and resources are protected by server-side authentication, except those specifically intended to be public. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **2.2** | Verify that the application does not automatically fill in credentials – either as hidden fields, URL arguments, Ajax requests, or in forms, as this implies plain text, reversible or de-cryptable password storage. Random time limited nonces are acceptable as stand ins, such as to protect change password forms or forgot password forms. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **2.6** | Verify all authentication controls fail securely to ensure attackers cannot log in. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **2.7** | Verify password entry fields allow, or encourage, the use of passphrases, and do not prevent long passphrases or highly complex passwords being entered. | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **2.8** | Verify all identity functions (e.g. forgot password, change password, change email, manage 2FA token, etc.) have the same security controls as the primary authentication mechanism (e.g. login form). | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **2.9** | Verify that the changing password functionality includes the old password, the new password, and a password confirmation. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **2.12** | Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.  |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **2.13** | Verify that account passwords are one way hashed with a salt, and there is sufficient work factor to defeat brute force and password hash recovery attacks. |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **2.16** | Verify that all application data is transmitted over an encrypted channel (e.g. TLS). | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **2.17** | Verify that the forgotten password function and other recovery paths do not reveal the current password and that the new password is not sent in clear text to the user. A one time password reset link should be used instead. | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **2.18** | Verify that information enumeration is not possible via login, password reset, or forgot account functionality.  |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **2.19** | Verify there are no default passwords in use for the application framework or any components used by the application (such as “admin/password”). | ✓ | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **2.20** | Verify that anti-automation is in place to prevent breached credential testing, brute forcing, and account lockout attacks. |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **2.21** | Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location.  |  | ✓ | ✓ | 2.0 |&lt;br /&gt;
| **2.22** | Verify that forgotten password and other recovery paths use a TOTP or other soft token, mobile push, or other offline recovery mechanism. The use of SMS has been deprecated by NIST and should not be used. |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **2.23** | Verify that account lockout is divided into soft and hard lock status, and these are not mutually exclusive. If an account is temporarily soft locked out due to a brute force attack, this should not reset the hard lock status. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **2.24** | Verify that if secret questions are required, the questions do not violate privacy laws and are sufficiently strong to protect accounts from malicious recovery. | ✓ | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **2.25** | Verify that high value applications can be configured to disallow the use of a configurable number of previous passwords. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **2.26** | Verify that sensitive operations (e.g. change password, change email address, add new biller, etc.) require re-authentication (e.g. password or 2FA token). This is in addition to CSRF measures, not instead. |  | ✓ | ✓ | 3.0.1 |&lt;br /&gt;
| **2.27** | Verify that measures are in place to block the use of commonly chosen passwords and weak pass-phrases. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **2.28** | Verify that all authentication challenges, whether successful or failed, respond in the same average response time. |  |  | ✓ | 3.0 |&lt;br /&gt;
| **2.29** | Verify that secrets, API keys, and passwords are not included in the source code, or online source code repositories. |  | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **2.31** | Verify that users can enrol and use TOTP verification, two-factor, biometric (Touch ID or similar), or equivalent multi-factor authentication mechanism that provides protection against single factor credential disclosure. |  | ✓ | ✓ | 3.1 |&lt;br /&gt;
| **2.32** | Verify that access to administrative interfaces are strictly controlled and not accessible to untrusted parties. | ✓ | ✓ | ✓ | 3.0 |&lt;br /&gt;
| **2.33** | Verify that the application is compatible with browser based and third party password managers, unless prohibited by risk based policy. | ✓ | ✓ | ✓ | 3.1 |&lt;br /&gt;
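&lt;br /&gt;
The following is an added example and is not part of the ASVS text or of any OWASP project code. It shows, with Python's standard library, a password store that meets 2.13 (per-user random salt plus a memory-hard KDF with a tunable work factor), a verify path that does the same work and returns the same answer for an unknown user as for a wrong password (2.18, 2.28), and a policy check that allows long passphrases while rejecting commonly chosen passwords (2.7, 2.27). The scrypt parameters, the record layout, the dummy record and the tiny blocklist are assumptions for the example; a real deployment uses a breach-derived list and tunes the work factor to its hardware.&lt;br /&gt;
&lt;br /&gt;
```python
import hashlib
import hmac
import secrets

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1     # work factor; assumed values, raise as hardware allows
SALT_LEN = 16
# Constructed stand-in for a breached-password list (2.27).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


class WeakPassword(ValueError):
    pass


def check_password_policy(password):
    """2.7 / 2.27: no upper bound that would block passphrases, but a minimum
    length and a blocklist of commonly chosen passwords."""
    if 8 > len(password):
        raise WeakPassword("too short")
    if password.lower() in COMMON_PASSWORDS:
        raise WeakPassword("commonly used")
    return True


def _kdf(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password):
    """2.13: random per-user salt from the CSPRNG, memory-hard KDF; stored as salt||hash."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + _kdf(password, salt)


# Used in place of the stored record when the username is unknown, so the
# verify path costs the same time either way (2.28) and never short-circuits.
_DUMMY_RECORD = hash_password("dummy-record-" + secrets.token_hex(8))


def verify_login(users, username, password):
    """2.18 / 2.28: unknown user and wrong password run identical work and
    return the same False; the caller shows one generic failure message."""
    record = users.get(username, _DUMMY_RECORD)
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = _kdf(password, salt)
    ok = hmac.compare_digest(candidate, stored)
    return ok and username in users


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(verify_login(users, "alice", "correct horse battery staple"),
          verify_login(users, "alice", "wrong"),
          verify_login(users, "mallory", "correct horse battery staple"))
```
&lt;br /&gt;
Equal work on both paths removes the timing signal; the remaining enumeration channels in 2.18 (different messages, different HTTP status codes, a password-reset form that says whether the address exists) have to be closed in the handlers that call this code. Argon2id is the better choice where a vetted library is available; scrypt is used here only because it ships with the interpreter.&lt;br /&gt;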
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Testing Guide 4.0: Testing for Authentication](https://www.owasp.org/index.php/Testing_for_authentication)&lt;br /&gt;
* [Password storage cheat sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet)&lt;br /&gt;
* [Forgot password cheat sheet](https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet)&lt;br /&gt;
* [Choosing and Using Security Questions at](https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=ASVS_V1_Architecture&amp;diff=235588</id>
		<title>ASVS V1 Architecture</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=ASVS_V1_Architecture&amp;diff=235588"/>
				<updated>2017-11-19T06:26:00Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Create v1&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;# V1: Architecture, Design and Threat Modeling Requirements&lt;br /&gt;
&lt;br /&gt;
## Control Objective&lt;br /&gt;
&lt;br /&gt;
In a perfect world, security would be considered throughout all phases of development. In reality however, security is often only a consideration at a late stage in the SDLC. Besides the technical controls, the ASVS requires processes to be in place that ensure that security has been explicitly addressed when planning the architecture of the application or API, and that the functional and security roles of all components are known. Since single page applications act as clients to remote APIs or services, it must be ensured that appropriate security standards are also applied to those services - testing the app in isolation is not sufficient.&lt;br /&gt;
&lt;br /&gt;
The category “V1” lists requirements pertaining to architecture and design of the app. As such, this is the only category that does not map to technical test cases in the OWASP Testing Guide. To cover topics such as threat modelling, secure SDLC, key management, users of the ASVS should consult the respective OWASP projects and/or other standards such as the ones linked below.&lt;br /&gt;
&lt;br /&gt;
## Security Verification Requirements&lt;br /&gt;
&lt;br /&gt;
| # | Description | L1 | L2 | L3 | Since |&lt;br /&gt;
| --- | --- | --- | --- | -- | -- |&lt;br /&gt;
| **1.1** | All app components are identified and known to be needed. | ✓ | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **1.2** | Security controls are never enforced only on the client side, but on the respective remote endpoints. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **1.3** | A high-level architecture for the application and all connected remote services has been defined and security has been addressed in that architecture. |  | ✓ | ✓ | 1.0 |&lt;br /&gt;
| **1.4** | Data considered sensitive in the context of the application is clearly identified. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **1.5** | All app components are defined in terms of the business functions and/or security functions they provide. | | | ✓ | 1.0 |&lt;br /&gt;
| **1.6** | A threat model for the application and the associated remote services has been produced that identifies potential threats and countermeasures. |  |  | ✓ | 1.0 |&lt;br /&gt;
| **1.7** | All security controls have a centralized implementation. | |✓ |✓ | 3.0 |&lt;br /&gt;
| **1.8** | Components are segregated from each other via a defined security control, such as network segmentation, firewall rules, or cloud based security groups. | |✓ |✓ | 3.0 |&lt;br /&gt;
| **1.9** | A mechanism for enforcing updates of the application exists. | |✓ |✓ | 3.0 |&lt;br /&gt;
| **1.10** | Security is addressed within all parts of the software development lifecycle. | |✓ |✓ | 3.0 |&lt;br /&gt;
| **1.11** | All application components, libraries, modules, frameworks, platforms, and operating systems are free from known vulnerabilities. | |✓ |✓ | 3.0.1 |&lt;br /&gt;
| **1.12** | There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57. | |✓ |✓ | 3.1 |&lt;br /&gt;
&lt;br /&gt;
## References&lt;br /&gt;
&lt;br /&gt;
For more information, see also:&lt;br /&gt;
&lt;br /&gt;
* [OWASP Threat Modeling Cheat Sheet](https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet)&lt;br /&gt;
* [OWASP Attack Surface Analysis Cheat Sheet](https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet)&lt;br /&gt;
* [OWASP Security Architecture Cheat Sheet](https://www.owasp.org/index.php/Application_Security_Architecture_Cheat_Sheet)&lt;br /&gt;
* [OWASP Threat Modelling](https://www.owasp.org/index.php/Application_Threat_Modeling)&lt;br /&gt;
* [OWASP Secure SDLC Cheat Sheet](https://www.owasp.org/index.php/Secure_SDLC_Cheat_Sheet)&lt;br /&gt;
* [Microsoft SDL](https://www.microsoft.com/en-us/sdl/)&lt;br /&gt;
* [NIST SP 800-57](http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf)&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=235587</id>
		<title>Category:OWASP Application Security Verification Standard Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Application_Security_Verification_Standard_Project&amp;diff=235587"/>
				<updated>2017-11-19T06:20:33Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* What is ASVS? */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Home =&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is ASVS? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.&lt;br /&gt;
&lt;br /&gt;
The primary aim of the '''OWASP Application Security Verification Standard (ASVS) Project''' is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind: &lt;br /&gt;
&lt;br /&gt;
*'''Use as a metric''' - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications, &lt;br /&gt;
*'''Use as guidance''' - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and &lt;br /&gt;
*'''Use during procurement''' - Provide a basis for specifying application security verification requirements in contracts.&lt;br /&gt;
&lt;br /&gt;
== OWASP ASVS 3.1 (early access) ==&lt;br /&gt;
&lt;br /&gt;
* [[ASVS V1 Architecture]]&lt;br /&gt;
* [[ASVS V2 Authentication]]&lt;br /&gt;
* [[ASVS V3 Session Management]]&lt;br /&gt;
* [[ASVS V4 Access Control]]&lt;br /&gt;
* [[ASVS V5 Input validation and output encoding]]&lt;br /&gt;
* [[ASVS V7 Cryptography]]&lt;br /&gt;
* [[ASVS V8 Error Handling]]&lt;br /&gt;
* [[ASVS V9 Data Protection]]&lt;br /&gt;
* [[ASVS V10 Communications]]&lt;br /&gt;
* [[ASVS V13 Malicious Code]]&lt;br /&gt;
* [[ASVS V15 Business Logic Flaws]]&lt;br /&gt;
* [[ASVS V16 Files and Resources]]&lt;br /&gt;
* [[ASVS V17 Mobile]]&lt;br /&gt;
* [[ASVS V18 API]]&lt;br /&gt;
* [[ASVS V19 Configuration]]&lt;br /&gt;
* [[ASVS V20 Internet of Things]]&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-bulb.jpg]] [https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard Project Email List]&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
Daniel Cuthbert [mailto:Daniel.Cuthbert@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Andrew van der Stock [mailto:vanderaj@owasp.org @]&amp;lt;br/&amp;gt;&lt;br /&gt;
Jim Manico [mailto:jim.manico@owasp.org @]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-satellite.jpg]]'''OWASP Resources''' &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/OWASP_Proactive_Controls OWASP Top Ten Proactive Controls (2016)]&lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project OWASP Top Ten Risks (2013)] &lt;br /&gt;
*[http://www.owasp.org/index.php/Category:OWASP_Guide_Project OWASP Development Guide] &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
ASVS 3.0.1 in English.&amp;lt;br/&amp;gt;&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
* [29 June 2016] [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Version 3.0.1]] released!&lt;br /&gt;
* [9 Oct 2015] Version 3.0 released&lt;br /&gt;
* [20 May 2015] &amp;quot;First Cut&amp;quot; Version 3.0 released&lt;br /&gt;
* [11 Aug 2014] Version 2.0 released&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Downloads =&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 3.0.1 '''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in English ==&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:OWASP_Application_Security_Verification_Standard_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Spanish==&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.pdf|Download PDF - 1.7 MB]]&lt;br /&gt;
* [[Media:Estándar_de_Verificación_de_Seguridad_en_Aplicaciones_3.0.1.docx|Download Word - 835 kB]]&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0.1 in Polish==&lt;br /&gt;
* [[Media:OWASP Application Security Verification Standard 3.0.1 PL.pdf|Download PDF - 1.5 MB]]&lt;br /&gt;
&lt;br /&gt;
We are looking for translators for this version. If you can help us, please contact the project mail list!&lt;br /&gt;
&lt;br /&gt;
'''Legacy Application Security Verification Standard 3.0'''&lt;br /&gt;
&lt;br /&gt;
== ASVS 3.0 in English ==&lt;br /&gt;
* [[Media:OWASPApplicationSecurityVerificationStandard3.0.pdf|download PDF - 1.2 MB]]&lt;br /&gt;
* [[Media:ASVS-excel.xlsx|ASVS 3.0 excel sheet  - 39 kB]]&lt;br /&gt;
&lt;br /&gt;
== Older versions ==&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 2.0 (final)'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.pdf|download PDF - 1.6 MB]])&lt;br /&gt;
* ASVS 2.0 in English ([[Media:OWASP_ASVS_Version_2.docx|download Word - 1.0MB]])&lt;br /&gt;
* ASVS 2.0 in Persian ([[Media:OWASP_ASVS_Version_2_Persian.pdf|download PDF - 1.6MB]])&lt;br /&gt;
* ASVS 2.0 in Polish (checklist) ([[Media:Asvs_2_PL.xlsx|download Excel]])&lt;br /&gt;
&lt;br /&gt;
'''Application Security Verification Standard 1.0 - 2009'''&lt;br /&gt;
&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.pdf|download PDF - 2.5 MB]])&lt;br /&gt;
* ASVS 1.0 Final (English) ([[Media:OWASP_ASVS_2009_Web_App_Std_Release.doc|download Word - 2.3 MB]])&lt;br /&gt;
&lt;br /&gt;
= Acknowledgements =&lt;br /&gt;
&lt;br /&gt;
== Volunteers ==&lt;br /&gt;
&lt;br /&gt;
=== Version 3 (2015) ===&lt;br /&gt;
&lt;br /&gt;
Project Leaders&lt;br /&gt;
&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
&lt;br /&gt;
Lead Author&lt;br /&gt;
*Jim Manico&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Boy Baukema &lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Colin Watson &lt;br /&gt;
*François-Eric Guyomarc’h&lt;br /&gt;
*Cristinel Dumitru &lt;br /&gt;
*James Holland&lt;br /&gt;
*Gary Robinson&lt;br /&gt;
*Stephen de Vries&lt;br /&gt;
*Glenn Ten Cate&lt;br /&gt;
*Riccardo Ten Cate&lt;br /&gt;
*Martin Knobloch&lt;br /&gt;
*Abhinav Sejpal&lt;br /&gt;
*David Ryan&lt;br /&gt;
*Steven van der Baan&lt;br /&gt;
*Ryan Dewhurst&lt;br /&gt;
*Raoul Endres&lt;br /&gt;
*Roberto Martelloni&lt;br /&gt;
&lt;br /&gt;
=== Version 2 (2014) ===&lt;br /&gt;
&lt;br /&gt;
Project leaders&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Andrew van der Stock&lt;br /&gt;
*Sahba Kazerooni&lt;br /&gt;
*Daniel Cuthbert&lt;br /&gt;
*Krishna Raja&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
*Jerome Athias&lt;br /&gt;
*Boy Baukema&lt;br /&gt;
*Archangel Cuison&lt;br /&gt;
*Sebastien Deleersnyder&lt;br /&gt;
*Antonio Fontes&lt;br /&gt;
*Evan Gaustad&lt;br /&gt;
*Safuat Hamdy&lt;br /&gt;
*Ari Kesäniemi&lt;br /&gt;
*Scott Luc&lt;br /&gt;
*Jim Manico&lt;br /&gt;
*Mait Peekma&lt;br /&gt;
*Pekka Sillanpää&lt;br /&gt;
*Jeff Sergeant&lt;br /&gt;
*Etienne Stalmans&lt;br /&gt;
*Colin Watson&lt;br /&gt;
*Dr. Emin İslam Tatlı&lt;br /&gt;
&lt;br /&gt;
Translators&lt;br /&gt;
*Abbas Javan Jafari (Persian)&lt;br /&gt;
*Sajjad Pourali (Persian)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Version 2009 ===&lt;br /&gt;
&lt;br /&gt;
Project leader&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
&lt;br /&gt;
Lead authors&lt;br /&gt;
*Mike Boberski&lt;br /&gt;
*Jeff Williams&lt;br /&gt;
*Dave Wichers&lt;br /&gt;
&lt;br /&gt;
Other reviewers and contributors&lt;br /&gt;
&lt;br /&gt;
Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera, Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.&lt;br /&gt;
&lt;br /&gt;
== OWASP Summer of Code 2008 ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.&lt;br /&gt;
&lt;br /&gt;
= Glossary =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-letters.jpg]]'''ASVS Terminology''' &lt;br /&gt;
&lt;br /&gt;
*'''Access Control''' – A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong. &lt;br /&gt;
*'''Application Component''' – An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application. &lt;br /&gt;
*'''Application Security''' – Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on, for example, the underlying operating system or connected networks. &lt;br /&gt;
*'''Application Security Verification''' – The technical assessment of an application against the OWASP ASVS. &lt;br /&gt;
*'''Application Security Verification Report''' – A report that documents the overall results and supporting analysis produced by the verifier for a particular application. &lt;br /&gt;
*'''Application Security Verification Standard (ASVS)''' – An OWASP standard that defines four levels of application security verification for applications. &lt;br /&gt;
*'''Authentication''' – The verification of the claimed identity of an application user. &lt;br /&gt;
*'''Automated Verification''' – The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems. &lt;br /&gt;
*'''Back Doors''' – A type of malicious code that allows unauthorized access to an application. &lt;br /&gt;
*'''Blacklist''' – A list of data or operations that are not permitted, for example a list of characters that are not allowed as input. &lt;br /&gt;
*'''Common Criteria (CC)''' – A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products. &lt;br /&gt;
*'''Communication Security''' – The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application. &lt;br /&gt;
*'''Design Verification''' – The technical assessment of the security architecture of an application. &lt;br /&gt;
*'''Internal Verification''' – The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS. &lt;br /&gt;
*'''Cryptographic module''' – Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys. &lt;br /&gt;
*'''Denial of Service (DOS) Attacks''' – The flooding of an application with more requests than it can handle. &lt;br /&gt;
*'''Dynamic Verification''' – The use of automated tools that use vulnerability signatures to find problems during the execution of an application. &lt;br /&gt;
*'''Easter Eggs''' – A type of malicious code that does not run until a specific user input event occurs. &lt;br /&gt;
*'''External Systems''' – A server-side application or service that is not part of the application. &lt;br /&gt;
*'''FIPS 140-2''' – A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules. &lt;br /&gt;
*'''Input Validation''' – The canonicalization and validation of untrusted user input. &lt;br /&gt;
*'''Malicious Code''' – Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm! &lt;br /&gt;
*'''Malware''' – Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator. &lt;br /&gt;
*'''Open Web Application Security Project (OWASP)''' – The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security &amp;quot;visible,&amp;quot; so that people and organizations can make informed decisions about application security risks. See: http://www.owasp.org/ &lt;br /&gt;
*'''Output Validation''' – The canonicalization and validation of application output to Web browsers and to external systems. &lt;br /&gt;
*'''OWASP Enterprise Security API (ESAPI)''' – A free and open collection of all the security methods that developers need to build secure Web applications. See: http://www.owasp.org/index.php/ESAPI &lt;br /&gt;
*'''OWASP Risk Rating Methodology''' – A risk rating methodology that has been customized for application security. See: http://www.owasp.org/index.php/How_to_value_the_real_risk &lt;br /&gt;
*'''OWASP Testing Guide''' – A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: http://www.owasp.org/index.php/Category:OWASP_Testing_Project &lt;br /&gt;
*'''OWASP Top Ten''' – A document that represents a broad consensus about what the most critical Web application security flaws are. See: http://www.owasp.org/index.php/Top10 &lt;br /&gt;
*'''Positive''' – See whitelist. &lt;br /&gt;
*'''Salami Attack''' – A type of malicious code that is used to redirect small amounts of money without detection in financial transactions. &lt;br /&gt;
*'''Security Architecture''' – An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data. &lt;br /&gt;
*'''Security Control''' – A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record). &lt;br /&gt;
*'''Security Configuration''' – The runtime configuration of an application that affects how security controls are used. &lt;br /&gt;
*'''Static Verification''' – The use of automated tools that use vulnerability signatures to find problems in application source code. &lt;br /&gt;
*'''Target of Verification (TOV)''' – If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. &lt;br /&gt;
*'''Threat Modeling''' - A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets. &lt;br /&gt;
*'''Time Bomb''' – A type of malicious code that does not run until a preconfigured time or date elapses. &lt;br /&gt;
*'''Verifier''' - The person or team that is reviewing an application against the OWASP ASVS requirements. &lt;br /&gt;
*'''Whitelist''' – A list of permitted data or operations, for example a list of characters that are allowed as input, used to perform input validation.&lt;br /&gt;
&lt;br /&gt;
= ASVS Users  =&lt;br /&gt;
[[Image:Asvs-handshake.JPG]]&lt;br /&gt;
&lt;br /&gt;
A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including [http://www.aspectsecurity.com Aspect Security], [http://www.astyran.com Astyran], [http://www.boozallen.com Booz Allen Hamilton], [http://casabasecurity.com Casaba Security], [http://www.cgi.com/web/en/industries/governments/us_federal/services_solutions.htm CGI Federal], [http://denimgroup.com Denim Group], [http://etebaran.com Etebaran Informatics], [http://www.mindedsecurity.com Minded Security], [http://www.nixu.com Nixu], [http://www.pstestware.com/ ps_testware], [http://www.proactiverisk.com Proactive Risk], [http://quince.co.uk Quince Associates Limited (SeeMyData)], [http://www.serpro.gov.br/ Serviço Federal de Processamento de Dados (SERPRO)], [http://www.udistrital.edu.co/ Universidad Distrital Francisco José de Caldas]. Organizations listed are not accredited by OWASP, and neither their products nor their services have been endorsed by OWASP. Use of ASVS may include, for example, providing verification services using the standard. Use of ASVS may also include, for example, performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and a brief description of how you use the standard. The project lead can be reached [mailto:sahba@securitycompass.com here].&lt;br /&gt;
&lt;br /&gt;
= Precedents-Interpretations =&lt;br /&gt;
&lt;br /&gt;
'''PI-0001: Are there levels between the levels?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: Are there levels between the levels for the cases where &amp;quot;The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level&amp;quot;? &lt;br /&gt;
*Resolution: No. Use of alternate level definitions or notations such as &amp;quot;ASVS Level 1B+&amp;quot; is discouraged. &lt;br /&gt;
*References: ASVS section &amp;quot;Application Security Verification Levels&amp;quot;&lt;br /&gt;
&lt;br /&gt;
'''PI-0002: Is use of a master key simply another level of indirection?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection? &lt;br /&gt;
*Resolution: No. There is a strong rationale for having a &amp;quot;master key&amp;quot; stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection. &lt;br /&gt;
*References: ASVS verification requirement V2.14&lt;br /&gt;
&lt;br /&gt;
'''PI-0003: What is a &amp;quot;TOV&amp;quot; or &amp;quot;Target of Verification&amp;quot;?''' &lt;br /&gt;
&lt;br /&gt;
*Issue: New terminology &lt;br /&gt;
*Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the &amp;quot;Target of Verification&amp;quot; or simply the TOV. The TOV should be identified in verification documentation as follows: &lt;br /&gt;
**TOV Identification – &amp;amp;lt;name and version of the application&amp;amp;gt; or &amp;amp;lt;Application name&amp;amp;gt;, &amp;amp;lt;application version&amp;amp;gt;, dynamic testing was performed in a staging environment, not the production environment &lt;br /&gt;
**TOV Developer – &amp;amp;lt;insert name of the developer or verification customer&amp;amp;gt; &lt;br /&gt;
*References: ASVS section &amp;quot;Approach&amp;quot;&lt;br /&gt;
&lt;br /&gt;
= Internationalization =&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-writing.JPG]]&lt;br /&gt;
If you can help with translations, please download the latest draft here:&lt;br /&gt;
&lt;br /&gt;
https://github.com/OWASP/ASVS&lt;br /&gt;
&lt;br /&gt;
If there are any incomprehensible English idioms or phrases in there, please don't hesitate to ask for clarification, because if it's hard to translate, it's almost certainly wrong in English as well. We recommend logging translation issues in GitHub, too, so please make yourself known. &lt;br /&gt;
&lt;br /&gt;
Translations are coordinated through OWASP's Crowd In account, so you don't have to do the entire thing yourself. &lt;br /&gt;
&lt;br /&gt;
https://crowdin.com/project/owasp-asvs/&lt;br /&gt;
&lt;br /&gt;
You don't HAVE to use Crowd In, but it would be nice to indicate to other native speakers of your language that you are willing to work together. This is a 70 page document, and in all honesty, will take a dedicated person a week or more to translate, so please please please work together rather than apart. You have full access to the original document and the original images, so you have everything I have.&lt;br /&gt;
&lt;br /&gt;
= Archive - Previous Version =&lt;br /&gt;
&lt;br /&gt;
'''*Please note that ASVS is currently on version 3.0.  The information on this page is for archival purposes only.*'''&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step1.jpg]]'1. About ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*Video presentation in English [https://www.youtube.com/watch?v=Ba6ncpIfaJA (YouTube)] &lt;br /&gt;
*ASVS vs. WASC et al [http://www.owasp.org/index.php/ASVS_vs_WASC_Et_Al (Wiki)]&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step2.jpg]]'2. Get ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS in Bahasa Indonesia (Indonesian language) ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-id.pdf PDF])&lt;br /&gt;
*ASVS in Bahasa Malaysia (Malay) (Currently under development!)&lt;br /&gt;
*ASVS in Chinese(Currently under development!) &lt;br /&gt;
*ASVS in English ([http://www.owasp.org/images/4/4e/OWASP_ASVS_2009_Web_App_Std_Release.pdf PDF], [http://www.owasp.org/images/3/35/OWASP_ASVS_2009_Web_App_Std_Release.doc Word], [http://code.google.com/p/owasp-asvs/wiki/ASVS '''Online'''], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-xml.zip XML]) &lt;br /&gt;
*ASVS in French ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-fr.odt OpenOffice]) &lt;br /&gt;
*ASVS in German ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-de.doc Word])&lt;br /&gt;
*ASVS in Hungarian (Currently under development!) &lt;br /&gt;
*ASVS in Japanese ([http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.pdf PDF], [http://owasp-asvs.googlecode.com/svn/trunk/documentation/asvs-webapp-release-2009-jp.doc Word]) &lt;br /&gt;
*ASVS in Persian (Farsi) ([http://abiusx.com/archive/document/OWASP-ASVS-fa-20111115.pdf PDF]) beta 0.7&lt;br /&gt;
*ASVS in Polish ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pl.pdf PDF])&lt;br /&gt;
*ASVS in Portuguese-Brazil ([http://owasp-asvs.googlecode.com/files/asvs-webapp-release-2009-pt-br.pdf PDF])&lt;br /&gt;
*ASVS in Spanish (Currently under development!)&lt;br /&gt;
*ASVS in Thai (Currently under development!)&lt;br /&gt;
&lt;br /&gt;
[[Image:Asvs-step3.jpg]]'3. Learn ASVS 1.0' &lt;br /&gt;
&lt;br /&gt;
*ASVS Article: Getting Started Using ASVS ([http://www.owasp.org/images/f/f8/OWASP_ASVS_Article_-_Getting_Started_Using_ASVS.pdf PDF]) &lt;br /&gt;
*ASVS Article: Code Reviews and Other Verification Activities: USELESS Unless Acted Upon IMMEDIATELY [http://www.owasp.org/index.php/Code_Reviews_and_Other_Verification_Activities:_USELESS_Unless_Acted_Upon_IMMEDIATELY (Wiki)] &lt;br /&gt;
*ASVS Article: Agile Software Development: Don't Forget EVIL User Stories ([http://www.owasp.org/index.php/Agile_Software_Development:_Don%27t_Forget_EVIL_User_Stories Wiki]) &lt;br /&gt;
*ASVS Article: Man vs. Code ([http://www.owasp.org/index.php/Man_vs._Code Wiki]) &lt;br /&gt;
*ASVS Article: Getting started designing for a level of assurance ([http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf PDF]) &lt;br /&gt;
*ASVS Template: Sample verification fee schedule template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Fee_Schedule_Template.xls Excel]) &lt;br /&gt;
*ASVS Template: Sample verification report template ([http://www.owasp.org/index.php/Image:Sample_ASVS_Report_Template.doc Word]) &lt;br /&gt;
*ASVS Training: An ASVS training presentation ([http://www.owasp.org/index.php/Image:OWASP_AU_Secure_Architecture_and_Coding.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Executive-Level Presentation ([http://www.owasp.org/images/9/99/About_OWASP_ASVS_Executive_Presentation.ppt PowerPoint]) &lt;br /&gt;
*ASVS Presentation: Presentation Abstract ([http://www.owasp.org/images/1/10/OWASP_ASVS_Presentation_Abstract.doc Word]) &lt;br /&gt;
*Articles [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#Articles_Below_-_More_About_ASVS_and_Using_It (More About ASVS and Using It)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project|Application Security Verification Standard Project]]&lt;br /&gt;
[[Category:OWASP_Document]]&lt;br /&gt;
[[Category:OWASP_Download]]&lt;br /&gt;
[[Category:OWASP_Release_Quality_Document|OWASP Stable Quality Document]]&lt;br /&gt;
[[Category:SAMM-CR-1]]&lt;br /&gt;
[[Category:SAMM-DR-2]]&lt;br /&gt;
[[Category:SAMM-ST-3]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=October_11,_2017&amp;diff=234309</id>
		<title>October 11, 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=October_11,_2017&amp;diff=234309"/>
				<updated>2017-10-11T21:02:17Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Updated agenda&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Meeting Location: &lt;br /&gt;
&lt;br /&gt;
'''VIRTUAL'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''AGENDA'''&lt;br /&gt;
This is the VIRTUAL packet that is provided to everyone at the same time to review, make comments and be prepared for the meeting. There is no paper handout for the meeting.&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
- Approval of prior [https://docs.google.com/a/owasp.org/document/d/1TzXYoQNYo3Agv6yS9GOBpiPipvELnnhdqk-f-L12Z5c/edit?usp=sharing Minutes - September 19, 2017]&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
OWASP Foundation is managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors Operations Director] who provides a monthly roll-up report in collaboration with all staff members, contractors and efforts being managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors back office team.]  A link to the monthly operational report can be found here:  [http://owasp.blogspot.com/2017/01/owasp-operations-update-for-january-2017.html REPORT]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
OWASP Project Summit 2018 (AJV)&lt;br /&gt;
* Seba and Dinis want to do the event without Board funding&lt;br /&gt;
* OCMS event registered again&lt;br /&gt;
* Considering the cost of Centre Parcs (££££££), does this leave OWASP on the hook - who signs for this?&lt;br /&gt;
* Vote: Let Seba and Dinis go forward with planning and execution of OWASP Summit in 2018 without funding from the Organization and without the organization signing contracts. &lt;br /&gt;
&lt;br /&gt;
Strategic Goals (Konda) - Timeboxed to 15 minutes.&lt;br /&gt;
* Recap on 2017&lt;br /&gt;
* Discussion for 2018&lt;br /&gt;
** 2017 Reloaded from Konda:  https://docs.google.com/document/d/1ZgZotdu3TglKCiyOxyQVwS16YDJj0qmEkdYz0LT7hf4/edit&lt;br /&gt;
** Reference:  &lt;br /&gt;
*** 2017:  https://docs.google.com/document/d/1maFqH9NEdQB8ULDU03S_zsXI5k3NiCDKcy9xian63cE/edit#heading=h.divazhxd68t1&lt;br /&gt;
*** 2016:  https://docs.google.com/document/d/1Ux8lRGjXShjKr6BtJ-4WKJNVx3mZC3TN5EITC_zUW2A/edit&lt;br /&gt;
*** 2015:  https://docs.google.com/document/d/1BZx7Wjo5L6JGOIvCFeQUWmmYtrIcRatGuJltWobXdZo/edit&lt;br /&gt;
*** 2014:  https://docs.google.com/document/d/19BJMDMTVWlwqMcvUfDy1Mcjtd_bKGbhu-D-VBE-7kFU/edit  (Also includes summary of previous)&lt;br /&gt;
&lt;br /&gt;
* Facilitated discussion based on:  https://docs.google.com/a/owasp.org/spreadsheets/d/1EBm6XvVmN2lQrS15X7PDER5X8S4nsISKkdK1PGgpx24/edit?usp=sharing&lt;br /&gt;
&lt;br /&gt;
Audit (AJV)&lt;br /&gt;
* Tom Pappas to describe the outcomes&lt;br /&gt;
* Items that need Board attention (timesheets, staff CC / expense management, and ensuring that we have visibility of pay changes within the ESC system)&lt;br /&gt;
* Likely to sign it off once we have final draft. &lt;br /&gt;
&lt;br /&gt;
Fix Project Balance for the OWASP SAMM project (AJV)&lt;br /&gt;
* They have access to 6600 Euros in their EU chapter funds (Tom Pappas to confirm) as that's not listed in the consolidated document which is where I got the $0 from, but in the attachments for EU chapter. This is the danger of running two sets of books, and two accounts&lt;br /&gt;
* Please delay until I can join (ajv)&lt;br /&gt;
* They donated $10k to the Project Summit, and the rest on travel, which is perfectly fine as it uses OWASP funds for mission. &lt;br /&gt;
* The project asks for the return 3677.22 USD to the SAMM project funds removed on 2-Jan-2017 as per the Board's Fund recovery vote on October 2015. No budget was received. &lt;br /&gt;
* see email http://lists.owasp.org/pipermail/owasp-board/2017-October/018357.html (see attachment)&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 ADJOURNMENT&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=September_19,_2017&amp;diff=233497</id>
		<title>September 19, 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=September_19,_2017&amp;diff=233497"/>
				<updated>2017-09-19T20:53:34Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Budget Discussion&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Meeting Location: &lt;br /&gt;
&lt;br /&gt;
'''VIRTUAL'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''AGENDA'''&lt;br /&gt;
This is the VIRTUAL packet that is provided to everyone at the same time to review, make comments and be prepared for the meeting. There is no paper handout for the meeting.&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA (Open to anyone including members of the public)&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
- Approval of prior [https://docs.google.com/a/owasp.org/document/d/1jA8EuT496FWy2s2N1CHcDRTDEy3gaNJ9RRzYMQu1MHo/edit?usp=sharing Prior Meeting Minutes]&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
OWASP Foundation is managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors Operations Director] who provides a monthly roll-up report in collaboration with all staff members, contractors and efforts being managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors back office team.]  A link to the monthly operational report can be found here:  [http://owasp.blogspot.com/2017/01/owasp-operations-update-for-january-2017.html REPORT]&lt;br /&gt;
&lt;br /&gt;
=== Finance Report ===&lt;br /&gt;
From Tom Pappas:&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Attached please find the preliminary (due to Dev Summit 2017 not completely closed out yet) OWASP Combined (Converted to USD for all reports) financial pkg for July 2017 which represents financial performance through seven months of 2017.  I have used the approved version of the Budget for a comparison.  Matt T for the Board call I have attached a pdf of the Board summary and the Balance Sheet Summary which you can put up on the wiki, as the full fin pkg have quite a few tabs that are used for internal tracking only.&lt;br /&gt;
&lt;br /&gt;
Here is a summary of the Activity YTD. All amounts are combined with the EU and converted to USD in these reports:   &lt;br /&gt;
&lt;br /&gt;
'''Income Statement:''' &lt;br /&gt;
&lt;br /&gt;
'''Revenue:'''  On an accrual basis, total revenue YTD through Jul 2017 was $1.423.8 million as compared to a plan of $1,196 million.  The results are $227.7K ahead of plan as of 7.31.17, due primarily to AppSec Cali being over vs AppSec EU being under budget. &lt;br /&gt;
&lt;br /&gt;
'''Expenses:'''   Total spending YTD was over plan by $50.1K due to the overspending on Conference and Chapters, offset by underspending in Community outreach (Marketing), Professional services (No Wiki proj spending) and Grant expense.&lt;br /&gt;
&lt;br /&gt;
'''Net Income/Loss:'''  YTD on a combined Accrual basis we are at a loss of $252.9K vs a budgeted '''LOSS''' of $430.6K for a net gain to the budget of $177.6K.  I want to add some caution here as AppSec EU 2017 was about $57K under budget.  We also, more than ever need AppSec 2017 US to be a success (meet or exceed Bud of $585K net income or the total 2017 budgeted loss of $235K will be more, though it is not looking like we will achieve this) and we just agreed to $45K for the ED search so we need to continue to monitor revenue and spending VERY closely as we move throughout the rest of 2017.  &lt;br /&gt;
&lt;br /&gt;
'''Chapter Funds:''' On an accrual basis, as of 7.31.17 the US Bal is $758.5K, which, while down a couple of thousand dollars from last month, is still a large draw on funds.  This is an issue that is only going to magnify as our events continue to be successful.  Chapter balances will continue to grow to a point where they exceed the amount of cash OWASP has on hand in its Bank accounts, which could happen as soon as Aug 2017.  Also, the EU Ch was up a couple of thousand dollars at $74.8K balance.  I also ran the Proj balances and they are now Combined at $114.4K vs the $95K at the end of June.&lt;br /&gt;
&lt;br /&gt;
POINTS of NOTE:&lt;br /&gt;
&lt;br /&gt;
About AppSec EU 2017, I am told there are a few minor stragglers for minor bills to fully close it out in Aug 17 but as of now please review the AppSec EU 2017 tab, as we were about $84K under in revenue and $27K Under in expense (if no more come in) which takes us to &amp;lt;$57K&amp;gt; in Net income, which is being offset by other events such as AppSec Cali.  As noted in previous months not sure that will continue, so Spending should still be monitored and we need to have AppSec US in Sept meet or exceed the budget of $585K Net income.&lt;br /&gt;
&lt;br /&gt;
There are a couple of points I want to highlight.  The first is about cash while we had almost $1.7 million in the bank and if we add in half of the Open AR of $172K the Balance would be $1.872 million and to be conservative the balance would be and there are between accounts payable, Credit Card chgs and VAT payable for the Italian event in 2016 over $460K, which takes cash down to about $1.24 Million.  So while not a true cash flow issue, yet, if you take out the Ch balance of $833K and the Proj balance of $115K it leaves us with just about $292K of liquid cash and couple that with half the open AR of $172K we have $464K of operational reserves.  I just want to keep this on EVERYONE’s radar as we move forward.  This leaves our Operating cash reserve at 2.6 months and add in half the open AR it takes us to just over 4 months, again this need to continue to be monitored closely.&lt;br /&gt;
&lt;br /&gt;
[Update to previous paragraph] &amp;quot; I am sending this to you as in taking another look at the numbers this morning, I noticed I had not factored in the $213K of OWASP EU payables into the Reserve calculation when I sent this last night.  '''This now takes the Oper reserve to less than one month, when the AP, Proj and Chapter balances are removed from the cash balance'''.  If we add back in half of the open AR balance ( this is a conservative estimate) then the reserve goes up to about 3 months.  So while we do not have a true cash issue, with $1.675 million in the bank at the end of July, the CH and Proj balances have now almost eclipsed the Oper funds, which has been a noted concern for a while now.  I have made the adjustment to the narrative below as well.  Again sorry for any confusion.  &amp;quot;&lt;br /&gt;
&lt;br /&gt;
With regard to Accounts Receivable the US balance is $275K and the EU balance is another $69K.  We have started and are seeing success in following up on the invoices we have created, however will need assistance as any invoices created prior to 6.30.17 do not seem to have contact info, specifically email addresses in Quickbooks so we are working on putting a list together.  Also in conversation with a Ch leader they are offering if we give them a list of open AR by Ch they will follow up as some of these invoices are funds earmarked for them.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
* July 2017 Balance Sheet https://drive.google.com/open?id=0B4xgbqJzimL4Ql93RVZVTGRzcVFqTXdrUnhSenMxNVJ0cU9J&lt;br /&gt;
* July 2017 Board Summary https://drive.google.com/open?id=0B4xgbqJzimL4UFpGUzhyVVotcS04RUZWMWNjWEJhU3BMemZV&lt;br /&gt;
* July 2017 Combined Financial Package https://drive.google.com/open?id=0B4xgbqJzimL4eEJqT0xKcFlha2RYWDlhYUt4a1h6WEh1YlUw&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
&lt;br /&gt;
[Martin] For Vote:&amp;lt;br&amp;gt;&lt;br /&gt;
1. Approve the OWASP Summit 2018 venue contract (see email Seba http://lists.owasp.org/pipermail/owasp-board/2017-September/018332.html)&amp;lt;br&amp;gt;&lt;br /&gt;
2. Recognize the OWASP Summit 2018 as a global event with equal staff support as for a Global AppSec conference&amp;lt;br&amp;gt;&lt;br /&gt;
3. Set aside 100.000 USD as seed fund for the OWASP Summit 2018 to cover travel for selected working-session organizers &lt;br /&gt;
&lt;br /&gt;
[Andrew] For discussion &lt;br /&gt;
# Chapter and project balances - We can't put off finance reform any longer, we need to make changes to the way projects and chapters are funded &lt;br /&gt;
# Operational reserves - How do we get back to six months of operational reserves &lt;br /&gt;
# Accounts receivable - need to work on getting aged receivables fixed &lt;br /&gt;
[Matt T] For Vote:&lt;br /&gt;
&lt;br /&gt;
Clarification/modification of change approved in the [[August 9, 2017|August 9th Board Meeting]] to handle minor payables &lt;br /&gt;
&lt;br /&gt;
Modification:  The original proposal removed the board approval from specific types of reimbursements and payables.  However, the intent of the change (streamlining payments) was blocked by the need for board members (Chairman or Treasurer) to &amp;quot;release&amp;quot; the funds from the US bank account.  The proposed modification would allow for the release of funds from the US bank for any of the specific reimbursement categories below.  As we are currently doing, the details of all payables will be sent to the board during the bi-monthly payment batches so the board is apprised of all payables regardless of the categories below.  &lt;br /&gt;
&lt;br /&gt;
Previous wording from the August meeting is below for reference.  Changes to the original text are underlined.&lt;br /&gt;
&lt;br /&gt;
'''''{previous proposal start}'''''&lt;br /&gt;
* Proposed: Adjust approval processes to meet operational needs as outlined below. [Matt Tesauro] Also supported by Matt Konda.&lt;br /&gt;
** Remove board approval &amp;lt;u&amp;gt;and funds release&amp;lt;/u&amp;gt; for any expense that meets any one of the criteria below&lt;br /&gt;
*** Reimbursement from chapter/project funds which have a sufficient balance capped at $10k&lt;br /&gt;
*** Routine expenses which already have budget allocated, e.g. mobile phone bill, capped at $10k&lt;br /&gt;
*** Expenses under $10k which O&amp;amp;A Committee have approved and are already budgeted&lt;br /&gt;
*** Payroll expenses that&lt;br /&gt;
**** Are the same as the past month’s salary (e.g. same as always) since&lt;br /&gt;
***** For salaried staff, payroll expense is fixed&lt;br /&gt;
***** For hourly staff, hours will be approved by Matt Tesauro&lt;br /&gt;
**** Treasurer will review all salary payments on at least a quarterly basis&lt;br /&gt;
*** Board must approve any changes to payroll outside the above conditions&lt;br /&gt;
Since the board has already voted for budgeted, normal expenses and we WANT the community to spend down any chapter/project funds, I don't see benefit in the board re-approving the actual spend on the categories above.&lt;br /&gt;
&lt;br /&gt;
'''Benefit''': Allow payables to be handled more efficiently and in a streamlined fashion for routine and already budgeted items so that the board is removed from day-to-day operational issues.&lt;br /&gt;
&lt;br /&gt;
'''''{previous proposal end}'''''&lt;br /&gt;
* [https://docs.google.com/document/d/1YZjyyinr1O2JYVj7pFszMZyngN1IrgayRuQxCRoUVNM/edit Proposal] to host 2018 AppSecUSA in San Jose.&lt;br /&gt;
[Andrew and Tom Pappas] For Discussion&lt;br /&gt;
* 2018 Budget Discussion&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
2018 AppSecEU and AppSecUSA Locations &lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/index.php/OWASP_Board_Votes Board Votes vs. YTD Actions] &lt;br /&gt;
 ADJOURNMENT&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=September_19,_2017&amp;diff=233485</id>
		<title>September 19, 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=September_19,_2017&amp;diff=233485"/>
				<updated>2017-09-19T18:06:12Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Added Tom's updates and financial packages to Board list&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Meeting Location: &lt;br /&gt;
&lt;br /&gt;
'''VIRTUAL'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''AGENDA'''&lt;br /&gt;
This is the VIRTUAL packet that is provided to everyone at the same time to review, make comments and be prepared for the meeting. There is no paper handout for the meeting.&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA (Open to anyone including members of the public)&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
- Approval of prior [https://docs.google.com/a/owasp.org/document/d/1jA8EuT496FWy2s2N1CHcDRTDEy3gaNJ9RRzYMQu1MHo/edit?usp=sharing Prior Meeting Minutes]&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
OWASP Foundation is managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors Operations Director] who provides a monthly roll-up report in collaboration with all staff members, contractors and efforts being managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors back office team.]  A link to the monthly operational report can be found here:  [http://owasp.blogspot.com/2017/01/owasp-operations-update-for-january-2017.html REPORT]&lt;br /&gt;
&lt;br /&gt;
=== Finance Report ===&lt;br /&gt;
From Tom Pappas:&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Attached please find the preliminary (due to Dev Summit 2017 not completely closed out yet) OWASP Combined (Converted to USD for all reports) financial pkg for July 2017 which represents financial performance through seven months of 2017.  I have used the approved version of the Budget for a comparison.  Matt T for the Board call I have attached a pdf of the Board summary and the Balance Sheet Summary which you can put up on the wiki, as the full fin pkg have quite a few tabs that are used for internal tracking only.&lt;br /&gt;
&lt;br /&gt;
Here is a summary of the Activity YTD. All amounts are combined with the EU and converted to USD in these reports:   &lt;br /&gt;
&lt;br /&gt;
'''Income Statement:''' &lt;br /&gt;
&lt;br /&gt;
'''Revenue:'''  On an accrual basis, total revenue YTD through Jul 2017 was $1.423.8 million as compared to a plan of $1,196 million.  The results are $227.7K ahead of plan as of 7.31.17, due primarily to AppSec Cali being over vs AppSec EU being under budget. &lt;br /&gt;
&lt;br /&gt;
'''Expenses:'''   Total spending YTD was over plan by $50.1K due to the overspending on Conference and Chapters, offset by underspending in Community outreach (Marketing), Professional services (No Wiki proj spending) and Grant expense.&lt;br /&gt;
&lt;br /&gt;
'''Net Income/Loss:'''  YTD on a combined Accrual basis we are at a loss of $252.9K vs a budgeted '''LOSS''' of $430.6K for a net gain to the budget of $177.6K.  I want to add some caution here as AppSec EU 2017 was about $57K under budget.  We also, more than ever need AppSec 2017 US to be a success (meet or exceed Bud of $585K net income or the total 2017 budgeted loss of $235K will be more, though it is not looking like we will achieve this) and we just agreed to $45K for the ED search so we need to continue to monitor revenue and spending VERY closely as we move throughout the rest of 2017.  &lt;br /&gt;
&lt;br /&gt;
'''Chapter Funds:''' On an accrual basis, as of 7.31.17 the US Bal is $758.5K, which, while down a couple of thousand dollars from last month, is still a large draw on funds.  This is an issue that is only going to magnify as our events continue to be successful.  Chapter balances will continue to grow to a point where they exceed the amount of cash OWASP has on hand in its Bank accounts, which could happen as soon as Aug 2017.  Also, the EU Ch was up a couple of thousand dollars at $74.8K balance.  I also ran the Proj balances and they are now Combined at $114.4K vs the $95K at the end of June.&lt;br /&gt;
&lt;br /&gt;
POINTS of NOTE:&lt;br /&gt;
&lt;br /&gt;
About AppSec EU 2017, I am told there are a few minor stragglers for minor bills to fully close it out in Aug 17 but as of now please review the AppSec EU 2017 tab, as we were about $84K under in revenue and $27K Under in expense (if no more come in) which takes us to &amp;lt;$57K&amp;gt; in Net income, which is being offset by other events such as AppSec Cali.  As noted in previous months not sure that will continue, so Spending should still be monitored and we need to have AppSec US in Sept meet or exceed the budget of $585K Net income.&lt;br /&gt;
&lt;br /&gt;
There are a couple of points I want to highlight.  The first is about cash while we had almost $1.7 million in the bank and if we add in half of the Open AR of $172K the Balance would be $1.872 million and to be conservative the balance would be and there are between accounts payable, Credit Card chgs and VAT payable for the Italian event in 2016 over $460K, which takes cash down to about $1.24 Million.  So while not a true cash flow issue, yet, if you take out the Ch balance of $833K and the Proj balance of $115K it leaves us with just about $292K of liquid cash and couple that with half the open AR of $172K we have $464K of operational reserves.  I just want to keep this on EVERYONE’s radar as we move forward.  This leaves our Operating cash reserve at 2.6 months and add in half the open AR it takes us to just over 4 months, again this need to continue to be monitored closely.&lt;br /&gt;
&lt;br /&gt;
[Update to previous paragraph] &amp;quot; I am sending this to you as in taking another look at the numbers this morning, I noticed I had not factored in the $213K of OWASP EU payables into the Reserve calculation when I sent this last night.  '''This now takes the Oper reserve to less than one month, when the AP, Proj and Chapter balances are removed from the cash balance'''.  If we add back in half of the open AR balance ( this is a conservative estimate) then the reserve goes up to about 3 months.  So while we do not have a true cash issue, with $1.675 million in the bank at the end of July, the CH and Proj balances have now almost eclipsed the Oper funds, which has been a noted concern for a while now.  I have made the adjustment to the narrative below as well.  Again sorry for any confusion.  &amp;quot;&lt;br /&gt;
&lt;br /&gt;
With regard to Accounts Receivable the US balance is $275K and the EU balance is another $69K.  We have started and are seeing success in following up on the invoices we have created, however will need assistance as any invoices created prior to 6.30.17 do not seem to have contact info, specifically email addresses in Quickbooks so we are working on putting a list together.  Also in conversation with a Ch leader they are offering if we give them a list of open AR by Ch they will follow up as some of these invoices are funds earmarked for them.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
* July 2017 Balance Sheet https://drive.google.com/open?id=0B4xgbqJzimL4Ql93RVZVTGRzcVFqTXdrUnhSenMxNVJ0cU9J&lt;br /&gt;
* July 2017 Board Summary https://drive.google.com/open?id=0B4xgbqJzimL4UFpGUzhyVVotcS04RUZWMWNjWEJhU3BMemZV&lt;br /&gt;
* July 2017 Combined Financial Package https://drive.google.com/open?id=0B4xgbqJzimL4eEJqT0xKcFlha2RYWDlhYUt4a1h6WEh1YlUw&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
&lt;br /&gt;
[Martin] For Vote:&amp;lt;br&amp;gt;&lt;br /&gt;
1. Approve the OWASP Summit 2018 venue contract (see email Seba http://lists.owasp.org/pipermail/owasp-board/2017-September/018332.html)&amp;lt;br&amp;gt;&lt;br /&gt;
2. Recognize the OWASP Summit 2018 as a global event with equal staff support as for a Global AppSec conference&amp;lt;br&amp;gt;&lt;br /&gt;
3. Set aside 100.000 USD as seed fund for the OWASP Summit 2018 to cover travel for selected working-session organizers &lt;br /&gt;
&lt;br /&gt;
[Andrew] For discussion &lt;br /&gt;
# Chapter and project balances - We can't put off finance reform any longer, we need to make changes to the way projects and chapters are funded &lt;br /&gt;
# Operational reserves - How do we get back to six months of operational reserves &lt;br /&gt;
# Accounts receivable - need to work on getting aged receivables fixed &lt;br /&gt;
[Matt T] For Vote:&lt;br /&gt;
&lt;br /&gt;
Clarification/modification of change approved in the [[August 9, 2017|August 9th Board Meeting]] to handle minor payables &lt;br /&gt;
&lt;br /&gt;
Modification:  The original proposal removed the board approval from specific types of reimbursements and payables.  However, the intent of the change (streamlining payments) was blocked by the need for board members (Chairman or Treasurer) to &amp;quot;release&amp;quot; the funds from the US bank account.  The proposed modification would allow for the release of funds from the US bank for any of the specific reimbursement categories below.  As we are currently doing, the details of all payables will be sent to the board during the bi-monthly payment batches so the board is apprised of all payables regardless of the categories below.  &lt;br /&gt;
&lt;br /&gt;
Previous wording from the August meeting is below for reference.  Changes to the original text are underlined.&lt;br /&gt;
&lt;br /&gt;
'''''{previous proposal start}'''''&lt;br /&gt;
* Proposed: Adjust approval processes to meet operational needs as outlined below. [Matt Tesauro] Also supported by Matt Konda.&lt;br /&gt;
** Remove board approval &amp;lt;u&amp;gt;and funds release&amp;lt;/u&amp;gt; for any expense that meets any one of the criteria below&lt;br /&gt;
*** Reimbursement from chapter/project funds which have a sufficient balance capped at $10k&lt;br /&gt;
*** Routine expenses which already have budget allocated, e.g. mobile phone bill, capped at $10k&lt;br /&gt;
*** Expenses under $10k which O&amp;amp;A Committee have approved and are already budgeted&lt;br /&gt;
*** Payroll expenses that&lt;br /&gt;
**** Are the same as the past month’s salary (e.g. same as always) since&lt;br /&gt;
***** For salaried staff, payroll expense is fixed&lt;br /&gt;
***** For hourly staff, hours will be approved by Matt Tesauro&lt;br /&gt;
**** Treasurer will review all salary payments on at least a quarterly basis&lt;br /&gt;
*** Board must approve any changes to payroll outside the above conditions&lt;br /&gt;
Since the board has already voted for budgeted, normal expenses and we WANT the community to spend down any chapter/project funds, I don't see benefit in the board re-approving the actual spend on the categories above.&lt;br /&gt;
&lt;br /&gt;
'''Benefit''': Allow payables to be handled more efficiently and in a streamlined fashion for routine and already budgeted items so that the board is removed from day-to-day operational issues.&lt;br /&gt;
&lt;br /&gt;
'''''{previous proposal end}'''''&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
2018 AppSecEU and AppSecUSA Locations &lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/index.php/OWASP_Board_Votes Board Votes vs. YTD Actions] &lt;br /&gt;
 ADJOURNMENT&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=September_19,_2017&amp;diff=233483</id>
		<title>September 19, 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=September_19,_2017&amp;diff=233483"/>
				<updated>2017-09-19T17:57:15Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Added Finance Report&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Meeting Location: &lt;br /&gt;
&lt;br /&gt;
'''VIRTUAL'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''AGENDA'''&lt;br /&gt;
This is the VIRTUAL packet that is provided to everyone at the same time to review, make comments and be prepared for the meeting. There is no paper handout for the meeting.&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA (Open to anyone including members of the public)&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
- Approval of prior [https://docs.google.com/a/owasp.org/document/d/1jA8EuT496FWy2s2N1CHcDRTDEy3gaNJ9RRzYMQu1MHo/edit?usp=sharing Prior Meeting Minutes]&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
OWASP Foundation is managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors Operations Director] who provides a monthly roll-up report in collaboration with all staff members, contractors and efforts being managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors back office team.]  A link to the monthly operational report can be found here:  [http://owasp.blogspot.com/2017/01/owasp-operations-update-for-january-2017.html REPORT]&lt;br /&gt;
&lt;br /&gt;
Finance Report&lt;br /&gt;
&lt;br /&gt;
From Tom Pappas:&lt;br /&gt;
&lt;br /&gt;
&amp;quot;Attached please find the preliminary (due to Dev Summit 2017 not completely closed out yet) OWASP Combined (Converted to USD for all reports) financial pkg for July 2017 which represents financial performance through seven months of 2017.  I have used the approved version of the Budget for a comparison.  Matt T for the Board call I have attached a pdf of the Board summary and the Balance Sheet Summary which you can put up on the wiki, as the full fin pkg have quite a few tabs that are used for internal tracking only.&lt;br /&gt;
&lt;br /&gt;
Here is a summary of the Activity YTD. All amounts are combined with the EU and converted to USD in these reports:   &lt;br /&gt;
&lt;br /&gt;
'''Income Statement:''' &lt;br /&gt;
&lt;br /&gt;
'''Revenue:'''  On an accrual basis, total revenue YTD through Jul 2017 was $1.423.8 million as compared to a plan of $1,196 million.  The results are $227.7K ahead of plan as of 7.31.17, due primarily to AppSec Cali being over vs AppSec EU being under budget. &lt;br /&gt;
&lt;br /&gt;
'''Expenses:'''   Total spending YTD was over plan by $50.1K due to the overspending on Conference and Chapters, offset by underspending in Community outreach (Marketing), Professional services (No Wiki proj spending) and Grant expense.&lt;br /&gt;
&lt;br /&gt;
'''Net Income/Loss:'''  YTD on a combined Accrual basis we are at a loss of $252.9K vs a budgeted '''LOSS''' of $430.6K for a net gain to the budget of $177.6K.  I want to add some caution here as AppSec EU 2017 was about $57K under budget.  We also, more than ever need AppSec 2017 US to be a success (meet or exceed Bud of $585K net income or the total 2017 budgeted loss of $235K will be more, though it is not looking like we will achieve this) and we just agreed to $45K for the ED search so we need to continue to monitor revenue and spending VERY closely as we move throughout the rest of 2017.  &lt;br /&gt;
&lt;br /&gt;
'''Chapter Funds:''' On an accrual basis, as of 7.31.17 the US Bal is $758.5K, which, while down a couple of thousand dollars from last month, is still a large draw on funds.  This is an issue that is only going to magnify as our events continue to be successful.  Chapter balances will continue to grow to a point where they exceed the amount of cash OWASP has on hand in its Bank accounts, which could happen as soon as Aug 2017.  Also, the EU Ch was up a couple of thousand dollars at $74.8K balance.  I also ran the Proj balances and they are now Combined at $114.4K vs the $95K at the end of June.&lt;br /&gt;
&lt;br /&gt;
POINTS of NOTE:&lt;br /&gt;
&lt;br /&gt;
About AppSec EU 2017, I am told there are a few minor stragglers for minor bills to fully close it out in Aug 17 but as of now please review the AppSec EU 2017 tab, as we were about $84K under in revenue and $27K Under in expense (if no more come in) which takes us to &amp;lt;$57K&amp;gt; in Net income, which is being offset by other events such as AppSec Cali.  As noted in previous months not sure that will continue, so Spending should still be monitored and we need to have AppSec US in Sept meet or exceed the budget of $585K Net income.&lt;br /&gt;
&lt;br /&gt;
There are a couple of points I want to highlight.  The first is about cash while we had almost $1.7 million in the bank and if we add in half of the Open AR of $172K the Balance would be $1.872 million and to be conservative the balance would be and there are between accounts payable, Credit Card chgs and VAT payable for the Italian event in 2016 over $460K, which takes cash down to about $1.24 Million.  So while not a true cash flow issue, yet, if you take out the Ch balance of $833K and the Proj balance of $115K it leaves us with just about $292K of liquid cash and couple that with half the open AR of $172K we have $464K of operational reserves.  I just want to keep this on EVERYONE’s radar as we move forward.  This leaves our Operating cash reserve at 2.6 months and add in half the open AR it takes us to just over 4 months, again this need to continue to be monitored closely.&lt;br /&gt;
&lt;br /&gt;
With regard to Accounts Receivable the US balance is $275K and the EU balance is another $69K.  We have started and are seeing success in following up on the invoices we have created, however will need assistance as any invoices created prior to 6.30.17 do not seem to have contact info, specifically email addresses in Quickbooks so we are working on putting a list together.  Also in conversation with a Ch leader they are offering if we give them a list of open AR by Ch they will follow up as some of these invoices are funds earmarked for them.&amp;quot;&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
&lt;br /&gt;
[Tom B] For Vote:&amp;lt;br&amp;gt;&lt;br /&gt;
1. Approve the OWASP Summit 2018 venue contract (see email Seba http://lists.owasp.org/pipermail/owasp-board/2017-September/018332.html)&amp;lt;br&amp;gt;&lt;br /&gt;
2. Recognize the OWASP Summit 2018 as a global event with equal staff support as for a Global AppSec conference&amp;lt;br&amp;gt;&lt;br /&gt;
3. Set aside 100.000 USD as seed fund for the OWASP Summit 2018 to cover travel for selected working-session organizers &lt;br /&gt;
&lt;br /&gt;
[Matt T] For Vote:&lt;br /&gt;
&lt;br /&gt;
Clarification/modification of change approved in the [[August 9, 2017|August 9th Board Meeting]] to handle minor payables &lt;br /&gt;
&lt;br /&gt;
Modification:  The original proposal removed the board approval from specific types of reimbursements and payables.  However, the intent of the change (streamlining payments) was blocked by the need for board members (Chairman or Treasurer) to &amp;quot;release&amp;quot; the funds from the US bank account.  The proposed modification would allow for the release of funds from the US bank for any of the specific reimbursement categories below.  As we are currently doing, the details of all payables will be sent to the board during the bi-monthly payment batches so the board is apprised of all payables regardless of the categories below.  &lt;br /&gt;
&lt;br /&gt;
Previous wording from the August meeting is below for reference.  Changes to the original text are underlined.&lt;br /&gt;
&lt;br /&gt;
'''''{previous proposal start}'''''&lt;br /&gt;
* Proposed: Adjust approval processes to meet operational needs as outlined below. [Matt Tesauro] Also supported by Matt Konda.&lt;br /&gt;
** Remove board approval &amp;lt;u&amp;gt;and funds release&amp;lt;/u&amp;gt; for any expense that meets any one of the criteria below&lt;br /&gt;
*** Reimbursement from chapter/project funds which have a sufficient balance capped at $10k&lt;br /&gt;
*** Routine expenses which already have budget allocated, e.g. mobile phone bill, capped at $10k&lt;br /&gt;
*** Expenses under $10k which O&amp;amp;A Committee have approved and are already budgeted&lt;br /&gt;
*** Payroll expenses that&lt;br /&gt;
**** Are the same as the past month’s salary (e.g. same as always) since&lt;br /&gt;
***** For salaried staff, payroll expense is fixed&lt;br /&gt;
***** For hourly staff, hours will be approved by Matt Tesauro&lt;br /&gt;
**** Treasurer will review all salary payments on at least a quarterly basis&lt;br /&gt;
*** Board must approve any changes to payroll outside the above conditions&lt;br /&gt;
Since the board has already voted for budgeted, normal expenses and we WANT the community to spend down any chapter/project funds, I don't see benefit in the board re-approving the actual spend on the categories above.&lt;br /&gt;
&lt;br /&gt;
'''Benefit''': Allow payables to be handled more efficiently and in a stream-lined fashion for routine and already budgeted items so that the board is removed from day-to-day operational issues.&lt;br /&gt;
&lt;br /&gt;
'''''{previous proposal end}'''''&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
2018 AppSecEU and AppSecUSA Locations &lt;br /&gt;
&lt;br /&gt;
[https://www.owasp.org/index.php/OWASP_Board_Votes Board Votes vs. YTD Actions] &lt;br /&gt;
 ADJOURNMENT&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=August_9,_2017&amp;diff=232142</id>
		<title>August 9, 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=August_9,_2017&amp;diff=232142"/>
				<updated>2017-08-09T23:01:07Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Lots of items&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Meeting Location: &lt;br /&gt;
&lt;br /&gt;
'''VIRTUAL'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''AGENDA'''&lt;br /&gt;
This is the VIRTUAL packet that is provided to everyone at the same time to review, make comments and be prepared for the meeting. There is no paper handout for the meeting.&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
  Approval of prior [https://docs.google.com/a/owasp.org/document/d/1mx9mztwmfWRHISd4fELK2LHhzY0X0w1xdYt3OaReri4/edit?usp=sharing meeting minutes]&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
[https://drive.google.com/open?id=0Bzb3QwFMHCXrSUItdmktdE13VmZWbExSN3R5Nk5kc192RXFj June 2017 Board Financial Summary]&lt;br /&gt;
&lt;br /&gt;
[https://drive.google.com/open?id=0Bzb3QwFMHCXrU3VwZHVSTHJweW5VRDJ1R0p2T1lzYmxIOHVr June 2017 Summary Balance Sheet] &lt;br /&gt;
&lt;br /&gt;
OWASP Foundation is managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors Operations Director] who provides a monthly roll-up report in collaboration with all staff members, contractors and efforts being managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors back office team.]  A link to the monthly operational report can be found here:  [http://owasp.blogspot.com/2017/01/owasp-operations-update-for-january-2017.html REPORT]&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
* Board Vice Chairperson  - Are we moving forward with an official vote on a Board Vice Chairperson to replace Johanna Curiel - Dawn Aitken&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
* Proposed:  Adjust approval processes to meet operational needs as outlined below.  [Matt Tesauro]  Also supported by Matt Konda.&lt;br /&gt;
** Remove board approval for any expense that meets any one of the criteria below&lt;br /&gt;
*** Reimbursement from chapter/project funds which have a sufficient balance&lt;br /&gt;
*** Routine expenses which already have budget allocated, e.g. mobile phone bill&lt;br /&gt;
*** Expenses under $20k which O&amp;amp;A Committee have approved and are already budgeted&lt;br /&gt;
*** Payroll expenses that&lt;br /&gt;
**** Are the same as the past month’s salary (e.g. same as always) since&lt;br /&gt;
***** For salaried staff, payroll expense is fixed&lt;br /&gt;
***** For hourly staff, hours will be approved by Matt Tesauro&lt;br /&gt;
*** Board must approve any changes to payroll outside the above conditions&lt;br /&gt;
Since the board has already voted for budgeted, normal expenses and we WANT the community to spend down any chapter/project funds, I don't see benefit in the board re-approving the actual spend on the categories above.&lt;br /&gt;
&lt;br /&gt;
'''Benefit''': Allow payables to be handled more efficiently and in a stream-lined fashion for routine and already budgeted items so that the board is removed from day-to-day operational issues.&lt;br /&gt;
* Update on the status of the ED search&lt;br /&gt;
** Staff are getting questions about when the position will be posted - would like to provide those that ask an answer.  [Matt Tesauro] &lt;br /&gt;
** Update from Scion&lt;br /&gt;
&lt;br /&gt;
* Update on AppSecUSA&lt;br /&gt;
* Plan for replacing Operations Director (aka Kate) [Matt Tesauro]  &lt;br /&gt;
** What is the timeline/plans to hire a new Operations Director?  Staff are getting asked this by the community and would like to provide an answer when asked.&lt;br /&gt;
'''Status update of AppSec USA to the Board. (AJV asking)'''&lt;br /&gt;
&lt;br /&gt;
- Status update - where are we at - numbers, financially, sponsors, etc&lt;br /&gt;
&lt;br /&gt;
- Any blockers or pain points that need Board assistance?&lt;br /&gt;
&lt;br /&gt;
- Who is attending from the Staff? Has everyone been registered, made accommodation and flight bookings?&lt;br /&gt;
&lt;br /&gt;
- Who is attending from the Board? Have you registered, made accommodation and flight bookings?&lt;br /&gt;
&lt;br /&gt;
'''Move to Expensify for expense management (AJV)'''&lt;br /&gt;
&lt;br /&gt;
- We have an issue where the credit cards and other expenses are not fully trackable&lt;br /&gt;
&lt;br /&gt;
- Ad hoc payments represent just over 10% of all spending, but are not fully tracked&lt;br /&gt;
&lt;br /&gt;
- I'd like to put in Expensify to manage expenses&lt;br /&gt;
&lt;br /&gt;
'''Let's discuss Face to Face board motions (AJV)'''&lt;br /&gt;
&lt;br /&gt;
Let's talk about motions to discuss / enact before the four retiring members leave the Board&lt;br /&gt;
&lt;br /&gt;
Let's prioritize working groups to get motions drafted and hopefully voted on in September&lt;br /&gt;
&lt;br /&gt;
'''Budget time (AJV)'''&lt;br /&gt;
&lt;br /&gt;
It's time to start drafting the budget for FY18. &lt;br /&gt;
&lt;br /&gt;
Let's divide this into BAU (Staff), Strategic (Board), ad hoc requests (chapters/projects/members) with different deadlines&lt;br /&gt;
&lt;br /&gt;
We'll know a total budget amount in December once AppSec USA bills have been paid &lt;br /&gt;
&lt;br /&gt;
Need to think about strategic goals with incoming board&lt;br /&gt;
&lt;br /&gt;
Need to fix the chapter split (Tom Pappas / AJV)&lt;br /&gt;
&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 ADJOURNMENT&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=August_9,_2017&amp;diff=232141</id>
		<title>August 9, 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=August_9,_2017&amp;diff=232141"/>
				<updated>2017-08-09T22:55:54Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Added in status update for AppSec USA&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Meeting Location: &lt;br /&gt;
&lt;br /&gt;
'''VIRTUAL'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''AGENDA'''&lt;br /&gt;
This is the VIRTUAL packet that is provided to everyone at the same time to review, make comments and be prepared for the meeting. There is no paper handout for the meeting.&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
  Approval of prior [https://docs.google.com/a/owasp.org/document/d/1mx9mztwmfWRHISd4fELK2LHhzY0X0w1xdYt3OaReri4/edit?usp=sharing meeting minutes]&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
[https://drive.google.com/open?id=0Bzb3QwFMHCXrSUItdmktdE13VmZWbExSN3R5Nk5kc192RXFj June 2017 Board Financial Summary]&lt;br /&gt;
&lt;br /&gt;
[https://drive.google.com/open?id=0Bzb3QwFMHCXrU3VwZHVSTHJweW5VRDJ1R0p2T1lzYmxIOHVr June 2017 Summary Balance Sheet] &lt;br /&gt;
&lt;br /&gt;
OWASP Foundation is managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors Operations Director] who provides a monthly roll-up report in collaboration with all staff members, contractors and efforts being managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors back office team.]  A link to the monthly operational report can be found here:  [http://owasp.blogspot.com/2017/01/owasp-operations-update-for-january-2017.html REPORT]&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
* Board Vice Chairperson  - Are we moving forward with an official vote on a Board Vice Chairperson to replace Johanna Curiel - Dawn Aitken&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
* Proposed:  Adjust approval processes to meet operational needs as outlined below.  [Matt Tesauro]  Also supported by Matt Konda.&lt;br /&gt;
** Remove board approval for any expense that meets any one of the criteria below&lt;br /&gt;
*** Reimbursement from chapter/project funds which have a sufficient balance&lt;br /&gt;
*** Routine expenses which already have budget allocated, e.g. mobile phone bill&lt;br /&gt;
*** Expenses under $20k which O&amp;amp;A Committee have approved and are already budgeted&lt;br /&gt;
*** Payroll expenses that&lt;br /&gt;
**** Are the same as the past month’s salary (e.g. same as always) since&lt;br /&gt;
***** For salaried staff, payroll expense is fixed&lt;br /&gt;
***** For hourly staff, hours will be approved by Matt Tesauro&lt;br /&gt;
*** Board must approve any changes to payroll outside the above conditions&lt;br /&gt;
Since the board has already voted for budgeted, normal expenses and we WANT the community to spend down any chapter/project funds, I don't see benefit in the board re-approving the actual spend on the categories above.&lt;br /&gt;
&lt;br /&gt;
'''Benefit''': Allow payables to be handled more efficiently and in a stream-lined fashion for routine and already budgeted items so that the board is removed from day-to-day operational issues.&lt;br /&gt;
* Update on the status of the ED search&lt;br /&gt;
** Staff are getting questions about when the position will be posted - would like to provide those that ask an answer.  [Matt Tesauro] &lt;br /&gt;
** Update from Scion&lt;br /&gt;
&lt;br /&gt;
* Update on AppSecUSA&lt;br /&gt;
* Plan for replacing Operations Director (aka Kate) [Matt Tesauro]  &lt;br /&gt;
** What is the timeline/plans to hire a new Operations Director?  Staff are getting asked this by the community and would like to provide an answer when asked.&lt;br /&gt;
Status update of AppSec USA to the Board. (AJV asking)&lt;br /&gt;
&lt;br /&gt;
- Status update - where are we at - numbers, financially, sponsors, etc&lt;br /&gt;
&lt;br /&gt;
- Any blockers or pain points that need Board assistance?&lt;br /&gt;
&lt;br /&gt;
- Who is attending from the Staff? Has everyone been registered, made accommodation and flight bookings?&lt;br /&gt;
&lt;br /&gt;
- Who is attending from the Board? Have you registered, made accommodation and flight bookings?&lt;br /&gt;
&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 ADJOURNMENT&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=GPC_Project_Details/OWASP_Top10&amp;diff=231127</id>
		<title>GPC Project Details/OWASP Top10</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=GPC_Project_Details/OWASP_Top10&amp;diff=231127"/>
				<updated>2017-06-30T18:04:03Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Update leadership&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Category:OWASP Project|Top Ten Project]]&lt;br /&gt;
[[Category:OWASP Document]]&lt;br /&gt;
[[Category:OWASP Download]]&lt;br /&gt;
[[Category:OWASP Release Quality Document]]&lt;br /&gt;
{{Template:&amp;lt;includeonly&amp;gt;{{{1}}}&amp;lt;/includeonly&amp;gt;&amp;lt;noinclude&amp;gt;OWASP Project Identification Tab&amp;lt;/noinclude&amp;gt;&lt;br /&gt;
| project_name = OWASP Top Ten Project&lt;br /&gt;
| project_description = The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.&lt;br /&gt;
| project_license = [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution Share Alike 3.0]&lt;br /&gt;
| leader_name =  Andrew van der Stock&lt;br /&gt;
| leader_email =   vanderaj@owasp.org&lt;br /&gt;
| leader_username = vanderaj&lt;br /&gt;
| leader_name =  Neil Smithline&lt;br /&gt;
| leader_email =   neil.smithline@owasp.org&lt;br /&gt;
| leader_username = Neil_Smithline&lt;br /&gt;
| leader_name =  Torsten Gigler&lt;br /&gt;
| leader_email =   torsten.gigler@owasp.org&lt;br /&gt;
| leader_username = T.Gigler&lt;br /&gt;
| past_leaders_special_contributions = Dave Wichers, Jeff Williams &lt;br /&gt;
| maintainer_name = Andrew van der Stock&lt;br /&gt;
| maintainer_email = vanderaj@owasp.org&lt;br /&gt;
| maintainer_username =  vanderaj&lt;br /&gt;
| maintainer_name = Neil Smithline&lt;br /&gt;
| maintainer_email = neil.smithline@owasp.org&lt;br /&gt;
| maintainer_username =  Neil_Smithline&lt;br /&gt;
| maintainer_name = Torsten Gigler&lt;br /&gt;
| maintainer_email = torsten.gigler@owasp.org&lt;br /&gt;
| maintainer_username =  T.Gigler&lt;br /&gt;
| contributor_name1 = Jeff Williams&lt;br /&gt;
| contributor_email1 = jeff.williams@owasp.org&lt;br /&gt;
| contributor_username1 = Jeff Williams&lt;br /&gt;
| contributor_name2 = Brian Glas&lt;br /&gt;
| contributor_email2 = brian.glas@owasp.org&lt;br /&gt;
| contributor_username2 = Brianglas&lt;br /&gt;
| contributor_name3 = &lt;br /&gt;
| contributor_email3 = &lt;br /&gt;
| contributor_username3 = &lt;br /&gt;
| contributor_name4 = &lt;br /&gt;
| contributor_email4 = &lt;br /&gt;
| contributor_username4 = &lt;br /&gt;
| contributor_name5 = &lt;br /&gt;
| contributor_email5 = &lt;br /&gt;
| contributor_username5 = &lt;br /&gt;
| contributor_name6 = &lt;br /&gt;
| contributor_email6 = &lt;br /&gt;
| contributor_username6 = &lt;br /&gt;
| contributor_name7 = &lt;br /&gt;
| contributor_email7 = &lt;br /&gt;
| contributor_username7 = &lt;br /&gt;
| contributor_name8 = &lt;br /&gt;
| contributor_email8 = &lt;br /&gt;
| contributor_username8 = &lt;br /&gt;
| contributor_name9 = &lt;br /&gt;
| contributor_email9 = &lt;br /&gt;
| contributor_username9 = &lt;br /&gt;
| contributor_name10 = &lt;br /&gt;
| contributor_email10 = &lt;br /&gt;
| contributor_username10 =  &lt;br /&gt;
| pamphlet_link = &lt;br /&gt;
| presentation_link = &lt;br /&gt;
| mailing_list_name = Owasp-topten&lt;br /&gt;
| links_url1 = http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf&lt;br /&gt;
| links_name1 = OWASP Top 10 - 2013&lt;br /&gt;
| links_url2 = https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf&lt;br /&gt;
| links_name2 = OWASP Top 10 - 2013 Release Candidate&lt;br /&gt;
| links_url3 = http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf&lt;br /&gt;
| links_name3 = OWASP Top 10 - 2010&lt;br /&gt;
| links_url4 = http://owasptop10.googlecode.com/files/OWASP_Top_10_-_2010%20Presentation.pptx&lt;br /&gt;
| links_name4 = OWASP Top 10 - 2010 presentation&lt;br /&gt;
| links_url5 = http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf&lt;br /&gt;
| links_name5 = OWASP Top 10 - 2010 Release Candidate&lt;br /&gt;
| links_url6 = http://www.owasp.org/index.php/Top_10_2007 &lt;br /&gt;
| links_name6 = OWASP Top 10 - 2007 Release - Wiki Version&lt;br /&gt;
| links_url7 =  http://www.owasp.org/index.php/Top_10_2004&lt;br /&gt;
| links_name7 = OWASP Top 10 - 2004 Release - Wiki Version&lt;br /&gt;
| project_road_map = &lt;br /&gt;
| project_health_status = &lt;br /&gt;
| current_release_name = OWASP Top 10 - 2013&lt;br /&gt;
| current_release_date = June 2013&lt;br /&gt;
| current_release_download_link = http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf&lt;br /&gt;
| current_release_rating = 3&lt;br /&gt;
| current_release_leader_name = Wichers&lt;br /&gt;
| current_release_leader_email = dave.wichers@owasp.org&lt;br /&gt;
| current_release_leader_username = Wichers&lt;br /&gt;
| current_release_details = :Category:OWASP Top Ten Project - 2010 Release&lt;br /&gt;
| last_reviewed_release_name = OWASP Top 10 - 2013&lt;br /&gt;
| last_reviewed_release_date = June 2013&lt;br /&gt;
| last_reviewed_release_download_link = http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf&lt;br /&gt;
| last_reviewed_release_rating = 3&lt;br /&gt;
| last_reviewed_release_leader_name = Andrew van der Stock&lt;br /&gt;
| last_reviewed_release_leader_email = vanderaj@owasp.org&lt;br /&gt;
| last_reviewed_release_leader_username = vanderaj&lt;br /&gt;
| last_reviewed_release_details = &lt;br /&gt;
| old_release_name1 = OWASP Top 10 2010&lt;br /&gt;
| old_release_date1 = 2010&lt;br /&gt;
| old_release_download_link1 = http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf&lt;br /&gt;
| old_release_name2 = OWASP Top 10 2007&lt;br /&gt;
| old_release_date2 = 2007&lt;br /&gt;
| old_release_download_link2 = http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf&lt;br /&gt;
| old_release_name3 = OWASP Top 10 2004&lt;br /&gt;
| old_release_date3 = 2004&lt;br /&gt;
| old_release_download_link3 = http://www.owasp.org/index.php/Top_10_2004&lt;br /&gt;
| old_release_name4 = OWASP Top 10 2003&lt;br /&gt;
| old_release_date4 = 2003&lt;br /&gt;
| old_release_download_link4 = &lt;br /&gt;
| old_release_name5 = &lt;br /&gt;
| old_release_date5 = &lt;br /&gt;
| old_release_download_link5 = &lt;br /&gt;
| last_GPC_update = 29/11/2009 &lt;br /&gt;
| GPC_Notes = Project leader indicates it has been reviewed.&lt;br /&gt;
| project_home_page=Category:OWASP_Top_Ten_Project &lt;br /&gt;
| project_details_wiki_page=GPC_Project_Details/OWASP_Top10&lt;br /&gt;
}}&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&amp;diff=231126</id>
		<title>Category:OWASP Top Ten Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&amp;diff=231126"/>
				<updated>2017-06-30T17:55:49Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Updated project leadership&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP Top 10 - 2017 Release Candidate ==&lt;br /&gt;
&lt;br /&gt;
The release candidate for public comment was published 10 April 2017 and can be [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf downloaded here]. OWASP plans to release the final OWASP Top 10 - 2017 in July or August 2017 after a public comment period ending June 30, 2017.&lt;br /&gt;
&lt;br /&gt;
Constructive comments on this [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 - 2017 Release Candidate] should be forwarded via email to the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP Top 10 Project Email List]. Private comments may be sent to [mailto:vanderaj@owasp.org Andrew van der Stock]. Anonymous comments are welcome. All non-private comments will be catalogued and published at the same time as the final public release. Comments recommending changes to the Top 10 should include a complete suggested list of changes, along with a rationale for each change. All comments should indicate the specific relevant page and section.&lt;br /&gt;
&lt;br /&gt;
==OWASP Top 10 Most Critical Web Application Security Risks==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.&lt;br /&gt;
&lt;br /&gt;
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.&lt;br /&gt;
&lt;br /&gt;
==Translation Efforts==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 has been translated to many different languages by numerous volunteers. These translations are available as follows:&lt;br /&gt;
&lt;br /&gt;
* [[Top10#OWASP_Top_10_for_2013 | All versions of the OWASP Top 10 - 2013]]&lt;br /&gt;
* [[Top10#OWASP_Top_10_for_2010 | All versions of the OWASP Top 10 - 2010]]&lt;br /&gt;
* [[Top10#Translation_Efforts | Information about the various translation teams]]&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
The OWASP Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, distribute the resulting work only under the same or a similar license to this one.&lt;br /&gt;
&lt;br /&gt;
{{Social Media Links}}&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is the OWASP Top 10? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 provides:&lt;br /&gt;
&lt;br /&gt;
* '''A list of the 10 Most Critical Web Application Security Risks'''&lt;br /&gt;
&lt;br /&gt;
For each Risk it provides:&lt;br /&gt;
* A description&lt;br /&gt;
* Example vulnerabilities&lt;br /&gt;
* Example attacks&lt;br /&gt;
* Guidance on how to avoid&lt;br /&gt;
* References to OWASP and other related resources&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
* [[User:vanderaj | Andrew van der Stock]]&lt;br /&gt;
* [[User:Neil_Smithline | Neil Smithline]]&lt;br /&gt;
* [[User:T.Gigler | Torsten Gigler]]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks | OWASP Mobile Top 10 Risks]]&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Top_Ten_Cheat_Sheet | OWASP Top 10 Cheat Sheet]]&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Proactive_Controls | Top 10 Proactive Controls]]&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]&lt;br /&gt;
&lt;br /&gt;
== Ohloh ==&lt;br /&gt;
&lt;br /&gt;
*https://www.ohloh.net/p/OWASP-Top-10&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
* [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 2017 Release Candidate - PDF]&lt;br /&gt;
* [[Media:OWASP_Top_10_-_2013.pdf | OWASP Top 10 2013 - PDF]]&lt;br /&gt;
* [[Top_10_2013 | OWASP Top 10 2013 - wiki]]&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Covering Each Item in the Top 10 (PPTX)].&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
[https://lists.owasp.org/mailman/listinfo/Owasp-topten Project Email List]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
* [10 Apr 2017] OWASP Top 10 - 2017 Release Candidate Published&lt;br /&gt;
* [17 Dec 2016] OWASP Top 10 - 2017 Data Call Data Published&lt;br /&gt;
* [20 May 2016] OWASP Top 10 - 2017 Data Call Announced&lt;br /&gt;
* [12 Jun 2013] OWASP Top 10 - 2013 Final Released&lt;br /&gt;
* [Feb 2013] OWASP Top 10 - 2013 - Release Candidate Published&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2017 Release Candidate =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The release candidate for public comment was published 10 April 2017 and can be [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf downloaded here]. OWASP plans to release the final OWASP Top 10 - 2017 in July or August 2017 after a public comment period ending June 30, 2017.&lt;br /&gt;
&lt;br /&gt;
Constructive comments on this [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 - 2017 Release Candidate] should be forwarded via email to the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP Top 10 Project Email List]. Private comments may be sent to [mailto:vanderaj@owasp.org Andrew van der Stock]. Anonymous comments are welcome. All non-private comments will be catalogued and published at the same time as the final public release. Comments recommending changes to the Top 10 should include a complete suggested list of changes, along with a rationale for each change. All comments should indicate the specific relevant page and section.&lt;br /&gt;
&lt;br /&gt;
This release of the OWASP Top 10 marks this project’s fourteenth year of raising awareness of the importance of application security risks. This release follows the 2013 update, whose main change was the addition of 2013-A9 Use of Known Vulnerable Components. We are pleased to see that since the 2013 Top 10 release, a whole ecosystem of both free and commercial tools has emerged to help combat this problem as the use of open source components has continued to rapidly expand across practically every programming language. The data also suggests the use of known vulnerable components is still prevalent, but not as widespread as before. We believe the awareness of this issue that the Top 10 - 2013 generated has contributed to both of these changes.&lt;br /&gt;
&lt;br /&gt;
We also noticed that since CSRF was introduced to the Top 10 in 2007, it has dropped from a widespread vulnerability to an uncommon one. Many frameworks now include automatic CSRF defenses, which has significantly contributed to its decline in prevalence, along with much higher awareness among developers that they must protect against such attacks.&lt;br /&gt;
&lt;br /&gt;
For 2017, the OWASP Top 10 Most Critical Web Application Security Risks (in the Release Candidate) are:&lt;br /&gt;
&lt;br /&gt;
* A1 Injection&lt;br /&gt;
* A2 Broken Authentication and Session Management&lt;br /&gt;
* A3 Cross-Site Scripting (XSS)&lt;br /&gt;
* A4 Broken Access Control (As it was in 2004)&lt;br /&gt;
* A5 Security Misconfiguration&lt;br /&gt;
* A6 Sensitive Data Exposure&lt;br /&gt;
* A7 Insufficient Attack Protection (NEW)&lt;br /&gt;
* A8 Cross-Site Request Forgery (CSRF)&lt;br /&gt;
* A9 Using Components with Known Vulnerabilities&lt;br /&gt;
* A10 Underprotected APIs (NEW)&lt;br /&gt;
&lt;br /&gt;
== 2017 Update Data Call Data ==&lt;br /&gt;
&lt;br /&gt;
DATA CALL RESULTS ARE NOW PUBLIC: The [https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx?raw=true results of this data call have been made public here] as an Excel spreadsheet with 4 tabs. Three of the tabs have raw data as submitted, organized into three vulnerability data size categories: large, small, and none. A 4th tab includes some basic analysis of the large size submissions. The OWASP Top 10 project thanks all the submitters for their input to the OWASP Top 10 - 2017.&lt;br /&gt;
&lt;br /&gt;
On May 20, 2016, the Top 10 project made a public announcement of the data call for the 2017 update to the OWASP Top 10. Contributors filled out the Google form posted here:  [https://docs.google.com/forms/d/1sBMHN5nBicjr5xSo04xkdP5JlCnXFcKFCgEHjwPGuLw/viewform?c=0&amp;amp;w=1&amp;amp;usp=mail_form_link OWASP Top 10 - 2017 Data Call], which had the questions listed below.&lt;br /&gt;
&lt;br /&gt;
Page 1 of 5: Submitter Info&lt;br /&gt;
&lt;br /&gt;
* Name of Company/Organization *&lt;br /&gt;
* Company/Organization Web Site *&lt;br /&gt;
* Point of Contact Name *&lt;br /&gt;
* Point of Contact E-Mail *&lt;br /&gt;
&lt;br /&gt;
Page 2 of 5: Background on Applications&lt;br /&gt;
&lt;br /&gt;
* During what year(s) was this data collected? *&lt;br /&gt;
** 2014&lt;br /&gt;
** 2015&lt;br /&gt;
** Both 2014 &amp;amp; 2015&lt;br /&gt;
*** If the application vulnerability data you are submitting was extracted from a publicly available report, please provide a link to that report (or reports), and the relevant page number(s)&lt;br /&gt;
&lt;br /&gt;
* How many web applications do the submitted results cover? * We consider web apps, web services, and the server side of mobile apps to all be web apps.&lt;br /&gt;
&lt;br /&gt;
* What were the primary programming languages the applications you reviewed were written in? Primary being 5% or more of the supplied results - Check all that apply&lt;br /&gt;
** Java&lt;br /&gt;
** .NET&lt;br /&gt;
** Python&lt;br /&gt;
** PHP&lt;br /&gt;
** Ruby&lt;br /&gt;
** Grails&lt;br /&gt;
** Play&lt;br /&gt;
** Node.js&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
* Please supply the exact percentage of applications per language checked off above:&lt;br /&gt;
&lt;br /&gt;
* What were the primary industries these applications supported? Primary being 5% or more of the supplied results - Check all that apply&lt;br /&gt;
** Financial&lt;br /&gt;
** Healthcare&lt;br /&gt;
** eCommerce&lt;br /&gt;
** Internet/Social Media&lt;br /&gt;
** Airline&lt;br /&gt;
** Energy&lt;br /&gt;
** Entertainment (Games/Music/Movies)&lt;br /&gt;
** Government&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
* Where in the world were the application owners primarily? Again - select those where 5% or more of your results came from&lt;br /&gt;
** North America&lt;br /&gt;
** Europe&lt;br /&gt;
** AsiaPac&lt;br /&gt;
** South America&lt;br /&gt;
** Middle East&lt;br /&gt;
** Africa&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
Page 3 of 5: Assessment Team and Detection Approach&lt;br /&gt;
&lt;br /&gt;
* What type of team did the bulk of this work? *&lt;br /&gt;
** Internal Assessment Team(s)&lt;br /&gt;
** Consulting Organization&lt;br /&gt;
** Product Vendor/Service Provider (e.g., SaaS)&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
* What type of analysis tools do they use? * Check all that apply.&lt;br /&gt;
** Free/Open Source Static Application Security Testing (SAST) Tools&lt;br /&gt;
** Free/Open Source Dynamic Application Security Testing (DAST) Tools&lt;br /&gt;
** Free/Open Source Interactive Application Security Testing (IAST) Tools&lt;br /&gt;
** Commercial Static Application Security Testing (SAST) Tools&lt;br /&gt;
** Commercial Dynamic Application Security Testing (DAST) Tools&lt;br /&gt;
** Commercial Interactive Application Security Testing (IAST) Tools&lt;br /&gt;
** Commercial DAST/IAST Hybrid Analysis Tools&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
* Which analysis tools do you frequently use? This includes free, commercial, and custom (in-house) tools - List tools by name&lt;br /&gt;
&lt;br /&gt;
* What is your primary assessment methodology? * Primary being the majority of your assessments follow this approach&lt;br /&gt;
** Raw (untriaged) output of automated analysis tool results using default rules&lt;br /&gt;
** Automated analysis tool results - with manual false positive analysis/elimination&lt;br /&gt;
** Output from manually tailored automated analysis tool(s)&lt;br /&gt;
** Output from manually tailored automated analysis tool(s) - with manual false positive analysis/elimination&lt;br /&gt;
** Manual expert penetration testing (Expected to be tool assisted w/ free DAST tool(s))&lt;br /&gt;
** Manual expert penetration testing with commercial DAST tool(s)&lt;br /&gt;
** Manual expert code review (Using IDE and other free code review aids)&lt;br /&gt;
** Manual expert code review with commercial SAST tool(s)&lt;br /&gt;
** Combined manual expert code review and penetration testing with only free tools&lt;br /&gt;
** Combined manual expert code review and penetration testing with only commercial tools&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
Page 4 of 5: Application Vulnerability Data&lt;br /&gt;
&lt;br /&gt;
Each question asks for the number of vulnerabilities found of a particular type. At the end is one catch-all text question where you can add other types of vulnerabilities and their counts. If you prefer, just send your vulnerability data in a spreadsheet to brian.glas@owasp.org with these columns: CATEGORY NAME, CWE #, COUNT, after you submit the rest of your input via this data call. Ideally it would come from the email address you specified in the Point of Contact E-Mail question on Page 1 so it's easy to correlate the two.&lt;br /&gt;
&lt;br /&gt;
* Number of SQL Injection Vulnerabilities Found (CWE-89)?&lt;br /&gt;
* Number of Hibernate Injection Vulnerabilities Found (CWE-564)?&lt;br /&gt;
* Number of Command Injection Vulnerabilities Found (CWE-77)?&lt;br /&gt;
* Number of Authentication Vulnerabilities Found (CWE-287)?&lt;br /&gt;
* Number of Session Fixation Vulnerabilities Found (CWE-384)?&lt;br /&gt;
* Number of Cross-Site Scripting (XSS) Vulnerabilities Found (CWE-79)?&lt;br /&gt;
* Number of DOM-Based XSS Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of Insecure Direct Object Reference Vulnerabilities Found (CWE-639)?&lt;br /&gt;
* Number of Path Traversal Vulnerabilities Found (CWE-22)?&lt;br /&gt;
* Number of Missing Authorization Vulnerabilities Found (CWE-285)?&lt;br /&gt;
* Number of Security Misconfiguration Vulnerabilities Found (CWE-2)?&lt;br /&gt;
* Number of Cleartext Transmission of Sensitive Information Vulnerabilities Found (CWE-319)?&lt;br /&gt;
* Number of Cleartext Storage of Sensitive Information Vulnerabilities Found (CWE-312)?&lt;br /&gt;
* Number of Weak Encryption Vulnerabilities Found (CWE-326)?&lt;br /&gt;
* Number of Cryptographic Vulnerabilities Found (CWEs-310/326/327/etc)?&lt;br /&gt;
** You can report them all lumped together in 310 or in their individual categories. However you want.&lt;br /&gt;
* Number of Improper (Function Level) Access Control Vulnerabilities Found (CWE-285)?&lt;br /&gt;
* Number of Cross-Site Request Forgery (CSRF) Vulnerabilities Found (CWE-352)?&lt;br /&gt;
* Number of Use of Known Libraries Found (No CWE)?&lt;br /&gt;
* Number of Unchecked Redirect Vulnerabilities Found (CWE-601)?&lt;br /&gt;
* Number of Unvalidated Forward Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of Clickjacking Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of XML eXternal Entity Injection (XXE) Vulnerabilities Found (CWE-611)?&lt;br /&gt;
* Number of Server-Side Request Forgery (SSRF) Vulnerabilities Found (CWE-918)?&lt;br /&gt;
* Number of Denial of Service (DOS) Vulnerabilities Found (CWE-400)?&lt;br /&gt;
* Number of Expression Language Injection Vulnerabilities Found (CWE-917)?&lt;br /&gt;
* Number of Error Handling Vulnerabilities Found (CWE-388)?&lt;br /&gt;
* Number of Information Leakage/Disclosure Vulnerabilities Found (CWE-200)?&lt;br /&gt;
* Number of Insufficient Anti-automation Vulnerabilities Found (CWE-799)?&lt;br /&gt;
* Number of Insufficient Security Logging Vulnerabilities Found (CWE-778)?&lt;br /&gt;
* Number of Insufficient Intrusion Detection and Response Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of Mass Assignment Vulnerabilities Found (CWE-915)?&lt;br /&gt;
* What other vulnerabilities did you find?&lt;br /&gt;
** Please provide in this format: CATEGORY NAME, CWE #, COUNT (one line per category). Say &amp;quot;No CWE&amp;quot; if there isn't a CWE # for that category. If you plan to send all your vulnerability data in via an email, please state so here so we know to expect it.&lt;br /&gt;
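As an added example (not part of this page or the Top 10 project's own tooling), here is a small Python parser and aggregator for submissions in the CATEGORY NAME, CWE #, COUNT format described above; the two sample submissions, including the CWE-502 row, are constructed, and the set of form CWEs is taken from the question list on this page.&lt;br /&gt;

```python
"""Parse and aggregate vulnerability-count submissions in the
"CATEGORY NAME, CWE #, COUNT" format of the 2017 data call.

Added example, not part of the OWASP page or the Top 10 project's
tooling. The sample submissions below are constructed for illustration.
"""
import re
from collections import defaultdict

# CWE identifiers the data-call form asks about explicitly (taken from the
# question list on the page). Anything else is reported as "unlisted".
FORM_CWES = {
    89, 564, 77, 287, 384, 79, 639, 22, 285, 2, 319, 312, 326, 310, 327,
    352, 601, 611, 918, 400, 917, 388, 200, 799, 778, 915,
}

# Accepts "CWE-89", "cwe 89" or a bare "89".
_CWE_RE = re.compile(r"^(?:CWE[-\s]?)?(\d+)$", re.IGNORECASE)


def normalize_cwe(token):
    """Map "CWE-89" / "cwe 89" / "89" to 89 and "No CWE" to None.

    Anything else raises ValueError, so a typo such as "CW-564" is
    surfaced instead of silently becoming its own bucket.
    """
    token = token.strip()
    if token.lower() == "no cwe":
        return None
    m = _CWE_RE.match(token)
    if m is None:
        raise ValueError("unrecognised CWE token: %r" % token)
    return int(m.group(1))


def parse_submission(text):
    """Parse one submitter's text into a list of (category, cwe, count).

    Blank lines are skipped. A category name may itself contain commas,
    so each line is split from the right: the last two fields are the
    CWE and the COUNT, everything before them is the category name.
    """
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.rsplit(",", 2)]
        if len(parts) != 3:
            raise ValueError("line %d: expected CATEGORY NAME, CWE #, COUNT" % lineno)
        name, cwe_token, count_token = parts
        cwe = normalize_cwe(cwe_token)
        if not count_token.isdigit():
            raise ValueError("line %d: COUNT must be a non-negative integer" % lineno)
        rows.append((name, cwe, int(count_token)))
    return rows


def aggregate(submissions):
    """Sum counts per CWE across several submitters.

    Returns (totals, names_by_cwe, unlisted). totals maps a CWE number
    (None for "No CWE") to the summed count. names_by_cwe lists the
    category names reported under each CWE, which exposes cases such as
    CWE-285 being used for two different questions on the form. unlisted
    is the set of CWEs reported that the form did not ask about.
    """
    totals = defaultdict(int)
    names_by_cwe = defaultdict(set)
    for sub in submissions:
        for name, cwe, count in parse_submission(sub):
            totals[cwe] += count
            names_by_cwe[cwe].add(name)
    unlisted = {c for c in totals if c is not None and c not in FORM_CWES}
    return dict(totals), {k: sorted(v) for k, v in names_by_cwe.items()}, unlisted


# Constructed sample input: two submitters using different CWE spellings.
SAMPLE_SUBMISSIONS = [
    "SQL Injection, CWE-89, 120\n"
    "Cross-Site Scripting (XSS), CWE-79, 340\n"
    "Missing Authorization, CWE-285, 45\n"
    "Clickjacking, No CWE, 12\n",
    "SQL Injection, 89, 30\n"
    "Improper (Function Level) Access Control, cwe 285, 15\n"
    "XML External Entity (XXE), CWE-611, 7\n"
    "Deserialization of Untrusted Data, CWE-502, 9\n",
]


def run_sample():
    """Aggregate the constructed submissions; used by the demo below."""
    return aggregate(SAMPLE_SUBMISSIONS)


if __name__ == "__main__":
    totals, names, unlisted = run_sample()
    for cwe in sorted(totals, key=lambda c: (c is None, c or 0)):
        label = "No CWE" if cwe is None else "CWE-%d" % cwe
        print("%-8s %5d  %s" % (label, totals[cwe], "; ".join(names[cwe])))
    print("reported but not on the form:", sorted(unlisted))
```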
&lt;br /&gt;
Page 5 of 5: Suggestions for the next OWASP Top 10&lt;br /&gt;
&lt;br /&gt;
What do you think we should change?&lt;br /&gt;
&lt;br /&gt;
* Vulnerability types you think should be added to the T10? Because they are an unappreciated risk, widespread, becoming more prevalent, a new type of vulnerability, etc.&lt;br /&gt;
* Vulnerability types you think should be removed from the T10?&lt;br /&gt;
* Suggested changes to the Top 10 Document/Wiki?&lt;br /&gt;
* Suggestions on how to improve this call for data?&lt;br /&gt;
&lt;br /&gt;
== Project Sponsors ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2013 =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.&lt;br /&gt;
&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].&lt;br /&gt;
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]&lt;br /&gt;
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)].&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].&lt;br /&gt;
* [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German (PDF)]] &lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf (PDF)]&lt;br /&gt;
* [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian (PDF)]&lt;br /&gt;
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean (PDF)].&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)]&lt;br /&gt;
* [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian (PDF)]&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].&lt;br /&gt;
&lt;br /&gt;
For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are:&lt;br /&gt;
&lt;br /&gt;
* [[Top_10_2013-A1-Injection | A1 Injection]]&lt;br /&gt;
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]&lt;br /&gt;
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]&lt;br /&gt;
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]&lt;br /&gt;
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]&lt;br /&gt;
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]&lt;br /&gt;
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]&lt;br /&gt;
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]&lt;br /&gt;
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]&lt;br /&gt;
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]&lt;br /&gt;
&lt;br /&gt;
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]&lt;br /&gt;
&lt;br /&gt;
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! &lt;br /&gt;
&lt;br /&gt;
As you help us spread the word, please emphasize: &lt;br /&gt;
&lt;br /&gt;
*OWASP is reaching out to developers, not just the application security community &lt;br /&gt;
*The Top 10 is about managing risk, not just avoiding vulnerabilities &lt;br /&gt;
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation&lt;br /&gt;
&lt;br /&gt;
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.&lt;br /&gt;
&lt;br /&gt;
== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2007 and 2010 versions were translated into English, French, Spanish, Japanese, Korean, Turkish and other languages. The 2013 version was translated into even more languages.&lt;br /&gt;
&lt;br /&gt;
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.&lt;br /&gt;
&lt;br /&gt;
== Changes between 2010 and 2013 Editions ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:&lt;br /&gt;
&lt;br /&gt;
* A1 Injection&lt;br /&gt;
* A2 Broken Authentication and Session Management (was formerly 2010-A3)&lt;br /&gt;
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)&lt;br /&gt;
* A4 Insecure Direct Object References&lt;br /&gt;
* A5 Security Misconfiguration (was formerly 2010-A6)&lt;br /&gt;
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)&lt;br /&gt;
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)&lt;br /&gt;
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)&lt;br /&gt;
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)&lt;br /&gt;
* A10 Unvalidated Redirects and Forwards&lt;br /&gt;
&lt;br /&gt;
== Other 2013 Top 10 Docs ==&lt;br /&gt;
&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]&lt;br /&gt;
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx Focusing on What Changed Since 2010 (PPTX)]&lt;br /&gt;
&lt;br /&gt;
[[File:OWASP_Web_Top_10_for_2013.png]]&lt;br /&gt;
&lt;br /&gt;
== Feedback ==&lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using the OWASP Top 10. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! &lt;br /&gt;
&lt;br /&gt;
We hope you find the information in the OWASP Top 10 useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org. Thanks! &lt;br /&gt;
&lt;br /&gt;
To join the OWASP Top 10 mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] &lt;br /&gt;
&lt;br /&gt;
== Project Sponsors ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- ==== Project Identification ====&lt;br /&gt;
{{Template:OWASP OWASP_Top10 Project}} --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2010 =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. &lt;br /&gt;
&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] &lt;br /&gt;
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] &lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]&lt;br /&gt;
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused a lot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]&lt;br /&gt;
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was first released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]&lt;br /&gt;
&lt;br /&gt;
For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are: &lt;br /&gt;
&lt;br /&gt;
*[[Top_10_2010-A1|A1: Injection]]&lt;br /&gt;
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]&lt;br /&gt;
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]&lt;br /&gt;
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]&lt;br /&gt;
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]&lt;br /&gt;
*[[Top_10_2010-A6|A6: Security Misconfiguration]]&lt;br /&gt;
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]&lt;br /&gt;
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]&lt;br /&gt;
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]&lt;br /&gt;
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]&lt;br /&gt;
&lt;br /&gt;
== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2007 version was translated into English, French, Spanish, Japanese, Korean, Turkish and other languages, and the 2010 version was translated into even more languages. See below for all the translated versions.&lt;br /&gt;
&lt;br /&gt;
== 2010 Versions ==&lt;br /&gt;
&lt;br /&gt;
2010 Edition: &lt;br /&gt;
&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] &lt;br /&gt;
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]&lt;br /&gt;
&lt;br /&gt;
2010 Translations: &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / 这里下载PDF格式文档]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] &lt;br /&gt;
*[[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]]&lt;br /&gt;
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]&lt;br /&gt;
*[https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]&lt;br /&gt;
*[https://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]&lt;br /&gt;
&lt;br /&gt;
2010 Release Candidate: &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] &lt;br /&gt;
*[https://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [https://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].&lt;br /&gt;
&lt;br /&gt;
Previous versions: &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] &lt;br /&gt;
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] &lt;br /&gt;
*[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] &lt;br /&gt;
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]&lt;br /&gt;
&lt;br /&gt;
== Project Sponsors ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}&lt;br /&gt;
&lt;br /&gt;
= Translation Efforts =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Efforts are already underway to translate the OWASP Top 10 for 2017. NOTE: This is still a '''release candidate''' and will definitely change before it's final. To avoid rework, you might want to wait until the final is released. If you are interested in helping, please contact the members of the team for the language you are interested in contributing to, or if you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language.&lt;br /&gt;
&lt;br /&gt;
Here is the original source document for the [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pptx OWASP Top 10 - 2017 '''Release Candidate''' which is in PowerPoint]. Please use this document as the basis for your translation efforts. &lt;br /&gt;
&lt;br /&gt;
2017 Release Candidate Translation Teams:&lt;br /&gt;
&lt;br /&gt;
* French: Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org. &lt;br /&gt;
* Chinese: 王颉、包悦忠、Rip、顾凌志、王厚奎、王文君、吴楠、夏天泽、夏玉明、杨天识、袁明坤、张镇(排名不分先后，按姓氏拼音排列)  [https://www.owasp.org/images/8/8f/OWASP_Top_10_2017（RC1）中文版（V1.0）.pdf OWASP Top10 2017 RC1 - Chinese PDF]&lt;br /&gt;
* Others to be listed.&lt;br /&gt;
&lt;br /&gt;
2013 Completed Translations:&lt;br /&gt;
&lt;br /&gt;
* Arabic: [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic PDF]  Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org&lt;br /&gt;
* Chinese 2013：中文版2013 [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)]. 项目组长： Rip 王颉， 参与人员： 陈亮、 顾庆林、 胡晓斌、 李建蒙、 王文君、 杨天识、 张在峰&lt;br /&gt;
* Czech 2013: [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)] [https://www.owasp.org/images/0/02/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pptx OWASP Top 10 2013 - Czech (PPTX)] CSIRT.CZ - CZ.NIC, z.s.p.o. (.cz domain registry): Petr Zavodsky: petr.zavodsky@owasp.org, Vaclav Klimes, Zuzana Duracinska, Michal Prokop, Edvard Rejthar, Pavel Basta&lt;br /&gt;
*French 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com&lt;br /&gt;
* German 2013: [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer&lt;br /&gt;
* Hebrew 2013: [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf PDF] Translated by: Or Katz, Eyal Estrin, Oran Yitzhak, Dan Peled, Shay Sivan.&lt;br /&gt;
* Italian 2013: [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian PDF] Translated by: Michele Saporito: m.saporito7@gmail.com, Paolo Perego: thesp0nge@owasp.org, Matteo Meucci: matteo.meucci@owasp.org, Sara Gallo: sara.gallo@gmail.com, Alessandro Guido: alex@securityaddicted.com, Mirko Guido Spezie: mirko@dayu.it, Giuseppe Di Cesare: giuseppe.dicesare@alice.it, Paco Schiaffella: schiaffella@gmail.com, Gianluca Grasso: giandou@gmail.com, Alessio D'Ospina: alessiodos@gmail.com, Loredana Mancini: loredana.mancini@business-e.it, Alessio Petracca: alessio.petracca@gmail.com, Giuseppe Trotta: giutrotta@gmail.com, Simone Onofri: simone.onofri@gmail.com, Francesco Cossu: hambucker@gmail.com, Marco Lancini: marco.lancini.ml@gmail.com, Stefano Zanero: zanero@elet.polimi.it, Giovanni Schmid: giovanni.schmid@na.icar.cnr.it, Igor Falcomata': koba@sikurezza.org&lt;br /&gt;
*Japanese 2013: [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese PDF] Translated by: Chia-Lung Hsieh: ryusuke.tw(at)gmail.com, Reviewed by: Hiroshi Tokumaru, Takanori Nakanowatari&lt;br /&gt;
* Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (이름가나다순) 김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com&lt;br /&gt;
*Brazilian Portuguese 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese PDF] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte&lt;br /&gt;
*Spanish 2013: [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish PDF] Gerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger: fabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley: johnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez: mateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez: rodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria: felipe.zipitria@owasp.org, Fabien Spychiger: fabien.spychiger@dreamlab.net, Rafael Gil: rafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, jonathan fernandez jonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre: hector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon: johnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes: carlos.allendes@owasp.org, daniel@carrero.cl: daniel@carrero.cl, Manuel Ramírez: manuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada: mpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel Bahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Jorge Correa: jacorream@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez Guerrero: german.suarez@owasp.org, Jose A. Guasch: jaguasch@gmail.com, Edgar Salazar: edgar.salazar@owasp.org&lt;br /&gt;
*Ukrainian 2013: [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian PDF] Kateryna Ovechenko, Yuriy Fedko, Gleb Paharenko, Yevgeniya Maskayeva, Sergiy Shabashkevich, Bohdan Serednytsky&lt;br /&gt;
&lt;br /&gt;
2010 Completed Translations:&lt;br /&gt;
&lt;br /&gt;
*Korean 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)&lt;br /&gt;
*Spanish 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] Daniel Cabezas Molina, Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera&lt;br /&gt;
*French 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com &lt;br /&gt;
*German: [[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer&lt;br /&gt;
*Indonesian: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad&lt;br /&gt;
*Italian: [https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni&lt;br /&gt;
*Japanese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima&lt;br /&gt;
*Chinese: [https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] Thanks to the following translators and reviewers who contributed to the Chinese version: Rip Torn, 钟卫林, 高雯, 王颉, 于振东&lt;br /&gt;
*Vietnamese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] Translation led by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam&lt;br /&gt;
*Hebrew: [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew Project]] -- [https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]. Led by Or Katz; see the translation page for the list of contributors.&lt;br /&gt;
&lt;br /&gt;
= Project Details =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}&lt;br /&gt;
&lt;br /&gt;
= Some Commercial &amp;amp; OWASP Uses of the Top 10 =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to &amp;quot;cover&amp;quot; or &amp;quot;ensure compliance&amp;quot; with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (WAF) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. &lt;br /&gt;
&lt;br /&gt;
;[https://blogs.microsoft.com/microsoftsecure/2008/05/01/sdl-and-the-owasp-top-ten/ Microsoft] &lt;br /&gt;
:as a way to measure the coverage of their SDL and improve security&lt;br /&gt;
&lt;br /&gt;
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] &lt;br /&gt;
:as part of the Payment Card Industry Data Security Standard (PCI DSS)&lt;br /&gt;
&lt;br /&gt;
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] &lt;br /&gt;
:to show how &amp;quot;T10 threats are handled by the security design and test procedures of Microsoft&amp;quot;&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Top_10/Mapping_to_WHID | OWASP]]&lt;br /&gt;
:OWASP Top 10 Mapped to the Web Hacking Incident Database&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | OWASP]]&lt;br /&gt;
:OWASP Mobile Top 10 Risks&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Top_Ten_Cheat_Sheet | OWASP]]&lt;br /&gt;
:OWASP Top 10 Cheat Sheet&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]][[Category:Popular]][[Category:SAMM-EG-1]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&amp;diff=231125</id>
		<title>Category:OWASP Top Ten Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Top_Ten_Project&amp;diff=231125"/>
				<updated>2017-06-30T17:52:59Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Update project leadership&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP Top 10 - 2017 Release Candidate ==&lt;br /&gt;
&lt;br /&gt;
The release candidate for public comment was published 10 April 2017 and can be [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf downloaded here]. OWASP plans to release the final OWASP Top 10 - 2017 in July or August 2017 after a public comment period ending June 30, 2017.&lt;br /&gt;
&lt;br /&gt;
Constructive comments on this [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 - 2017 Release Candidate] should be forwarded via email to the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP Top 10 Project Email List]. Private comments may be sent to [mailto:dave.wichers@owasp.org Dave Wichers]. Anonymous comments are welcome. All non-private comments will be catalogued and published at the same time as the final public release. Comments recommending changes to the Top 10 should include a complete suggested list of changes, along with a rationale for each change. All comments should indicate the specific relevant page and section.&lt;br /&gt;
&lt;br /&gt;
==OWASP Top 10 Most Critical Web Application Security Risks==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.&lt;br /&gt;
&lt;br /&gt;
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.&lt;br /&gt;
&lt;br /&gt;
==Translation Efforts==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 has been translated to many different languages by numerous volunteers. These translations are available as follows:&lt;br /&gt;
&lt;br /&gt;
* [[Top10#OWASP_Top_10_for_2013 | All versions of the OWASP Top 10 - 2013]]&lt;br /&gt;
* [[Top10#OWASP_Top_10_for_2010 | All versions of the OWASP Top 10 - 2010]]&lt;br /&gt;
* [[Top10#Translation_Efforts | Information about the various translation teams]]&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
The OWASP Top 10 is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0] license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, distribute the resulting work only under the same or a similar license.&lt;br /&gt;
&lt;br /&gt;
{{Social Media Links}}&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is the OWASP Top 10? ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 provides:&lt;br /&gt;
&lt;br /&gt;
* '''A list of the 10 Most Critical Web Application Security Risks'''&lt;br /&gt;
&lt;br /&gt;
For each Risk it provides:&lt;br /&gt;
* A description&lt;br /&gt;
* Example vulnerabilities&lt;br /&gt;
* Example attacks&lt;br /&gt;
* Guidance on how to avoid&lt;br /&gt;
* References to OWASP and other related resources&lt;br /&gt;
&lt;br /&gt;
== Project Leader ==&lt;br /&gt;
&lt;br /&gt;
* [[User:vanderaj | Andrew van der Stock]]&lt;br /&gt;
* [[User:Neil_Smithline | Neil Smithline]]&lt;br /&gt;
* [[User:T.Gigler | Torsten Gigler]]&lt;br /&gt;
&lt;br /&gt;
== Related Projects ==&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Mobile_Security_Project#Top_Ten_Mobile_Risks | OWASP Mobile Top 10 Risks]]&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Top_Ten_Cheat_Sheet | OWASP Top 10 Cheat Sheet]]&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Proactive_Controls | Top 10 Proactive Controls]]&lt;br /&gt;
&lt;br /&gt;
* [[OWASP_Top_10/Mapping_to_WHID | OWASP Top 10 Mapped to the Web Hacking Incident Database]]&lt;br /&gt;
&lt;br /&gt;
== Ohloh ==&lt;br /&gt;
&lt;br /&gt;
*https://www.ohloh.net/p/OWASP-Top-10&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
* [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 2017 Release Candidate - PDF]&lt;br /&gt;
* [[Media:OWASP_Top_10_-_2013.pdf | OWASP Top 10 2013 - PDF]]&lt;br /&gt;
* [[Top_10_2013 | OWASP Top 10 2013 - wiki]]&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Covering Each Item in the Top 10 (PPTX)].&lt;br /&gt;
&lt;br /&gt;
== Email List ==&lt;br /&gt;
[https://lists.owasp.org/mailman/listinfo/Owasp-topten Project Email List]&lt;br /&gt;
&lt;br /&gt;
== News and Events ==&lt;br /&gt;
* [10 Apr 2017] OWASP Top 10 - 2017 Release Candidate Published&lt;br /&gt;
* [17 Dec 2016] OWASP Top 10 - 2017 Data Call Data Published&lt;br /&gt;
* [20 May 2016] OWASP Top 10 - 2017 Data Call Announced&lt;br /&gt;
* [12 Jun 2013] OWASP Top 10 - 2013 Final Released&lt;br /&gt;
* [Feb 2013] OWASP Top 10 - 2013 - Release Candidate Published&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-flagship-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_DOC.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2017 Release Candidate =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The release candidate for public comment was published 10 April 2017 and can be [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf downloaded here]. OWASP plans to release the final OWASP Top 10 - 2017 in July or August 2017 after a public comment period ending June 30, 2017.&lt;br /&gt;
&lt;br /&gt;
Constructive comments on this [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf OWASP Top 10 - 2017 Release Candidate] should be forwarded via email to the [https://lists.owasp.org/mailman/listinfo/Owasp-topten OWASP Top 10 Project Email List]. Private comments may be sent to [mailto:dave.wichers@owasp.org Dave Wichers]. Anonymous comments are welcome. All non-private comments will be catalogued and published at the same time as the final public release. Comments recommending changes to the Top 10 should include a complete suggested list of changes, along with a rationale for each change. All comments should indicate the specific relevant page and section.&lt;br /&gt;
&lt;br /&gt;
This release of the OWASP Top 10 marks this project’s fourteenth year of raising awareness of the importance of application security risks. This release follows the 2013 update, whose main change was the addition of 2013-A9 Use of Known Vulnerable Components. We are pleased to see that since the 2013 Top 10 release, a whole ecosystem of both free and commercial tools has emerged to help combat this problem as the use of open source components has continued to expand rapidly across practically every programming language. The data also suggests that the use of known vulnerable components is still prevalent, but not as widespread as before. We believe the awareness of this issue that the Top 10 - 2013 generated has contributed to both of these changes.&lt;br /&gt;
&lt;br /&gt;
We also noticed that since CSRF was introduced to the Top 10 in 2007, it has dropped from a widespread vulnerability to an uncommon one. Many frameworks now include automatic CSRF defenses, which have significantly contributed to its decline in prevalence, along with much higher awareness among developers that they must protect against such attacks.&lt;br /&gt;
&lt;br /&gt;
For 2017, the OWASP Top 10 Most Critical Web Application Security Risks (in the Release Candidate) are:&lt;br /&gt;
&lt;br /&gt;
* A1 Injection&lt;br /&gt;
* A2 Broken Authentication and Session Management&lt;br /&gt;
* A3 Cross-Site Scripting (XSS)&lt;br /&gt;
* A4 Broken Access Control (As it was in 2004)&lt;br /&gt;
* A5 Security Misconfiguration&lt;br /&gt;
* A6 Sensitive Data Exposure&lt;br /&gt;
* A7 Insufficient Attack Protection (NEW)&lt;br /&gt;
* A8 Cross-Site Request Forgery (CSRF)&lt;br /&gt;
* A9 Using Components with Known Vulnerabilities&lt;br /&gt;
* A10 Underprotected APIs (NEW)&lt;br /&gt;
&lt;br /&gt;
== 2017 Update Data Call Data ==&lt;br /&gt;
&lt;br /&gt;
DATA CALL RESULTS ARE NOW PUBLIC: The [https://github.com/OWASP/Top10/blob/master/2017/datacall/OWASP%20Top%2010%20-%202017%20Data%20Call-Public%20Release.xlsx?raw=true results of this data call have been made public here] as an Excel spreadsheet with 4 tabs. Three of the tabs have raw data as submitted, organized into three vulnerability data size categories: large, small, and none. A 4th tab includes some basic analysis of the large size submissions. The OWASP Top 10 project thanks all the submitters for their input to the OWASP Top 10 - 2017.&lt;br /&gt;
&lt;br /&gt;
On May 20, 2016, the Top 10 project made a public announcement of the data call for the 2017 update to the OWASP Top 10. Contributors filled out the Google form posted here:  [https://docs.google.com/forms/d/1sBMHN5nBicjr5xSo04xkdP5JlCnXFcKFCgEHjwPGuLw/viewform?c=0&amp;amp;w=1&amp;amp;usp=mail_form_link OWASP Top 10 - 2017 Data Call], which had the questions listed below.&lt;br /&gt;
&lt;br /&gt;
Page 1 of 5: Submitter Info&lt;br /&gt;
&lt;br /&gt;
* Name of Company/Organization *&lt;br /&gt;
* Company/Organization Web Site *&lt;br /&gt;
* Point of Contact Name *&lt;br /&gt;
* Point of Contact E-Mail *&lt;br /&gt;
&lt;br /&gt;
Page 2 of 5: Background on Applications&lt;br /&gt;
&lt;br /&gt;
* During what year(s) was this data collected? *&lt;br /&gt;
** 2014&lt;br /&gt;
** 2015&lt;br /&gt;
** Both 2014 &amp;amp; 2015&lt;br /&gt;
*** If the application vulnerability data you are submitting was extracted from a publicly available report, please provide a link to that report (or reports), and the relevant page number(s)&lt;br /&gt;
&lt;br /&gt;
* How many web applications do the submitted results cover? * We consider web apps, web services, and the server side of mobile apps to all be web apps.&lt;br /&gt;
&lt;br /&gt;
* What were the primary programming languages the applications you reviewed written in? Primary being 5% or more of the supplied results - Check all that apply&lt;br /&gt;
** Java&lt;br /&gt;
** .NET&lt;br /&gt;
** Python&lt;br /&gt;
** PHP&lt;br /&gt;
** Ruby&lt;br /&gt;
** Grails&lt;br /&gt;
** Play&lt;br /&gt;
** Node.js&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
* Please supply the exact percentage of applications per language checked off above:&lt;br /&gt;
&lt;br /&gt;
* What were the primary industries these applications supported? Primary being 5% or more of the supplied results - Check all that apply&lt;br /&gt;
** Financial&lt;br /&gt;
** Healthcare&lt;br /&gt;
** eCommerce&lt;br /&gt;
** Internet/Social Media&lt;br /&gt;
** Airline&lt;br /&gt;
** Energy&lt;br /&gt;
** Entertainment (Games/Music/Movies)&lt;br /&gt;
** Government&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
* Where in the world were the application owners primarily? Again - select those where 5% or more of your results came from&lt;br /&gt;
** North America&lt;br /&gt;
** Europe&lt;br /&gt;
** AsiaPac&lt;br /&gt;
** South America&lt;br /&gt;
** Middle East&lt;br /&gt;
** Africa&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
Page 3 of 5: Assessment Team and Detection Approach&lt;br /&gt;
&lt;br /&gt;
* What type of team did the bulk of this work? *&lt;br /&gt;
** Internal Assessment Team(s)&lt;br /&gt;
** Consulting Organization&lt;br /&gt;
** Product Vendor/Service Provider (e.g., SaaS)&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
*What type of analysis tools do they use? * Check all that apply.&lt;br /&gt;
** Free/Open Source Static Application Security Testing (SAST) Tools&lt;br /&gt;
** Free/Open Source Dynamic Application Security Testing (DAST) Tools&lt;br /&gt;
** Free/Open Source Interactive Application Security Testing (IAST) Tools&lt;br /&gt;
** Commercial Static Application Security Testing (SAST) Tools&lt;br /&gt;
** Commercial Dynamic Application Security Testing (DAST) Tools&lt;br /&gt;
** Commercial Interactive Application Security Testing (IAST) Tools&lt;br /&gt;
** Commercial DAST/IAST Hybrid Analysis Tools&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
* Which analysis tools do you frequently use? This includes free, commercial, and custom (in-house) tools - List tools by name&lt;br /&gt;
&lt;br /&gt;
* What is your primary assessment methodology? * Primary being the majority of your assessments follow this approach&lt;br /&gt;
** Raw (untriaged) output of automated analysis tool results using default rules&lt;br /&gt;
** Automated analysis tool results - with manual false positive analysis/elimination&lt;br /&gt;
** Output from manually tailored automated analysis tool(s)&lt;br /&gt;
** Output from manually tailored automated analysis tool(s) - with manual false positive analysis/elimination&lt;br /&gt;
** Manual expert penetration testing (Expected to be tool assisted w/ free DAST tool(s))&lt;br /&gt;
** Manual expert penetration testing with commercial DAST tool(s)&lt;br /&gt;
** Manual expert code review (Using IDE and other free code review aids)&lt;br /&gt;
** Manual expert code review with commercial SAST tool(s)&lt;br /&gt;
** Combined manual expert code review and penetration testing with only free tools&lt;br /&gt;
** Combined manual expert code review and penetration testing with only commercial tools&lt;br /&gt;
** Other:&lt;br /&gt;
&lt;br /&gt;
Page 4 of 5: Application Vulnerability Data&lt;br /&gt;
&lt;br /&gt;
Each question asks for the number of vulnerabilities found for a particular type of vulnerability. At the end is one catch-all text question where you can add other types of vulnerabilities and their counts. If you prefer, just send your vulnerability data in a spreadsheet to dave.wichers@owasp.org with these columns: CATEGORY NAME, CWE #, COUNT, after you submit the rest of your input via this data call. Ideally it would come from the email address you specified in the Point of Contact E-Mail question on Page 1 so it's easy to correlate the two.&lt;br /&gt;
&lt;br /&gt;
* Number of SQL Injection Vulnerabilities Found (CWE-89)?&lt;br /&gt;
* Number of Hibernate Injection Vulnerabilities Found (CWE-564)?&lt;br /&gt;
* Number of Command Injection Vulnerabilities Found (CWE-77)?&lt;br /&gt;
* Number of Authentication Vulnerabilities Found (CWE-287)?&lt;br /&gt;
* Number of Session Fixation Vulnerabilities Found (CWE-384)?&lt;br /&gt;
* Number of Cross-Site Scripting (XSS) Vulnerabilities Found (CWE-79)?&lt;br /&gt;
* Number of DOM-Based XSS Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of Insecure Direct Object Reference Vulnerabilities Found (CWE-639)?&lt;br /&gt;
* Number of Path Traversal Vulnerabilities Found (CWE-22)?&lt;br /&gt;
* Number of Missing Authorization Vulnerabilities Found (CWE-285)?&lt;br /&gt;
* Number of Security Misconfiguration Vulnerabilities Found (CWE-2)?&lt;br /&gt;
* Number of Cleartext Transmission of Sensitive Information Vulnerabilities Found (CWE-319)?&lt;br /&gt;
* Number of Cleartext Storage of Sensitive Information Vulnerabilities Found (CWE-312)?&lt;br /&gt;
* Number of Weak Encryption Vulnerabilities Found (CWE-326)?&lt;br /&gt;
* Number of Cryptographic Vulnerabilities Found (CWEs-310/326/327/etc)?&lt;br /&gt;
** You can report them all lumped together in 310 or in their individual categories. However you want.&lt;br /&gt;
* Number of Improper (Function Level) Access Control Vulnerabilities Found (CWE-285)?&lt;br /&gt;
* Number of Cross-Site Request Forgery (CSRF) Vulnerabilities Found (CWE-352)?&lt;br /&gt;
* Number of Use of Known Libraries Found (No CWE)?&lt;br /&gt;
* Number of Unchecked Redirect Vulnerabilities Found (CWE-601)?&lt;br /&gt;
* Number of Unvalidated Forward Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of Clickjacking Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of XML eXternal Entity Injection (XXE) Vulnerabilities Found (CWE-611)?&lt;br /&gt;
* Number of Server-Side Request Forgery (SSRF) Vulnerabilities Found (CWE-918)?&lt;br /&gt;
* Number of Denial of Service (DOS) Vulnerabilities Found (CWE-400)?&lt;br /&gt;
* Number of Expression Language Injection Vulnerabilities Found (CWE-917)?&lt;br /&gt;
* Number of Error Handling Vulnerabilities Found (CWE-388)?&lt;br /&gt;
* Number of Information Leakage/Disclosure Vulnerabilities Found (CWE-200)?&lt;br /&gt;
* Number of Insufficient Anti-automation Vulnerabilities Found (CWE-799)?&lt;br /&gt;
* Number of Insufficient Security Logging Vulnerabilities Found (CWE-778)?&lt;br /&gt;
* Number of Insufficient Intrusion Detection and Response Vulnerabilities Found (No CWE)?&lt;br /&gt;
* Number of Mass Assignment Vulnerabilities Found (CWE-915)?&lt;br /&gt;
* What other vulnerabilities did you find?&lt;br /&gt;
** Please provide in this format: CATEGORY NAME, CWE #, COUNT (one line per category). Say &amp;quot;No CWE&amp;quot; if there isn't a CWE # for that category. If you plan to send all your vulnerability data in via an email, please state so here so we know to expect it.&lt;br /&gt;
&lt;br /&gt;
Page 5 of 5: Suggestions for the next OWASP Top 10&lt;br /&gt;
&lt;br /&gt;
What do you think we should change?&lt;br /&gt;
&lt;br /&gt;
* Vulnerability types you think should be added to the T10? Because they are an unappreciated risk, widespread, becoming more prevalent, a new type of vulnerability, etc.&lt;br /&gt;
* Vulnerability types you think should be removed from the T10?&lt;br /&gt;
* Suggested changes to the Top 10 Document/Wiki?&lt;br /&gt;
* Suggestions on how to improve this call for data?&lt;br /&gt;
&lt;br /&gt;
== Project Sponsors ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2013 =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On June 12, 2013 the OWASP Top 10 for 2013 was officially released. This version was updated based on numerous comments received during the comment period after the release candidate was released in Feb. 2013.&lt;br /&gt;
&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf OWASP Top 10 2013 document (PDF)].&lt;br /&gt;
* [[Top_10_2013 | OWASP Top 10 2013 - Wiki.]]&lt;br /&gt;
* [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)].&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French (PDF)].&lt;br /&gt;
* [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German (PDF)]] &lt;br /&gt;
* [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf (PDF)]&lt;br /&gt;
* [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian (PDF)]&lt;br /&gt;
* [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean (PDF)].&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese (PDF)].&lt;br /&gt;
* [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish (PDF)]&lt;br /&gt;
* [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian (PDF)]&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Presentation.pptx OWASP Top 10 2013 Presentation - Presenting Each Item in the Top 10 (PPTX)].&lt;br /&gt;
&lt;br /&gt;
For 2013, the OWASP Top 10 Most Critical Web Application Security Risks are:&lt;br /&gt;
&lt;br /&gt;
* [[Top_10_2013-A1-Injection | A1 Injection]]&lt;br /&gt;
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2 Broken Authentication and Session Management]]&lt;br /&gt;
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3 Cross-Site Scripting (XSS)]]&lt;br /&gt;
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4 Insecure Direct Object References]]&lt;br /&gt;
* [[Top_10_2013-A5-Security_Misconfiguration | A5 Security Misconfiguration]]&lt;br /&gt;
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6 Sensitive Data Exposure]]&lt;br /&gt;
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7 Missing Function Level Access Control]]&lt;br /&gt;
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8 Cross-Site Request Forgery (CSRF)]]&lt;br /&gt;
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9 Using Components with Known Vulnerabilities]]&lt;br /&gt;
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10 Unvalidated Redirects and Forwards]]&lt;br /&gt;
&lt;br /&gt;
If you are interested, the methodology for how the Top 10 is produced is now documented here: [[Top_10_2013/ProjectMethodology | OWASP Top 10 Development Methodology]]&lt;br /&gt;
&lt;br /&gt;
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!! &lt;br /&gt;
&lt;br /&gt;
As you help us spread the word, please emphasize: &lt;br /&gt;
&lt;br /&gt;
*OWASP is reaching out to developers, not just the application security community &lt;br /&gt;
*The Top 10 is about managing risk, not just avoiding vulnerabilities &lt;br /&gt;
*To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation&lt;br /&gt;
&lt;br /&gt;
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.&lt;br /&gt;
&lt;br /&gt;
== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2007 and 2010 versions were translated into English, French, Spanish, Japanese, Korean, Turkish and other languages. The 2013 version was translated into even more languages.&lt;br /&gt;
&lt;br /&gt;
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.&lt;br /&gt;
&lt;br /&gt;
== Changes between 2010 and 2013 Editions ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:&lt;br /&gt;
&lt;br /&gt;
* A1 Injection&lt;br /&gt;
* A2 Broken Authentication and Session Management (was formerly 2010-A3)&lt;br /&gt;
* A3 Cross-Site Scripting (XSS) (was formerly 2010-A2)&lt;br /&gt;
* A4 Insecure Direct Object References&lt;br /&gt;
* A5 Security Misconfiguration (was formerly 2010-A6)&lt;br /&gt;
* A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)&lt;br /&gt;
* A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)&lt;br /&gt;
* A8 Cross-Site Request Forgery (CSRF) (was formerly 2010-A5)&lt;br /&gt;
* A9 Using Components with Known Vulnerabilities (new but was part of 2010-A6 – Security Misconfiguration)&lt;br /&gt;
* A10 Unvalidated Redirects and Forwards&lt;br /&gt;
&lt;br /&gt;
== Other 2013 Top 10 Docs ==&lt;br /&gt;
&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20RC1.pdf OWASP Top 10 - 2013 - Release Candidate]&lt;br /&gt;
*[https://www.owasp.org/images/3/3d/OWASP_Top_10_-_2013_Final_Release_-_Change_Log.docx OWASP Top 10 - 2013 - Final Release - Change Log (docx)]&lt;br /&gt;
* [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top-10_2013%20-%20Changes-from-2010.pptx Focusing on What Changed Since 2010 (PPTX)]&lt;br /&gt;
&lt;br /&gt;
[[File:OWASP_Web_Top_10_for_2013.png]]&lt;br /&gt;
&lt;br /&gt;
== Feedback ==&lt;br /&gt;
&lt;br /&gt;
Please let us know how your organization is using the OWASP Top 10. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP! &lt;br /&gt;
&lt;br /&gt;
We hope you find the information in the OWASP Top 10 useful. Please contribute back to the project by sending your comments, questions, and suggestions to topten@lists.owasp.org. Thanks! &lt;br /&gt;
&lt;br /&gt;
To join the OWASP Top 10 mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-topten subscription page.] &lt;br /&gt;
&lt;br /&gt;
== Project Sponsors ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;!-- ==== Project Identification ====&lt;br /&gt;
{{Template:OWASP OWASP_Top10 Project}} --&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= OWASP Top 10 for 2010 =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On April 19, 2010 the final version of the OWASP Top 10 for 2010 was released, and here is the associated [[OWASPTop10-2010-PressRelease|press release]]. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009. &lt;br /&gt;
&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 - 2010 Document] &lt;br /&gt;
*[[Top 10 2010|OWASP Top 10 - 2010 - wiki]] &lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2010%20Presentation.pptx OWASP Top 10 - 2010 Presentation]&lt;br /&gt;
*[http://blip.tv/owasp-appsec-conference-in-europe/day2_track1_1430-1505-3936900 OWASP Top 10 Video of the Presentation above - this focused a lot on the Top 10 for 2010 approach, rather than the details. (From OWASP AppSec EU 2010)]&lt;br /&gt;
*[http://www.vimeo.com/9006276 OWASP Top 10 Video of this Presentation when the Top 10 for 2010 was first released for comment - this goes through each item in the Top 10. (From OWASP AppSec DC 2009)]&lt;br /&gt;
&lt;br /&gt;
For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are: &lt;br /&gt;
&lt;br /&gt;
*[[Top_10_2010-A1|A1: Injection]]&lt;br /&gt;
*[[Top_10_2010-A2|A2: Cross-Site Scripting (XSS)]]&lt;br /&gt;
*[[Top_10_2010-A3|A3: Broken Authentication and Session Management]]&lt;br /&gt;
*[[Top_10_2010-A4|A4: Insecure Direct Object References]]&lt;br /&gt;
*[[Top_10_2010-A5|A5: Cross-Site Request Forgery (CSRF)]]&lt;br /&gt;
*[[Top_10_2010-A6|A6: Security Misconfiguration]]&lt;br /&gt;
*[[Top_10_2010-A7|A7: Insecure Cryptographic Storage]]&lt;br /&gt;
*[[Top_10_2010-A8|A8: Failure to Restrict URL Access]]&lt;br /&gt;
*[[Top_10_2010-A9|A9: Insufficient Transport Layer Protection]]&lt;br /&gt;
*[[Top_10_2010-A10|A10: Unvalidated Redirects and Forwards]]&lt;br /&gt;
&lt;br /&gt;
== Introduction ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. The 2007 edition was translated into French, Spanish, Japanese, Korean, Turkish and other languages, and the 2010 edition was translated into even more languages. See below for all the translated versions.&lt;br /&gt;
&lt;br /&gt;
== 2010 Versions ==&lt;br /&gt;
&lt;br /&gt;
2010 Edition: &lt;br /&gt;
&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010.pdf OWASP Top 10 2010 - PDF] &lt;br /&gt;
*[[Top 10 2010|OWASP Top 10 2010 - wiki]]&lt;br /&gt;
&lt;br /&gt;
2010 Translations: &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF / download the PDF here]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] &lt;br /&gt;
*[[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]]&lt;br /&gt;
*[https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF]&lt;br /&gt;
*[https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF]&lt;br /&gt;
*[https://www.owasp.org/images/8/86/OWASP_Top_10_-_2010_FINAL_%28spanish%29.pptx OWASP Top 10 2010 - Spanish PPT]&lt;br /&gt;
*[https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF]&lt;br /&gt;
&lt;br /&gt;
2010 Release Candidate: &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf OWASP Top 10 2010 Release Candidate] &lt;br /&gt;
*[https://www.owasp.org/images/e/e1/OWASP_Top_10_RC-Public_Comments.docx OWASP Top 10 2010 Release Candidate Comments], except for one set of scanned comments [https://www.owasp.org/images/2/2e/OWASP_T10_-_2010_rc1_cmts_Kai_Jendrian.pdf which are here].&lt;br /&gt;
&lt;br /&gt;
Previous versions: &lt;br /&gt;
&lt;br /&gt;
*[https://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf OWASP Top 10 2007 - PDF] &lt;br /&gt;
*[[Top 10 2007|OWASP Top 10 2007 - wiki]] &lt;br /&gt;
*[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=Project_Details OWASP Top 10 2007 - PDF Translations are here] &lt;br /&gt;
*[[Top 10 2004|OWASP Top 10 2004 - wiki]]&lt;br /&gt;
&lt;br /&gt;
== Project Sponsors ==&lt;br /&gt;
&lt;br /&gt;
The OWASP Top 10 project is sponsored by {{MemberLinks|link=https://www.aspectsecurity.com|logo=Aspect_logo_owasp.jpg}}&lt;br /&gt;
&lt;br /&gt;
= Translation Efforts =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Efforts are already underway to translate the OWASP Top 10 for 2017. NOTE: This is still a '''release candidate''', so it will change before it is final. To avoid rework, you might want to wait until the final version is released. If you are interested in helping, please contact the members of the team for the language you are interested in contributing to. If you don't see your language listed, please let me know you want to help and we'll form a volunteer group for your language.&lt;br /&gt;
&lt;br /&gt;
Here is the original source document for the [https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pptx OWASP Top 10 - 2017 '''Release Candidate''' which is in PowerPoint]. Please use this document as the basis for your translation efforts. &lt;br /&gt;
&lt;br /&gt;
2017 Release Candidate Translation Teams:&lt;br /&gt;
&lt;br /&gt;
* French: Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org. &lt;br /&gt;
* Chinese: 王颉、包悦忠、Rip、顾凌志、王厚奎、王文君、吴楠、夏天泽、夏玉明、杨天识、袁明坤、张镇 (in no particular order; listed by pinyin of surname)  [https://www.owasp.org/images/8/8f/OWASP_Top_10_2017（RC1）中文版（V1.0）.pdf OWASP Top 10 2017 RC1 - Chinese PDF]&lt;br /&gt;
* Others to be listed.&lt;br /&gt;
&lt;br /&gt;
2013 Completed Translations:&lt;br /&gt;
&lt;br /&gt;
* Arabic: [https://www.owasp.org/images/6/6a/OWASP_TOP_10_2013_Arabic.pdf OWASP Top 10 2013 - Arabic PDF]  Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org&lt;br /&gt;
* Chinese 2013: [https://www.owasp.org/images/5/51/OWASP_Top_10_2013-Chinese-V1.2.pdf OWASP Top 10 2013 - Chinese (PDF)]. Project lead: Rip 王颉; contributors: 陈亮, 顾庆林, 胡晓斌, 李建蒙, 王文君, 杨天识, 张在峰&lt;br /&gt;
* Czech 2013: [https://www.owasp.org/images/f/f3/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pdf OWASP Top 10 2013 - Czech (PDF)] [https://www.owasp.org/images/0/02/OWASP_Top_10_-_2013_Final_-_Czech_V1.1.pptx OWASP Top 10 2013 - Czech (PPTX)] CSIRT.CZ - CZ.NIC, z.s.p.o. (.cz domain registry): Petr Zavodsky: petr.zavodsky@owasp.org, Vaclav Klimes, Zuzana Duracinska, Michal Prokop, Edvard Rejthar, Pavel Basta&lt;br /&gt;
*French 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013%20-%20French.pdf OWASP Top 10 2013 - French PDF] Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com&lt;br /&gt;
* German 2013: [[media:OWASP_Top_10_2013_DE_Version_1_0.pdf | OWASP Top 10 2013 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer&lt;br /&gt;
* Hebrew 2013: [[OWASP_Top10_Hebrew|OWASP Top 10 2013 - Hebrew]] [https://www.owasp.org/images/1/1b/OWASP_Top_10_2013-Hebrew.pdf PDF] Translated by: Or Katz, Eyal Estrin, Oran Yitzhak, Dan Peled, Shay Sivan.&lt;br /&gt;
* Italian 2013: [https://www.owasp.org/images/c/c9/OWASP_Top_10_-_2013_-_Italiano.pdf OWASP Top 10 2013 - Italian PDF] Translated by: Michele Saporito: m.saporito7@gmail.com, Paolo Perego: thesp0nge@owasp.org, Matteo Meucci: matteo.meucci@owasp.org, Sara Gallo: sara.gallo@gmail.com, Alessandro Guido: alex@securityaddicted.com, Mirko Guido Spezie: mirko@dayu.it, Giuseppe Di Cesare: giuseppe.dicesare@alice.it, Paco Schiaffella: schiaffella@gmail.com, Gianluca Grasso: giandou@gmail.com, Alessio D'Ospina: alessiodos@gmail.com, Loredana Mancini: loredana.mancini@business-e.it, Alessio Petracca: alessio.petracca@gmail.com, Giuseppe Trotta: giutrotta@gmail.com, Simone Onofri: simone.onofri@gmail.com, Francesco Cossu: hambucker@gmail.com, Marco Lancini: marco.lancini.ml@gmail.com, Stefano Zanero: zanero@elet.polimi.it, Giovanni Schmid: giovanni.schmid@na.icar.cnr.it, Igor Falcomata': koba@sikurezza.org&lt;br /&gt;
*Japanese 2013: [https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf OWASP Top 10 2013 - Japanese PDF] Translated by: Chia-Lung Hsieh: ryusuke.tw(at)gmail.com, Reviewed by: Hiroshi Tokumaru, Takanori Nakanowatari&lt;br /&gt;
* Korean 2013: [https://www.owasp.org/images/2/2c/OWASP_Top_10_-_2013_Final_-_Korean.pdf OWASP Top 10 2013 - Korean PDF] (in Korean alphabetical order by name) 김병효: byounghyo.kim@owasp.org, 김지원: jiwon.kim@owasp.or.kr, 김효근: katuri@katuri.kr, 박정훈: xelion@gmail.com, 성영모: youngmo.seong@owasp.or.kr, 성윤기: yune.sung@owasp.org, 송보영: boyoung.song@owasp.or.kr, 송창기: factor7@naver.com, 유정호: griphis77@gmail.com, 장상민: sangmin.jang@owasp.or.kr, 전영재: youngjae.jeon@owasp.org, 정가람: tgcarrot@gmail.com, 정홍순: jhs728@gmail.com, 조민재: johnny.cho@owasp.org, 허성무: issimplenet@gmail.com&lt;br /&gt;
*Brazilian Portuguese 2013: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP_Top_10_-_2013_Brazilian_Portuguese.pdf OWASP Top 10 2013 - Brazilian Portuguese PDF] Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte&lt;br /&gt;
*Spanish 2013: [https://www.owasp.org/images/5/5f/OWASP_Top_10_-_2013_Final_-_Espa%C3%B1ol.pdf OWASP Top 10 2013 - Spanish PDF] Gerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger: fabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley: johnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez: mateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez: rodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria: felipe.zipitria@owasp.org, Rafael Gil: rafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, Jonathan Fernandez: jonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre: hector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon: johnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes: carlos.allendes@owasp.org, daniel@carrero.cl, Manuel Ramírez: manuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada: mpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel Bahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez Guerrero: german.suarez@owasp.org, Jose A. Guasch: jaguasch@gmail.com, Edgar Salazar: edgar.salazar@owasp.org&lt;br /&gt;
*Ukrainian 2013: [https://www.owasp.org/images/e/e3/OWASP_Top_10_-_2013_Final_Ukrainian.pdf OWASP Top 10 2013 - Ukrainian PDF] Kateryna Ovechenko, Yuriy Fedko, Gleb Paharenko, Yevgeniya Maskayeva, Sergiy Shabashkevich, Bohdan Serednytsky&lt;br /&gt;
&lt;br /&gt;
2010 Completed Translations:&lt;br /&gt;
&lt;br /&gt;
*Korean 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Korean.pdf OWASP Top 10 2010 - Korean PDF] Hyungkeun Park, (mirrk1@gmail.com)&lt;br /&gt;
*Spanish 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Spanish.pdf OWASP Top 10 2010 - Spanish PDF] Daniel Cabezas Molina, Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado, Rodrigo Marcos, Vicente Aguilera&lt;br /&gt;
*French 2010: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20French.pdf OWASP Top 10 2010 - French PDF] ludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org, benoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com, Guillaume.Huysmans@gemalto.com &lt;br /&gt;
*German: [[media:OWASPTop10_2010_DE_Version_1_0.pdf | OWASP Top 10 2010 - German PDF]] top10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, [[User:Kai_Jendrian|Kai Jendrian]], [[User:Ralf_Reinhardt|Ralf Reinhardt]], Michael Schäfer&lt;br /&gt;
*Indonesian: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Indonesian.pdf OWASP Top 10 2010 - Indonesian PDF] Tedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad&lt;br /&gt;
*Italian: [https://www.owasp.org/images/f/f9/OWASP_Top_10_-_2010_ITA.pdf OWASP Top 10 2010 - Italian PDF] Simone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni, Loredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino Squilloni&lt;br /&gt;
*Japanese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202010%20Japanese-A4.pdf OWASP Top 10 2010 - Japanese PDF] cecil.su@owasp.org, Dr. Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin Umemoto, Takashi Arima&lt;br /&gt;
*Chinese: [https://www.owasp.org/images/a/a9/OWASP_Top_10_2010_Chinese_V1.0_Released.pdf OWASP Top 10 2010 - Chinese PDF] Thanks to the following translators and reviewers who contributed to the Chinese edition: Rip Torn, 钟卫林, 高雯, 王颉, 于振东&lt;br /&gt;
*Vietnamese: [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASPTop%2010%20-%202010%20Vietnamese.pdf OWASP Top 10 2010 - Vietnamese PDF] Translation lead by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung, Luong Dieu Phuong, Huynh Thien Tam&lt;br /&gt;
*Hebrew: [[OWASP_Top10_Hebrew|OWASP Top 10 Hebrew Project]] -- [https://www.owasp.org/images/c/cd/OWASP_Top_10_Heb.pdf OWASP Top 10 2010 - Hebrew PDF]. Lead by Or Katz, see translation page for list of contributors.&lt;br /&gt;
&lt;br /&gt;
= Project Details =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{:GPC_Project_Details/OWASP_Top10 | OWASP Project Identification Tab}}&lt;br /&gt;
&lt;br /&gt;
= Some Commercial &amp;amp; OWASP Uses of the Top 10 =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:160px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:OWASP_Project_Header.jpg|link=]]&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Warning''': these articles have not been rated for accuracy by OWASP. Product companies should be extremely careful about claiming to &amp;quot;cover&amp;quot; or &amp;quot;ensure compliance&amp;quot; with the OWASP Top 10. The current state-of-the-art for automated detection (scanners and static analysis) and prevention (WAF) is nowhere near sufficient to claim adequate coverage of the issues in the Top 10. Nevertheless, using the Top 10 as a simple way to communicate security to end users is effective. &lt;br /&gt;
&lt;br /&gt;
;[https://blogs.microsoft.com/microsoftsecure/2008/05/01/sdl-and-the-owasp-top-ten/ Microsoft] &lt;br /&gt;
:as a way to measure the coverage of their SDL and improve security&lt;br /&gt;
&lt;br /&gt;
;[https://www.pcisecuritystandards.org/index.shtml PCI Council] &lt;br /&gt;
:as part of the Payment Card Industry Data Security Standard (PCI DSS)&lt;br /&gt;
&lt;br /&gt;
;[http://msdn.microsoft.com/en-us/library/dd129898.aspx Microsoft] &lt;br /&gt;
:to show how &amp;quot;T10 threats are handled by the security design and test procedures of Microsoft&amp;quot;&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Top_10/Mapping_to_WHID | OWASP]]&lt;br /&gt;
:OWASP Top 10 Mapped to the Web Hacking Incident Database&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks | OWASP]]&lt;br /&gt;
:OWASP Mobile Top 10 Risks&lt;br /&gt;
&lt;br /&gt;
;[[OWASP_Top_Ten_Cheat_Sheet | OWASP]]&lt;br /&gt;
:OWASP Top 10 Cheat Sheet&lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]][[Category:Popular]][[Category:SAMM-EG-1]]&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=June_7,_2017&amp;diff=230458</id>
		<title>June 7, 2017</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=June_7,_2017&amp;diff=230458"/>
				<updated>2017-06-07T14:03:51Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Update as to whom is raising this new business, as it was not directly sponsored by a Board member.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Meeting Location: &lt;br /&gt;
&lt;br /&gt;
'''VIRTUAL'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
'''AGENDA'''&lt;br /&gt;
This is the VIRTUAL packet that is provided to everyone at the same time to review, make comments and be prepared for the meeting. There is no paper handout for the meeting.&lt;br /&gt;
&lt;br /&gt;
 CALL TO ORDER&lt;br /&gt;
&lt;br /&gt;
 CHANGES TO THE AGENDA&lt;br /&gt;
&lt;br /&gt;
 APPROVAL OF MINUTES&lt;br /&gt;
 Approval of [https://docs.google.com/a/owasp.org/document/d/1Qa0o4R6DEz-WicQpcJlWnHuyVf3WRt5JwibalHTfzvc/edit?usp=sharing '''prior meeting minutes''']&lt;br /&gt;
&lt;br /&gt;
 REPORTS&lt;br /&gt;
[https://drive.google.com/file/d/0BxI4iTO_QojvamJONkljMzF5S0pkRi1ZRTZNWjNxYlRRMElJ/view?usp=sharing April 2017 Board Financial Summary]&lt;br /&gt;
&lt;br /&gt;
[https://drive.google.com/file/d/0BxI4iTO_QojvN2NHVlRhdWlqVzRhYUxwUFBJTGZDclRKYktv/view?usp=sharing April 2017 Summary Balance Sheet]&lt;br /&gt;
&lt;br /&gt;
The Foundation [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project staff] provide a monthly roll-up report, compiled in collaboration with all staff members and contractors, covering the efforts being managed by the [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors back office team.]  A link to the monthly operational report can be found here:  [https://owasp.blogspot.com/2017/06/owasp-operations-update-for-june-2017.html REPORT]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
 OLD BUSINESS&lt;br /&gt;
* OWASP Executive Director update. (Josh Sokol)&lt;br /&gt;
* [http://lists.owasp.org/pipermail/owasp-board/2017-May/018139.html Bylaw update to Section 3.02, if not approved via email.] (Josh Sokol)&lt;br /&gt;
 NEW BUSINESS&lt;br /&gt;
* Sean Auriti Budget Requests&lt;br /&gt;
** OWASP learning gateway $100k, full-time staff - Hire a full-time staff member to build out the learning gateway. [https://docs.google.com/document/d/1fGDmxz7cuEkr_xMt_kp6Nb0uacQhvJ_9ymjYR77yqkk/edit]&lt;br /&gt;
** OWASP grant initiative $100k, full-time staff - Hire a full-time grant writer to work on grants for OWASP. [https://docs.google.com/document/d/1szWjXG_grUHZJryD_45XeC3DJF1qOifQjQRZxEJ5znY/edit]&lt;br /&gt;
** OWASP BLT development and marketing $5k (12 monthly prizes of $100, $1,200 + development) [https://docs.google.com/document/d/1aNyq43_gHq8cKMDGtlqTC6H-pv71lH7mNsMgg1WPpy4/edit]&lt;br /&gt;
** OWASP project kickstart $10k - $100 to each of 100 projects to use Coderbounty on 2-5 of their GitHub tasks to get coding done. [https://docs.google.com/document/d/1ogGUjtHiSimzrnnXnEeCsAHn0qtAJ56S6cD7q_swlK4/edit]&lt;br /&gt;
** OWASP innovation lab $250k [https://docs.google.com/document/d/17joGv0qNb0ieFXReUmAKxgf2oUyQDlo6b74RUD556tk/edit]&lt;br /&gt;
** Grant engine / Spurri $50k - development [https://docs.google.com/document/d/1payALh8RjuKAXi30m56hUiXgTzgYhuXm8B3QVqo1whU/edit]&lt;br /&gt;
** OWASP Hackathon sponsor $5k - sponsor a hackathon with prizes and food for 2017, focused on OWASP [https://docs.google.com/document/d/13wCZgLugpjJS-5WcH3zn-n9ADZRke3GhNEP7EvjNi6Q/edit]&lt;br /&gt;
** Fundraiser events / membership drive $300 per month ($3,600) - Hold a monthly membership drive / fundraiser, with $300 for food and drinks. [https://docs.google.com/document/d/1uW0EqvWLdxho9p_X0ZDWI5h_i0rLWlRLmj7suThIigU/edit]&lt;br /&gt;
** Volunteer portal project $50k - development of website. [https://docs.google.com/document/d/1DdGdDjXU7O_v4EgfJGwAOjoI9OL7Zmp3ecJC_iSjtyk/edit]&lt;br /&gt;
** APAC tour $30k - $10k stipend for leaders; send 3 people with a $10k stipend each. [https://docs.google.com/document/d/1FRRtVFxXi1X6G4iGvyqZ2tsYhTrcpxMX3n8Ii3DUQpg/edit]&lt;br /&gt;
** OWASP Mentor Initiative with HQ NY $6,000 [https://docs.google.com/document/d/1FS50Z9KUb-GKUG3GEMLfGT9SBxg6UfUuRiymO6ASqnQ/edit]&lt;br /&gt;
** OWASP Organizational Development Initiative with HQ Brooklyn $50,000 [https://docs.google.com/document/d/15kDHJRMkXIep27oB9YKLV7k51ErbafY5y8JKuc5g_f0/edit]&lt;br /&gt;
* Issue with the [[OWASP Strategic Goals|Strategic Training Goal]] - pay for training but only if you don't attend&lt;br /&gt;
** Unable to find a vendor who can hold registration charges which means bulk refund&lt;br /&gt;
** Bulk refunds at 400+ per event will get OWASP flagged as a risky vendor by acquiring banks&lt;br /&gt;
** Options instead of refunds&lt;br /&gt;
*** Amex/Visa/MC gift card of the same value provided at registration (activation fees apply)&lt;br /&gt;
*** Amazon cards (no activation fee)&lt;br /&gt;
*** OWASP swag/merch valued at the ticket prices (logistical costs)&lt;br /&gt;
*** Discounts or free OWASP membership&lt;br /&gt;
*** Free parking for the event (if parking is hard/expensive by the venue)&lt;br /&gt;
*** A combination of these&lt;br /&gt;
&lt;br /&gt;
 COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS&lt;br /&gt;
* Updates [http://www.crest-approved.org/usa/crest-usa-chapter-board/index.html CREST International]&lt;br /&gt;
 ADJOURNMENT&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Vanderaj&amp;diff=225352</id>
		<title>User:Vanderaj</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Vanderaj&amp;diff=225352"/>
				<updated>2017-01-19T05:01:07Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Bio ==&lt;br /&gt;
&lt;br /&gt;
Andrew van der Stock is a leading web application security researcher active in the proactive application security community. He has sat on the OWASP Global Board of Directors since 2015 and has held the Treasurer role since 2016. He is the Project Lead of the Application Security Verification Standard (https://github.com/OWASP/ASVS) and is heavily involved with the Education strategic goal. He is an in-demand speaker and trainer. &lt;br /&gt;
&lt;br /&gt;
[[File:Vanderaj.png]]&lt;br /&gt;
&lt;br /&gt;
Andrew has been involved with OWASP since early 2003, and has helped in the following efforts:&lt;br /&gt;
&lt;br /&gt;
''Positions''&lt;br /&gt;
* Global Board (2015-) &lt;br /&gt;
* Treasurer (2016-)&lt;br /&gt;
* Executive Director (2005-2007)&lt;br /&gt;
* Global Chapters Committee (2011-2012)&lt;br /&gt;
&lt;br /&gt;
''Projects''&lt;br /&gt;
* OWASP Application Security Verification Standard Project Lead (2013-)&lt;br /&gt;
* OWASP Developer Guide. Project lead, lead author (2004-2009, 2012-2015)&lt;br /&gt;
* OWASP Proactive Controls, Founder / Key contributor (2012-)&lt;br /&gt;
* OWASP Top 10 2007 project lead and lead author (2006-2007) &lt;br /&gt;
* Moderator of webappsec@securityfocus.com (2004-)&lt;br /&gt;
* Helped start the Melbourne and Sydney OWASP chapters&lt;br /&gt;
&lt;br /&gt;
In previous lives, he has assisted with the following projects:&lt;br /&gt;
&lt;br /&gt;
* [http://www.gaiabb.com GaiaBB], forum software - fork of XMB&lt;br /&gt;
* [http://www.xmbforum.com XMB], forum software&lt;br /&gt;
* [http://forums.aussieveedubbers.com AussieVeeDubbers] Runs Australia's largest VW car forum&lt;br /&gt;
* [http://www.sage-au.org.au SAGE-AU] President of SAGE AU in 2000-2001, General Committee member 1999-2000, and a long time member. &lt;br /&gt;
* [http://pnm2ppa.sourceforge.net/ pnm2ppa] HP print drivers for Unix and work-alike systems&lt;br /&gt;
* [http://www.xfree86.org/3.3.6/MGA.html XFree86] Device drivers for Matrox Millennium I/II/Mystique (mid-1990s vintage)&lt;br /&gt;
&lt;br /&gt;
== Speaking Engagements ==&lt;br /&gt;
&lt;br /&gt;
Andrew has presented at many conferences including OSCON, BlackHat USA, Ruxcon, linux.conf.au, and AusCERT. &lt;br /&gt;
&lt;br /&gt;
Forthcoming speaking engagements:&lt;br /&gt;
&lt;br /&gt;
* BlackHat USA 2017 - Trainer on Practical Threat Intelligence&lt;br /&gt;
&lt;br /&gt;
== Links ==&lt;br /&gt;
&lt;br /&gt;
This is where we do the OWASP Developer Guide meetings:&lt;br /&gt;
* Google+: https://plus.google.com/112871258366241260172/posts&lt;br /&gt;
&lt;br /&gt;
Everything I do at OWASP is solely in a personal capacity. I do not speak for my employer, never have, never will. &lt;br /&gt;
* LinkedIn: http://au.linkedin.com/pub/andrew-van-der-stock/1/1a1/88b&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Vanderaj.png&amp;diff=225351</id>
		<title>File:Vanderaj.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Vanderaj.png&amp;diff=225351"/>
				<updated>2017-01-19T05:00:13Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Vanderaj uploaded a new version of &amp;amp;quot;File:Vanderaj.png&amp;amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Andrew van der Stock&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Vanderaj&amp;diff=225350</id>
		<title>User:Vanderaj</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Vanderaj&amp;diff=225350"/>
				<updated>2017-01-19T04:48:29Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Bio ==&lt;br /&gt;
&lt;br /&gt;
Andrew van der Stock is a leading web application security researcher active in the proactive application security community. He has sat on the OWASP Global Board of Directors since 2015 and has held the Treasurer role since 2016. He is the Project Lead of the Application Security Verification Standard (https://github.com/OWASP/ASVS) and is heavily involved with the Education strategic goal. He is an in-demand speaker and trainer. &lt;br /&gt;
&lt;br /&gt;
[[File:https://greebo.net/images/vanderaj.png|frame|caption]]&lt;br /&gt;
&lt;br /&gt;
Andrew has been involved with OWASP since early 2003, and has helped in the following efforts:&lt;br /&gt;
&lt;br /&gt;
''Positions''&lt;br /&gt;
* Global Board (2015-) &lt;br /&gt;
* Treasurer (2016-)&lt;br /&gt;
* Executive Director (2005-2007)&lt;br /&gt;
* Global Chapters Committee (2011-2012)&lt;br /&gt;
&lt;br /&gt;
''Projects''&lt;br /&gt;
* OWASP Application Security Verification Standard Project Lead (2013-)&lt;br /&gt;
* OWASP Developer Guide. Project lead, lead author (2004-2009, 2012-2015)&lt;br /&gt;
* OWASP Proactive Controls, Founder / Key contributor (2012-)&lt;br /&gt;
* OWASP Top 10 2007 project lead and lead author (2006-2007) &lt;br /&gt;
* Moderator of webappsec@securityfocus.com (2004-)&lt;br /&gt;
* Helped start the Melbourne and Sydney OWASP chapters&lt;br /&gt;
&lt;br /&gt;
In previous lives, he has assisted with the following projects:&lt;br /&gt;
&lt;br /&gt;
* [http://www.gaiabb.com GaiaBB], forum software - fork of XMB&lt;br /&gt;
* [http://www.xmbforum.com XMB], forum software&lt;br /&gt;
* [http://forums.aussieveedubbers.com AussieVeeDubbers] Runs Australia's largest VW car forum&lt;br /&gt;
* [http://www.sage-au.org.au SAGE-AU] President of SAGE AU in 2000-2001, General Committee member 1999-2000, and a long time member. &lt;br /&gt;
* [http://pnm2ppa.sourceforge.net/ pnm2ppa] HP print drivers for Unix and work-alike systems&lt;br /&gt;
* [http://www.xfree86.org/3.3.6/MGA.html XFree86] Device drivers for Matrox Millennium I/II/Mystique (mid-1990s vintage)&lt;br /&gt;
&lt;br /&gt;
== Speaking Engagements ==&lt;br /&gt;
&lt;br /&gt;
Andrew has presented at many conferences including OSCON, BlackHat USA, Ruxcon, linux.conf.au, and AusCERT. &lt;br /&gt;
&lt;br /&gt;
Forthcoming speaking engagements:&lt;br /&gt;
&lt;br /&gt;
* BlackHat USA 2017 - Trainer on Practical Threat Intelligence&lt;br /&gt;
&lt;br /&gt;
== Links ==&lt;br /&gt;
&lt;br /&gt;
This is where we do the OWASP Developer Guide meetings:&lt;br /&gt;
* Google+: https://plus.google.com/112871258366241260172/posts&lt;br /&gt;
&lt;br /&gt;
Everything I do at OWASP is solely in a personal capacity. I do not speak for my employer, never have, never will. &lt;br /&gt;
* LinkedIn: http://au.linkedin.com/pub/andrew-van-der-stock/1/1a1/88b&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:Vanderaj.png&amp;diff=225349</id>
		<title>File:Vanderaj.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:Vanderaj.png&amp;diff=225349"/>
				<updated>2017-01-19T04:27:11Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: Andrew van der Stock&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Andrew van der Stock&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Vanderaj&amp;diff=225348</id>
		<title>User:Vanderaj</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Vanderaj&amp;diff=225348"/>
				<updated>2017-01-19T04:24:40Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Bio ==&lt;br /&gt;
&lt;br /&gt;
Andrew van der Stock is a leading web application researcher active in the proactive web application community. He has sat on the OWASP Global Board of Directors since 2015 and has held the Treasurer role since 2016. He is the Project Lead of the Application Security Verification Standard (https://github.com/OWASP/ASVS), and is heavily involved with the Education strategic goal. He is an in-demand speaker and trainer. &lt;br /&gt;
&lt;br /&gt;
Andrew has been involved with OWASP since early 2003, and has helped in the following efforts:&lt;br /&gt;
&lt;br /&gt;
''Positions''&lt;br /&gt;
* Global Board (2015-) &lt;br /&gt;
* Treasurer (2016-)&lt;br /&gt;
* Executive Director (2005-2007)&lt;br /&gt;
* Global Chapters Committee (2011-2012)&lt;br /&gt;
&lt;br /&gt;
''Projects''&lt;br /&gt;
* OWASP Application Security Verification Standard Project Lead (2013-)&lt;br /&gt;
* OWASP Developer Guide. Project lead, lead author (2004-2009, 2012-2015)&lt;br /&gt;
* OWASP Proactive Controls, Founder / Key contributor (2012-)&lt;br /&gt;
* OWASP Top 10 2007 project lead and lead author (2006-2007) &lt;br /&gt;
* Moderator of webappsec@securityfocus.com (2004-)&lt;br /&gt;
* Helped start the Melbourne and Sydney OWASP chapters&lt;br /&gt;
&lt;br /&gt;
In previous lives, he has assisted with the following projects:&lt;br /&gt;
&lt;br /&gt;
* [http://www.gaiabb.com GaiaBB], forum software - fork of XMB&lt;br /&gt;
* [http://www.xmbforum.com XMB], forum software&lt;br /&gt;
* [http://forums.aussieveedubbers.com AussieVeeDubbers] Runs Australia's largest VW car forum&lt;br /&gt;
* [http://www.sage-au.org.au SAGE-AU] President of SAGE-AU in 2000-2001, General Committee member 1999-2000, and a long-time member. &lt;br /&gt;
* [http://pnm2ppa.sourceforge.net/ pnm2ppa] HP print drivers for Unix and work-alike systems&lt;br /&gt;
* [http://www.xfree86.org/3.3.6/MGA.html XFree86] Device drivers for Matrox Millennium I/II/Mystique (mid 90's vintage stuff)&lt;br /&gt;
&lt;br /&gt;
== Speaking Engagements ==&lt;br /&gt;
&lt;br /&gt;
Andrew has presented at many conferences including OSCON, BlackHat USA, Ruxcon, linux.conf.au, and AusCERT. &lt;br /&gt;
&lt;br /&gt;
Forthcoming speaking engagements:&lt;br /&gt;
&lt;br /&gt;
* BlackHat USA 2017 - Trainer on Practical Threat Intelligence&lt;br /&gt;
&lt;br /&gt;
== Links ==&lt;br /&gt;
&lt;br /&gt;
This is where we do the OWASP Developer Guide meetings:&lt;br /&gt;
* Google+: https://plus.google.com/112871258366241260172/posts&lt;br /&gt;
&lt;br /&gt;
Everything I do at OWASP is solely in a personal capacity. I do not speak for my employer, never have, never will. &lt;br /&gt;
* LinkedIn: http://au.linkedin.com/pub/andrew-van-der-stock/1/1a1/88b&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=December_14,_2016&amp;diff=224164</id>
		<title>December 14, 2016</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=December_14,_2016&amp;diff=224164"/>
				<updated>2016-12-15T00:02:01Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* New Business */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Dial In Info==&lt;br /&gt;
===Notice of Recording===&lt;br /&gt;
* Notice to all attendees - board meetings are recorded and publicly available as of March, 2013&lt;br /&gt;
* Joining the call acknowledges your awareness of recording and consent to be recorded and public dissemination of the recording.&lt;br /&gt;
*[link:addme Meeting Recording]&lt;br /&gt;
&lt;br /&gt;
===Time===&lt;br /&gt;
* Date/Time: December 14, 2016, 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&amp;amp;month=12&amp;amp;day=14&amp;amp;hour=23&amp;amp;min=0&amp;amp;sec=0&amp;amp;p1=224&amp;amp;p2=24&amp;amp;p3=263&amp;amp;p4=78&amp;amp;p5=37&amp;amp;p6=102&amp;amp;p7=152 TimeZone Converter ]&lt;br /&gt;
&lt;br /&gt;
===Location===   &lt;br /&gt;
&lt;br /&gt;
'''Teleconference Information:'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
=== Attendance Tracker===&lt;br /&gt;
'''[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracker]'''&lt;br /&gt;
&lt;br /&gt;
=== Meeting Minutes===&lt;br /&gt;
[link:addme Meeting Minutes]&lt;br /&gt;
&lt;br /&gt;
= Reading Material  =&lt;br /&gt;
'''''It is a requirement as a board member to fully read all material prior to the start of the meeting'''''&lt;br /&gt;
&lt;br /&gt;
= Meeting Agenda =&lt;br /&gt;
== Call to Order /OWASP Mission ==&lt;br /&gt;
*Administrative (List of attendees and Agenda bashing (only if last-minute changes to the agenda are needed)) (5 min)&lt;br /&gt;
&lt;br /&gt;
== Reports ==&lt;br /&gt;
&lt;br /&gt;
Board reports to be handled offline.&lt;br /&gt;
&lt;br /&gt;
==Reports==&lt;br /&gt;
Staff reports to be handled offline.  Details are here for informational purposes.&lt;br /&gt;
* [http://owasp.blogspot.com/2016/12/owasp-operations-update-for-december.html December 2016 Operations Update] ''Note: This new report combines all staff reports in a single blog post.''&lt;br /&gt;
* [https://docs.google.com/spreadsheets/d/1EusewtDJllet97lvYDOCNqrN_3_kETq0lLU-EGo8c1M/edit#gid=1399677892 Monthly &amp;amp; YTD Financials]&lt;br /&gt;
&lt;br /&gt;
==Old Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;br /&gt;
* [https://github.com/OWASP/owasp-devseccon-summit/blob/master/Logistics/FundRequest.md 50K USD seed fund request for the owasp-devseccon-summit in 2017]&lt;br /&gt;
* Marketing agreement with DevSecCon for the Summit in June (see email Kelly).&lt;br /&gt;
&lt;br /&gt;
==New Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;br /&gt;
* 2017 Budget:  [https://docs.google.com/spreadsheets/d/1hU0Zn0E4SjwEwjexIEfm95y16YgzQ0u0h3Xhgx74pjU/edit#gid=228125862 Working Spreadsheet]  [Andrew]&lt;br /&gt;
** Motion: All accounts belonging to active chapters and projects, as defined in the Chapter and Project Handbooks respectively, with balances less than $500, will be brought to $500 beginning January 1, 2017 as long as there are at least two active leaders at that time. [Josh]&lt;br /&gt;
** Motion: Chapters and projects meeting minimum requirements (two leaders, flagship or lab projects) needing funds to host local chapter meetings, outreach, or run a local event, such as an OWASP Day, can apply for an operating grant of up to $2500 per year through the Community Manager, or for larger one-off grants of up to $10k per year with Board approval. A pool of $100k will be allocated for this purpose on an annual basis, with quarterly reporting to the Board on its use. Chapter and project leaders will be informed of the funds' presence every month, and will have to supply a written report of their use of funds (such as a blog post, meetup page update, or social media post) within 90 days of using the funds. Grant pool funds not allocated within each financial year are not accrued, but topped up to $100k at the start of each calendar year. [AJV] &lt;br /&gt;
* 2017 Strategic Goals&lt;br /&gt;
** [https://docs.google.com/document/d/1ZgZotdu3TglKCiyOxyQVwS16YDJj0qmEkdYz0LT7hf4/edit Konda Single Goal: Membership]&lt;br /&gt;
** [https://docs.google.com/document/d/1DFkCDeKh8xDJHkDSqnjEcRaLT7UwewD6kZeDdOB5tG4/edit Staff Goal:  Communication Plan]&lt;br /&gt;
** [https://docs.google.com/document/d/1maFqH9NEdQB8ULDU03S_zsXI5k3NiCDKcy9xian63cE/edit Coates Goal:  Worldwide Trainings]&lt;br /&gt;
** AJV Goal - Education&lt;br /&gt;
* 2017 Board Roles&lt;br /&gt;
&lt;br /&gt;
== Action Items==&lt;br /&gt;
*&lt;br /&gt;
&lt;br /&gt;
==Announcements==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Adjournment==&lt;br /&gt;
*Next meeting date/time: &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Motion to close meeting==&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=December_14,_2016&amp;diff=224163</id>
		<title>December 14, 2016</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=December_14,_2016&amp;diff=224163"/>
				<updated>2016-12-15T00:00:38Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* New Business */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Dial In Info==&lt;br /&gt;
===Notice of Recording===&lt;br /&gt;
* Notice to all attendees - board meetings are recorded and publicly available as of March, 2013&lt;br /&gt;
* Joining the call acknowledges your awareness of recording and consent to be recorded and public dissemination of the recording.&lt;br /&gt;
*[link:addme Meeting Recording]&lt;br /&gt;
&lt;br /&gt;
===Time===&lt;br /&gt;
* Date/Time: December 14, 2016, 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&amp;amp;month=12&amp;amp;day=14&amp;amp;hour=23&amp;amp;min=0&amp;amp;sec=0&amp;amp;p1=224&amp;amp;p2=24&amp;amp;p3=263&amp;amp;p4=78&amp;amp;p5=37&amp;amp;p6=102&amp;amp;p7=152 TimeZone Converter ]&lt;br /&gt;
&lt;br /&gt;
===Location===   &lt;br /&gt;
&lt;br /&gt;
'''Teleconference Information:'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
=== Attendance Tracker===&lt;br /&gt;
'''[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracker]'''&lt;br /&gt;
&lt;br /&gt;
=== Meeting Minutes===&lt;br /&gt;
[link:addme Meeting Minutes]&lt;br /&gt;
&lt;br /&gt;
= Reading Material  =&lt;br /&gt;
'''''It is a requirement as a board member to fully read all material prior to the start of the meeting'''''&lt;br /&gt;
&lt;br /&gt;
= Meeting Agenda =&lt;br /&gt;
== Call to Order /OWASP Mission ==&lt;br /&gt;
*Administrative (List of attendees and Agenda bashing (only if last-minute changes to the agenda are needed)) (5 min)&lt;br /&gt;
&lt;br /&gt;
== Reports ==&lt;br /&gt;
&lt;br /&gt;
Board reports to be handled offline.&lt;br /&gt;
&lt;br /&gt;
==Reports==&lt;br /&gt;
Staff reports to be handled offline.  Details are here for informational purposes.&lt;br /&gt;
* [http://owasp.blogspot.com/2016/12/owasp-operations-update-for-december.html December 2016 Operations Update] ''Note: This new report combines all staff reports in a single blog post.''&lt;br /&gt;
* [https://docs.google.com/spreadsheets/d/1EusewtDJllet97lvYDOCNqrN_3_kETq0lLU-EGo8c1M/edit#gid=1399677892 Monthly &amp;amp; YTD Financials]&lt;br /&gt;
&lt;br /&gt;
==Old Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;br /&gt;
* [https://github.com/OWASP/owasp-devseccon-summit/blob/master/Logistics/FundRequest.md 50K USD seed fund request for the owasp-devseccon-summit in 2017]&lt;br /&gt;
* Marketing agreement with DevSecCon for the Summit in June (see email Kelly).&lt;br /&gt;
&lt;br /&gt;
==New Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;br /&gt;
* 2017 Budget:  [https://docs.google.com/spreadsheets/d/1hU0Zn0E4SjwEwjexIEfm95y16YgzQ0u0h3Xhgx74pjU/edit#gid=228125862 Working Spreadsheet]  [Andrew]&lt;br /&gt;
** Motion: All accounts belonging to active chapters and projects, as defined in the Chapter and Project Handbooks respectively, with balances less than $500, will be brought to $500 beginning January 1, 2017 as long as there are at least two active leaders at that time. [Josh]&lt;br /&gt;
** Motion: Chapters and projects needing funds to host local chapter meetings, outreach, or run a local event, such as an OWASP Day, can apply for an operating grant of up to $2500 per year through the Community Manager, or for larger one-off grants of up to $10k per year with Board approval. A pool of $100k will be allocated for this purpose on an annual basis, with quarterly reporting to the Board on its use. Chapter and project leaders will be informed of the funds' presence every month, and will have to supply a written report of their use of funds (such as a blog post, meetup page update, or social media post) within 90 days of using the funds. Grant pool funds not allocated within each financial year are not accrued, but topped up to $100k at the start of each calendar year. [AJV] &lt;br /&gt;
* 2017 Strategic Goals&lt;br /&gt;
** [https://docs.google.com/document/d/1ZgZotdu3TglKCiyOxyQVwS16YDJj0qmEkdYz0LT7hf4/edit Konda Single Goal: Membership]&lt;br /&gt;
** [https://docs.google.com/document/d/1DFkCDeKh8xDJHkDSqnjEcRaLT7UwewD6kZeDdOB5tG4/edit Staff Goal:  Communication Plan]&lt;br /&gt;
** [https://docs.google.com/document/d/1maFqH9NEdQB8ULDU03S_zsXI5k3NiCDKcy9xian63cE/edit Coates Goal:  Worldwide Trainings]&lt;br /&gt;
** AJV Goal - Education&lt;br /&gt;
* 2017 Board Roles&lt;br /&gt;
&lt;br /&gt;
== Action Items==&lt;br /&gt;
*&lt;br /&gt;
&lt;br /&gt;
==Announcements==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Adjournment==&lt;br /&gt;
*Next meeting date/time: &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Motion to close meeting==&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=December_14,_2016&amp;diff=224162</id>
		<title>December 14, 2016</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=December_14,_2016&amp;diff=224162"/>
				<updated>2016-12-14T23:16:25Z</updated>
		
		<summary type="html">&lt;p&gt;Vanderaj: /* New Business */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Dial In Info==&lt;br /&gt;
===Notice of Recording===&lt;br /&gt;
* Notice to all attendees - board meetings are recorded and publicly available as of March, 2013&lt;br /&gt;
* Joining the call acknowledges your awareness of recording and consent to be recorded and public dissemination of the recording.&lt;br /&gt;
*[link:addme Meeting Recording]&lt;br /&gt;
&lt;br /&gt;
===Time===&lt;br /&gt;
* Date/Time: December 14, 2016, 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&amp;amp;month=12&amp;amp;day=14&amp;amp;hour=23&amp;amp;min=0&amp;amp;sec=0&amp;amp;p1=224&amp;amp;p2=24&amp;amp;p3=263&amp;amp;p4=78&amp;amp;p5=37&amp;amp;p6=102&amp;amp;p7=152 TimeZone Converter ]&lt;br /&gt;
&lt;br /&gt;
===Location===   &lt;br /&gt;
&lt;br /&gt;
'''Teleconference Information:'''&lt;br /&gt;
&lt;br /&gt;
https://www3.gotomeeting.com/join/861328838&lt;br /&gt;
&lt;br /&gt;
[[International Toll Free Calling Information]]&lt;br /&gt;
&lt;br /&gt;
=== Attendance Tracker===&lt;br /&gt;
'''[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracker]'''&lt;br /&gt;
&lt;br /&gt;
=== Meeting Minutes===&lt;br /&gt;
[link:addme Meeting Minutes]&lt;br /&gt;
&lt;br /&gt;
= Reading Material  =&lt;br /&gt;
'''''It is a requirement as a board member to fully read all material prior to the start of the meeting'''''&lt;br /&gt;
&lt;br /&gt;
= Meeting Agenda =&lt;br /&gt;
== Call to Order /OWASP Mission ==&lt;br /&gt;
*Administrative (List of attendees and Agenda bashing (only if last-minute changes to the agenda are needed)) (5 min)&lt;br /&gt;
&lt;br /&gt;
== Reports ==&lt;br /&gt;
&lt;br /&gt;
Board reports to be handled offline.&lt;br /&gt;
&lt;br /&gt;
==Reports==&lt;br /&gt;
Staff reports to be handled offline.  Details are here for informational purposes.&lt;br /&gt;
* [http://owasp.blogspot.com/2016/12/owasp-operations-update-for-december.html December 2016 Operations Update] ''Note: This new report combines all staff reports in a single blog post.''&lt;br /&gt;
* [https://docs.google.com/spreadsheets/d/1EusewtDJllet97lvYDOCNqrN_3_kETq0lLU-EGo8c1M/edit#gid=1399677892 Monthly &amp;amp; YTD Financials]&lt;br /&gt;
&lt;br /&gt;
==Old Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;br /&gt;
* [https://github.com/OWASP/owasp-devseccon-summit/blob/master/Logistics/FundRequest.md 50K USD seed fund request for the owasp-devseccon-summit in 2017]&lt;br /&gt;
* Marketing agreement with DevSecCon for the Summit in June (see email Kelly).&lt;br /&gt;
&lt;br /&gt;
==New Business==&lt;br /&gt;
All active board proposals are listed [https://drive.google.com/folderview?id=0BxSfMVkfLvslVXdvUFV3NkxucWc&amp;amp;usp=sharing here]&lt;br /&gt;
* 2017 Budget:  [https://docs.google.com/spreadsheets/d/1hU0Zn0E4SjwEwjexIEfm95y16YgzQ0u0h3Xhgx74pjU/edit#gid=228125862 Working Spreadsheet]  [Andrew]&lt;br /&gt;
** Motion: All accounts belonging to active chapters and projects, as defined in the Chapter and Project Handbooks respectively, with balances less than $500, will be brought to $500 beginning January 1, 2017 as long as there are at least two active leaders at that time. [Josh]&lt;br /&gt;
** Motion: Chapters needing funds to host local chapter meetings, outreach, or run a local event, such as an OWASP Day, can apply for an operating grant of up to $2500 per year through the Community Manager, or for larger one-off grants of up to $10k per year with Board approval. A pool of $100k will be allocated for this purpose on an annual basis, with quarterly reporting to the Board on its use. Chapter leaders will be informed of the funds' presence every month, and will have to supply a written report of their use of funds (such as a blog post, meetup page update, or social media post) within 90 days of using the funds. Grant pool funds not allocated within each financial year are not accrued, but topped up to $100k at the start of each calendar year. [AJV] &lt;br /&gt;
* 2017 Strategic Goals&lt;br /&gt;
** [https://docs.google.com/document/d/1ZgZotdu3TglKCiyOxyQVwS16YDJj0qmEkdYz0LT7hf4/edit Konda Single Goal: Membership]&lt;br /&gt;
** [https://docs.google.com/document/d/1DFkCDeKh8xDJHkDSqnjEcRaLT7UwewD6kZeDdOB5tG4/edit Staff Goal:  Communication Plan]&lt;br /&gt;
** [https://docs.google.com/document/d/1maFqH9NEdQB8ULDU03S_zsXI5k3NiCDKcy9xian63cE/edit Coates Goal:  Worldwide Trainings]&lt;br /&gt;
** AJV Goal - Education&lt;br /&gt;
* 2017 Board Roles&lt;br /&gt;
&lt;br /&gt;
== Action Items==&lt;br /&gt;
*&lt;br /&gt;
&lt;br /&gt;
==Announcements==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Adjournment==&lt;br /&gt;
*Next meeting date/time: &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Motion to close meeting==&lt;/div&gt;</summary>
		<author><name>Vanderaj</name></author>	</entry>

	</feed>