diff --git a/cres/.yaml b/cres/.yaml new file mode 100644 index 000000000..ff756cd77 --- /dev/null +++ b/cres/.yaml @@ -0,0 +1,11 @@ +doctype: CRE +links: +- document: + doctype: CRE + id: 764-507 + name: Restrict XML parsing (against XXE) + tags: + - Configuration + - Injection protection + ltype: Contains +name: XML Parser hardening diff --git a/cres/002-630.yaml b/cres/002-630.yaml index ed88f7a9b..53d84f924 100644 --- a/cres/002-630.yaml +++ b/cres/002-630.yaml @@ -10,8 +10,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.2.1 - sectionID: Verify the application generates a new session token on user authentication. + section: Verify the application generates a new session token on user authentication. + sectionID: V3.2.1 ltype: Linked To - document: doctype: Standard @@ -34,7 +34,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/03-Testing_for_Session_Fixation.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-03 ltype: Linked To diff --git a/cres/002-801.yaml b/cres/002-801.yaml index 55ab7241d..17af28c0b 100644 --- a/cres/002-801.yaml +++ b/cres/002-801.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.9.3 - sectionID: Verify that approved cryptographic algorithms are used in the generation, + section: Verify that approved cryptographic algorithms are used in the generation, seeding, and verification. + sectionID: V2.9.3 ltype: Linked To - document: doctype: Standard 
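Review bot: The new node in `cres/.yaml` has no `id:` key, and its filename is the bare stem `.yaml`, which in this tree is where the id goes (every sibling is `cres/<id>.yaml` with a matching `id:` line). As stored it is an anonymous CRE that nothing else can link to, and the `Contains` edge to 764-507 (Restrict XML parsing) cannot be walked back from the child, so the XXE control ends up with a parent that does not resolve. Assign an id, add `id: <value>` directly after `doctype: CRE`, and rename the file to match before merging; if an exporter produced this file, it is masking a missing id upstream instead of failing on it.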
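Review bot: The WSTG `hyperlink` values move from the pinned `v42` path to `stable`, which is a moving alias: the page content, and occasionally the path segment, change with each WSTG release, while the ASVS link in the same node stays pinned to `v4.0.3`. For a standards mapping whose value is the exact cross-reference, a drifting target means `section: WSTG-SESS-03` can stop matching what the URL shows without any change in this repository. If the intent is to track latest, consider recording the WSTG version next to `section` so the mapping can be re-validated; otherwise keep pinned paths and bump them deliberately. This applies to every `stable` rewrite in the commit, not only this hunk.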
diff --git a/cres/004-517.yaml b/cres/004-517.yaml index 2437a700e..bcfa2ca50 100644 --- a/cres/004-517.yaml +++ b/cres/004-517.yaml @@ -1,6 +1,11 @@ doctype: CRE id: 004-517 links: +- document: + doctype: CRE + id: 433-442 + name: Verification + ltype: Related - document: doctype: CRE id: 074-873 @@ -16,6 +21,11 @@ links: id: 782-234 name: Clear policy compliant I/O requirements ltype: Contains +- document: + doctype: CRE + id: 072-713 + name: Manage standard technologies and frameworks + ltype: Related - document: doctype: CRE id: 787-638 @@ -32,6 +42,12 @@ links: name: NIST 800-53 v5 section: SC-18 Mobile Code ltype: Linked To +- document: + doctype: Standard + name: ISO 27001 + section: Application security requirements + sectionID: '8.26' + ltype: Linked To - document: doctype: Standard hyperlink: https://owaspsamm.org/model/design/security-requirements/stream-a @@ -45,6 +61,12 @@ links: section: Application Security Baseline Requirements sectionID: AIS-02 ltype: Linked To +- document: + doctype: Standard + name: ISO 27001 + section: Information transfer + sectionID: '5.14' + ltype: Linked To - document: doctype: Standard hyperlink: https://owaspsamm.org/model/governance/policy-and-compliance/stream-a/ @@ -52,4 +74,11 @@ links: section: Policy & Standards sectionID: G-PC-A ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Identify and document all security requirements for organization-developed + software to meet, and maintain the requirements over time. + sectionID: PO.1.2 + ltype: Linked To name: Security requirements diff --git a/cres/010-308.yaml b/cres/010-308.yaml index f68f56efd..769123568 100644 --- a/cres/010-308.yaml +++ b/cres/010-308.yaml 
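Review bot: The new `NIST SSDF` link (`sectionID: PO.1.2`, last added block) carries no `hyperlink`, unlike the NIST 800-53 entry in the same file that points into the CPRT catalog, so a consumer rendering links has nothing to follow for SSDF. The same gap is present in every SSDF entry this commit adds. Add a `hyperlink` to the SP 800-218 publication (or a per-practice anchor if one is available) so SSDF references are as navigable as the 800-53 ones. The `ISO 27001` entries have the same omission, though that may be deliberate given the standard text is not freely hosted.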
@@ -8,17 +8,17 @@ links: ltype: Contains - document: doctype: CRE - id: 760-764 - name: Injection protection + id: 760-765 + name: XSS protection tags: - - XSS protection + - Injection protection ltype: Related - document: doctype: CRE - id: 760-765 - name: XSS protection + id: 760-764 + name: Injection protection tags: - - Injection protection + - XSS protection ltype: Related - document: doctype: CRE @@ -66,5 +66,5 @@ links: ltype: Contains name: Input validation tags: -- Injection protection - XSS protection +- Injection protection diff --git a/cres/013-021.yaml b/cres/013-021.yaml index 382f2eb1f..f73318574 100644 --- a/cres/013-021.yaml +++ b/cres/013-021.yaml 
@@ -11,10 +11,41 @@ links: id: 247-250 name: Access control processes ltype: Related +- document: + doctype: CRE + id: 118-775 + name: Manage an internal secure software development community + ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-13 + name: NIST 800-53 v5 + section: PM-13 Security and Privacy Workforce + ltype: Linked To - document: doctype: Standard name: ISO 27001 section: Information security roles and responsibilities sectionID: '5.2' ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Create new roles and alter responsibilities for existing roles as needed + to encompass all parts of the SDLC. Periodically review and maintain the defined + roles and responsibilities, updating them as needed. + sectionID: PO.2.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-2 + name: NIST 800-53 v5 + section: PM-2 Information Security Program Leadership Role + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-29 + name: NIST 800-53 v5 + section: PM-29 Risk Management Program Leadership Roles + ltype: Linked To name: Roles and responsibilities diff --git a/cres/015-063.yaml b/cres/015-063.yaml index 2f438e2cd..6c88e8a05 100644 --- a/cres/015-063.yaml +++ b/cres/015-063.yaml 
@@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.5 - sectionID: Verify accessing sensitive data is audited (without logging the sensitive + section: Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required. + sectionID: V8.3.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/026-280.yaml b/cres/026-280.yaml index 2f8ea13dc..5315c9c69 100644 --- a/cres/026-280.yaml +++ b/cres/026-280.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.7.2 - sectionID: Verify that logs are securely transmitted to a preferably remote system + section: Verify that logs are securely transmitted to a preferably remote system for analysis, detection, alerting, and escalation. + sectionID: V1.7.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/027-210.yaml b/cres/027-210.yaml index ab5e30dac..0d0ef9637 100644 --- a/cres/027-210.yaml +++ b/cres/027-210.yaml @@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.3.2 - sectionID: Verify that random GUIDs are created using the GUID v4 algorithm, and + section: Verify that random GUIDs are created using the GUID v4 algorithm, and a Cryptographically-secure Pseudo-random Number Generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable. + sectionID: V6.3.2 ltype: Linked To - document: doctype: Standard 
@@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/027-555.yaml b/cres/027-555.yaml index 78c9ed94a..a982b4f9e 100644 --- a/cres/027-555.yaml +++ b/cres/027-555.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.1 - sectionID: Verify that user set passwords are at least 12 characters in length - (after multiple spaces are combined). + section: Verify that user set passwords are at least 12 characters in length (after + multiple spaces are combined). + sectionID: V2.1.1 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To diff --git a/cres/028-254.yaml b/cres/028-254.yaml index ce93b993c..1a9dfaa59 100644 --- a/cres/028-254.yaml +++ b/cres/028-254.yaml 
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.3.1 - sectionID: Verify that if the application has a client or server auto-update feature, + section: Verify that if the application has a client or server auto-update feature, updates should be obtained over secure channels and digitally signed. The update code must validate the digital signature of the update before installing or executing the update. + sectionID: V10.3.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/031-447.yaml b/cres/031-447.yaml index d79ef0e09..5bb281815 100644 --- a/cres/031-447.yaml +++ b/cres/031-447.yaml @@ -6,17 +6,17 @@ links: id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.1.3 - sectionID: Verify that all input (HTML form fields, REST requests, URL parameters, + section: Verify that all input (HTML form fields, REST requests, URL parameters, HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive validation (allow lists). + sectionID: V5.1.3 ltype: Linked To - document: doctype: Standard @@ -33,7 +33,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-00 ltype: Linked To diff --git a/cres/032-213.yaml b/cres/032-213.yaml index 76124003e..9d4792d16 100644 --- a/cres/032-213.yaml +++ b/cres/032-213.yaml 
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.4.2 - sectionID: Verify that key material is not exposed to the application but instead + section: Verify that key material is not exposed to the application but instead uses an isolated security module like a vault for cryptographic operations. + sectionID: V6.4.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/036-147.yaml b/cres/036-147.yaml index 20489e6b7..532cbb132 100644 --- a/cres/036-147.yaml +++ b/cres/036-147.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.4.5 - sectionID: 'Verify that a Strict-Transport-Security header is included on all - responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800; + section: 'Verify that a Strict-Transport-Security header is included on all responses + and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains.' + sectionID: V14.4.5 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/07-Test_HTTP_Strict_Transport_Security.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-07 ltype: Linked To diff --git a/cres/036-275.yaml b/cres/036-275.yaml index 10de5fded..85209481b 100644 --- a/cres/036-275.yaml +++ b/cres/036-275.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.1.7 - sectionID: Verify availability of a secure coding checklist, security requirements, + section: Verify availability of a secure coding checklist, security requirements, guideline, or policy to all developers and testers. + sectionID: V1.1.7 ltype: Linked To - document: doctype: Standard diff --git a/cres/036-725.yaml b/cres/036-725.yaml index 5a86dd7c5..57586b372 100644 --- a/cres/036-725.yaml +++ b/cres/036-725.yaml @@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.4.1 - sectionID: Verify that every HTTP response contains a Content-Type header. Also + section: Verify that every HTTP response contains a Content-Type header. Also specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content types are text/*, /+xml and application/xml. Content must match with the provided Content-Type header. + sectionID: V14.4.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/036-810.yaml b/cres/036-810.yaml index 515e337c5..da56a3ede 100644 --- a/cres/036-810.yaml +++ b/cres/036-810.yaml @@ -17,9 +17,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.2.1 - sectionID: Verify that all cryptographic modules fail securely, and errors are - handled in a way that does not enable Padding Oracle attacks. + section: Verify that all cryptographic modules fail securely, and errors are handled + in a way that does not enable Padding Oracle attacks. + sectionID: V6.2.1 ltype: Linked To - document: doctype: Standard 
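Review bot: In the 036-725 hunk the quoted V14.4.1 text reads `text/*, /+xml and application/xml`; as I recall ASVS 4.0.3 the middle media-type pattern is `/*+xml`, so an asterisk appears to be missing. It may have been dropped by this page's rendering rather than by the import, so confirm against the linked ASVS markdown, and if the stored value really is `/+xml` restore it, since the sentence as written names a pattern that does not exist. The multi-line plain scalar is otherwise fine; quoting it would also protect the `*` from any tool that post-processes the YAML as markdown.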
@@ -30,7 +30,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/02-Testing_for_Padding_Oracle.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-02 ltype: Linked To diff --git a/cres/042-550.yaml b/cres/042-550.yaml index f57ec8f01..bcb3d1a3e 100644 --- a/cres/042-550.yaml +++ b/cres/042-550.yaml @@ -6,17 +6,17 @@ links: id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.1.2 - sectionID: Verify that frameworks protect against mass parameter assignment attacks, + section: Verify that frameworks protect against mass parameter assignment attacks, or that the application has countermeasures to protect against unsafe parameter assignment, such as marking fields private or similar. + sectionID: V5.1.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/046-257.yaml b/cres/046-257.yaml index b2c99e64f..b6199dd68 100644 --- a/cres/046-257.yaml +++ b/cres/046-257.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.2.3 - sectionID: Verify that authenticated data is cleared from client storage, such - as the browser DOM, after the client or session is terminated. + section: Verify that authenticated data is cleared from client storage, such as + the browser DOM, after the client or session is terminated. + sectionID: V8.2.3 ltype: Linked To - document: doctype: Standard 
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-12 ltype: Linked To diff --git a/cres/048-612.yaml b/cres/048-612.yaml index d7afc76d0..ce54ffbf6 100644 --- a/cres/048-612.yaml +++ b/cres/048-612.yaml @@ -17,9 +17,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.3.1 - sectionID: Verify that all logging components appropriately encode data to prevent + section: Verify that all logging components appropriately encode data to prevent log injection. + sectionID: V7.3.1 ltype: Linked To - document: doctype: Standard @@ -36,7 +36,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/03-Test_Integrity_Checks.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-03 ltype: Linked To diff --git a/cres/052-821.yaml b/cres/052-821.yaml index 1eb7101cc..3aabddf7c 100644 --- a/cres/052-821.yaml +++ b/cres/052-821.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.6.2 - sectionID: Verify that Credential Service Providers (CSPs) inform Relying Parties + section: Verify that Credential Service Providers (CSPs) inform Relying Parties (RPs) of the last authentication event, to allow RPs to determine if they need to re-authenticate the user. + sectionID: V3.6.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/053-751.yaml b/cres/053-751.yaml index c0baa174b..bccb6d781 100644 --- a/cres/053-751.yaml +++ b/cres/053-751.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.14.3 - sectionID: Verify that the build pipeline warns of out-of-date or insecure components + section: Verify that the build pipeline warns of out-of-date or insecure components and takes appropriate actions. + sectionID: V1.14.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/060-472.yaml b/cres/060-472.yaml index 3a812d4eb..075480f7d 100644 --- a/cres/060-472.yaml +++ b/cres/060-472.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.2.2 - sectionID: Verify that the application or framework enforces a strong anti-CSRF + section: Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality. + sectionID: V4.2.2 ltype: Linked To - document: doctype: Standard 
@@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-05 ltype: Linked To diff --git a/cres/061-186.yaml b/cres/061-186.yaml index 7637dfadb..3b916c691 100644 --- a/cres/061-186.yaml +++ b/cres/061-186.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.1.1 - sectionID: Verify that all application components use the same encodings and parsers + section: Verify that all application components use the same encodings and parsers to avoid parsing attacks that exploit different URI or file parsing behavior that could be used in SSRF and RFI attacks. + sectionID: V13.1.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/064-808.yaml b/cres/064-808.yaml index 1b467d611..71e8f8e61 100644 --- a/cres/064-808.yaml +++ b/cres/064-808.yaml 
@@ -6,17 +6,17 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.5 - sectionID: Verify that where parameterized or safer mechanisms are not present, + section: Verify that where parameterized or safer mechanisms are not present, context-specific output encoding is used to protect against injection attacks, such as the use of SQL escaping to protect against SQL injection. + sectionID: V5.3.5 ltype: Linked To - document: doctype: Standard @@ -27,7 +27,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-05 ltype: Linked To diff --git a/cres/065-183.yaml b/cres/065-183.yaml index a4f8b7062..233985b3a 100644 --- a/cres/065-183.yaml +++ b/cres/065-183.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.10.2 - sectionID: Verify that if passwords are required for service authentication, the + section: Verify that if passwords are required for service authentication, the service account used is not a default credential. (e.g. root/root or admin/admin are default in some services during installation). + sectionID: V2.10.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/065-388.yaml b/cres/065-388.yaml index fd0434963..49190da7d 100644 --- a/cres/065-388.yaml 
+++ b/cres/065-388.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.4.4 - sectionID: 'Verify that all responses contain a X-Content-Type-Options: nosniff + section: 'Verify that all responses contain a X-Content-Type-Options: nosniff header.' + sectionID: V14.4.4 ltype: Linked To - document: doctype: Standard @@ -23,9 +23,9 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01 ltype: Linked To diff --git a/cres/065-782.yaml b/cres/065-782.yaml index 1e562b55b..7e4118136 100644 --- a/cres/065-782.yaml +++ b/cres/065-782.yaml 
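Review bot: In the second hunk `hyperlink` is three URLs joined with `;` across a folded multi-line plain scalar, so anything that treats `hyperlink` as a single URL (link rendering, dead-link checks, or the pattern-based `v42`-to-`stable` rewrite this commit performs) is handed a malformed value; the commit rewrote all three lines without splitting them. The matching `section: WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01` has the same problem. Split into three `Linked To` documents, one per WSTG test, each with a single `hyperlink` and `section`, which also lets each mapping be validated independently.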
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.3.2 - sectionID: If authenticators permit users to remain logged in, verify that re-authentication + section: If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period. + sectionID: V3.3.2 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/07-Testing_Session_Timeout.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-07 ltype: Linked To diff --git a/cres/067-050.yaml b/cres/067-050.yaml index de5195b6c..8d4f44a8a 100644 --- a/cres/067-050.yaml +++ b/cres/067-050.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.1.1 - sectionID: Verify that the application does not log credentials or payment details. + section: Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. + sectionID: V7.1.1 ltype: Linked To - document: doctype: Standard 
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-02 ltype: Linked To diff --git a/cres/068-102.yaml b/cres/068-102.yaml index 58685b954..93944a65c 100644 --- a/cres/068-102.yaml +++ b/cres/068-102.yaml @@ -3,25 +3,23 @@ id: 068-102 links: - document: doctype: CRE - id: 068-102 + id: 326-704 name: Architecture/design processes tags: - Architecture ltype: Contains - document: doctype: CRE - id: 340-754 - name: Threat model every design change or sprint - tags: - - Define High-level architecture and perform security analysis on it + id: 307-242 + name: Security risk assessment ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.1.5 - sectionID: Verify definition and security analysis of the application's high-level + section: Verify definition and security analysis of the application's high-level architecture and all connected remote services. + sectionID: V1.1.5 ltype: Linked To - document: doctype: Standard @@ -36,6 +34,12 @@ links: section: '' sectionID: '1059' ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-31 + name: NIST 800-53 v5 + section: SC-31 Covert Channel Analysis + ltype: Linked To - document: doctype: Standard hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html 
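Review bot: In the 068-102 hunk the added `NIST 800-53 v5` link `SC-31 Covert Channel Analysis` looks too narrow for a node about describing the high-level architecture and threat modeling it: SC-31 is a specific high-assurance control about identifying covert storage and timing channels, not a general design-analysis requirement, so anyone deriving requirements from this mapping inherits a control most applications never need. If general threat modeling is intended, the node's SAMM threat-modeling and OWASP cheat-sheet links already cover it; if covert-channel analysis is really intended, it belongs on a more specific child node with a `Related` edge here. I can only see the hunk, so links elsewhere in the file may justify the choice, in which case a one-line reason in the commit message would help the next reader.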
@@ -61,4 +65,13 @@ links: section: Threat modeling sectionID: D-TA-B ltype: Linked To -name: Define High-level architecture and perform security analysis on it +- document: + doctype: Standard + name: NIST SSDF + section: "Use forms of risk modeling \u2013 such as threat modeling, attack modeling,\ + \ or attack surface mapping \u2013 to help assess the security risk for the\ + \ software." + sectionID: PW.1.1 + ltype: Linked To +name: Describe high-level system architecture and perform threat modeling on it every + critical change and regularly diff --git a/cres/072-713.yaml b/cres/072-713.yaml index 74ca3dcbf..88ecbfc3a 100644 --- a/cres/072-713.yaml +++ b/cres/072-713.yaml @@ -3,11 +3,16 @@ id: 072-713 links: - document: doctype: CRE - id: 068-102 + id: 326-704 name: Architecture/design processes tags: - Architecture ltype: Contains +- document: + doctype: CRE + id: 004-517 + name: Security requirements + ltype: Related - document: doctype: Standard hyperlink: https://owaspsamm.org/model/design/security-architecture/stream-b diff --git a/cres/074-873.yaml b/cres/074-873.yaml index a0cd49a98..c40adcb54 100644 --- a/cres/074-873.yaml +++ b/cres/074-873.yaml @@ -37,6 +37,12 @@ links: id: 227-045 name: Identify sensitive data and subject it to a policy ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-17 + name: NIST 800-53 v5 + section: PM-17 Protecting Controlled Unclassified Information on External Systems + ltype: Linked To - document: doctype: Standard name: ISO 27001 @@ -50,4 +56,10 @@ links: section: Data Protection sectionID: O-OM-A ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-23 + name: NIST 800-53 v5 + section: PM-23 Data Governance Body + ltype: Linked To name: Data classification and handling 
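Review bot: Renaming 068-102 (the `name:` change on the last lines of the hunk) alters a value that this repository copies into every file linking to the node; link entries carry `name:` next to `id:` (see the 072-713 and 004-517 hunks in this same commit), yet the diff shows no update to any file that points at 068-102, so unless that happens outside this view those cached names now disagree with the canonical one. Either regenerate all backlinks in the same change or make consumers resolve display names by `id` only and treat the embedded `name` as advisory. The new wording also reads awkwardly; consider `name: Describe high-level system architecture and perform threat modeling on it at every critical change and regularly`.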
diff --git a/cres/076-470.yaml b/cres/076-470.yaml index c0f9b0bec..da21ff5b9 100644 --- a/cres/076-470.yaml +++ b/cres/076-470.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.8.7 - sectionID: Verify that biometric authenticators are limited to use only as secondary + section: Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know. + sectionID: V2.8.7 ltype: Linked To - document: doctype: Standard diff --git a/cres/077-781.yaml b/cres/077-781.yaml index 887eec079..c8852a2fa 100644 --- a/cres/077-781.yaml +++ b/cres/077-781.yaml @@ -12,13 +12,13 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.4.5 - sectionID: Verify that an additional iteration of a key derivation function is - performed, using a salt value that is secret and known only to the verifier. - Generate the salt value using an approved random bit generator [SP 800-90Ar1] - and provide at least the minimum security strength specified in the latest revision - of SP 800-131A. The secret salt value SHALL be stored separately from the hashed - passwords (e.g., in a specialized device like a hardware security module). + section: Verify that an additional iteration of a key derivation function is performed, + using a salt value that is secret and known only to the verifier. Generate the + salt value using an approved random bit generator [SP 800-90Ar1] and provide + at least the minimum security strength specified in the latest revision of SP + 800-131A. The secret salt value SHALL be stored separately from the hashed passwords + (e.g., in a specialized device like a hardware security module). + sectionID: V2.4.5 ltype: Linked To - document: doctype: Standard 
diff --git a/cres/078-427.yaml b/cres/078-427.yaml index 4e76c441d..dfed08862 100644 --- a/cres/078-427.yaml +++ b/cres/078-427.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.4.4 - sectionID: Verify that if bcrypt is used, the work factor SHOULD be as large as + section: Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, with a minimum of 10. + sectionID: V2.4.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/080-466.yaml b/cres/080-466.yaml index ac7219594..107d1524b 100644 --- a/cres/080-466.yaml +++ b/cres/080-466.yaml @@ -25,4 +25,10 @@ links: section: Access to source code sectionID: '8.4' ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: "Store all forms of code \u2013 including source" + sectionID: PS.1.1 + ltype: Linked To name: Developer Configuration Management diff --git a/cres/082-327.yaml b/cres/082-327.yaml index 4dd222b5a..17a8b0ce0 100644 --- a/cres/082-327.yaml +++ b/cres/082-327.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.3 - sectionID: Verify that users are provided clear language regarding collection - and use of supplied personal information and that users have provided opt-in - consent for the use of that data before it is used in any way. + section: Verify that users are provided clear language regarding collection and + use of supplied personal information and that users have provided opt-in consent + for the use of that data before it is used in any way. + sectionID: V8.3.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/082-530.yaml b/cres/082-530.yaml index 8dea7a6b0..c94697d8f 100644 --- a/cres/082-530.yaml +++ b/cres/082-530.yaml 
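Review bot: In the 080-466 hunk the NIST SSDF `PS.1.1` section text `Store all forms of code \u2013 including source` is cut off mid-sentence; the other SSDF entries this commit adds (PO.1.2, PO.2.1, PW.1.1, PW.8.2) store the full practice sentence, and as I recall PS.1.1 in SP 800-218 continues past the first en dash to cover executable code and configuration-as-code stored under least privilege. The truncation looks like an import that split on `–`, since PS.1.1 contains two of them, so a rendered mapping shows a fragment that does not state the actual requirement. Restore the complete text from the publication, and check whether any other SSDF practice with more than one dash was clipped the same way.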
@@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.4.2 - sectionID: Verify that the salt is at least 32 bits in length and be chosen arbitrarily + section: Verify that the salt is at least 32 bits in length and be chosen arbitrarily to minimize salt value collisions among stored hashes. For each credential, a unique salt value and the resulting hash SHALL be stored. + sectionID: V2.4.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/088-377.yaml b/cres/088-377.yaml new file mode 100644 index 000000000..00450ba44 --- /dev/null +++ b/cres/088-377.yaml @@ -0,0 +1,17 @@ +doctype: CRE +id: 088-377 +links: +- document: + doctype: CRE + id: 207-435 + name: Dynamic security testing + ltype: Contains +- document: + doctype: Standard + name: NIST SSDF + section: "Scope the testing, design the tests, perform the testing, and document\ + \ the results, including recording and triaging all discovered issues and recommended\ + \ remediations in the development team\u2019s workflow or issue tracking system." + sectionID: PW.8.2 + ltype: Linked To +name: Automated dynamic security testing diff --git a/cres/101-217.yaml b/cres/101-217.yaml index a314477ee..61e2c3cdc 100644 --- a/cres/101-217.yaml +++ b/cres/101-217.yaml @@ -12,8 +12,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.6.1 - sectionID: Verify that lookup secrets can be used only once. + section: Verify that lookup secrets can be used only once. + sectionID: V2.6.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/102-811.yaml b/cres/102-811.yaml index 28c8553f0..c4bd40743 100644 --- a/cres/102-811.yaml +++ b/cres/102-811.yaml 
@@ -12,9 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
 name: ASVS
- section: V2.7.4
- sectionID: Verify that the out of band authenticator and verifier communicates
- over a secure independent channel.
+ section: Verify that the out of band authenticator and verifier communicates over
+ a secure independent channel.
+ sectionID: V2.7.4
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/103-707.yaml b/cres/103-707.yaml
index 480b4bc48..3ebb85219 100644
--- a/cres/103-707.yaml
+++ b/cres/103-707.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
 name: ASVS
- section: V2.1.4
- sectionID: Verify that any printable Unicode character, including language neutral
+ section: Verify that any printable Unicode character, including language neutral
 characters such as spaces and Emojis are permitted in passwords.
+ sectionID: V2.1.4
 ltype: Linked To
 - document:
 doctype: Standard
@@ -23,7 +23,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ATHN-07
 ltype: Linked To
diff --git a/cres/112-273.yaml b/cres/112-273.yaml
index 6a5b47bc4..4e8e4e81c 100644
--- a/cres/112-273.yaml
+++ b/cres/112-273.yaml
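Review bot: Replacing the pinned `/v42/` WSTG path with `/stable/` in the second hunk of cres/103-707.yaml turns the hyperlink into a moving target: the page behind it changes with each guide release, and chapter numbering or anchors can move, so the mapping to WSTG-ATHN-07 can no longer be re-verified from the link alone. The same swap is made in 112-273, 118-602, 134-207, 152-725, 158-874, 166-151, 186-540, 224-321 and 232-034, the last of which also carries a `#domain-attribute` fragment that is only known to resolve on the version it was checked against. If tracking the current release is intended, record the release each mapping was validated against, e.g. `# mapped against WSTG v4.2; /stable/ follows the current release`, bearing in mind that a regenerated file will drop YAML comments, so that provenance may belong in the exporter's source data instead.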
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.4.2 - sectionID: Verify that files obtained from untrusted sources are scanned by antivirus + section: Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent upload and serving of known malicious content. + sectionID: V12.4.2 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-09 ltype: Linked To diff --git a/cres/113-133.yaml b/cres/113-133.yaml index 85dfee85d..5b45bccb8 100644 --- a/cres/113-133.yaml +++ b/cres/113-133.yaml @@ -20,10 +20,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.2.3 - sectionID: Verify that the application uses a single vetted authentication mechanism + section: Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches. + sectionID: V1.2.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/117-371.yaml b/cres/117-371.yaml index d06f0a0fc..b9cf808d0 100644 --- a/cres/117-371.yaml +++ b/cres/117-371.yaml 
@@ -15,11 +15,10 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md
 name: ASVS
- section: V1.4.4
- sectionID: Verify the application uses a single and well-vetted access control
- mechanism for accessing protected data and resources. All requests must pass
- through this single mechanism to avoid copy and paste or insecure alternative
- paths.
+ section: Verify the application uses a single and well-vetted access control mechanism
+ for accessing protected data and resources. All requests must pass through this
+ single mechanism to avoid copy and paste or insecure alternative paths.
+ sectionID: V1.4.4
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/118-602.yaml b/cres/118-602.yaml
index a2688b3e2..6201750c3 100644
--- a/cres/118-602.yaml
+++ b/cres/118-602.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md
 name: ASVS
- section: V7.4.3
- sectionID: Verify that a "last resort" error handler is defined which will catch
+ section: Verify that a "last resort" error handler is defined which will catch
 all unhandled exceptions.
+ sectionID: V7.4.3
 ltype: Linked To
 - document:
 doctype: Standard
@@ -29,7 +29,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ERRH-02
 ltype: Linked To
diff --git a/cres/118-775.yaml b/cres/118-775.yaml
new file mode 100644
index 000000000..940499a62
--- /dev/null
+++ b/cres/118-775.yaml
@@ -0,0 +1,21 @@ +doctype: CRE +id: 118-775 +links: +- document: + doctype: CRE + id: 261-010 + name: Program management for secure software development + ltype: Contains +- document: + doctype: CRE + id: 013-021 + name: Roles and responsibilities + ltype: Related +- document: + doctype: Standard + hyperlink: https://owaspsamm.org/model/governance/education-and-guidance/stream-b + name: SAMM + section: Organization and Culture + sectionID: G-EG-B + ltype: Linked To +name: Manage an internal secure software development community diff --git a/cres/122-287.yaml b/cres/122-287.yaml index 5d475540f..a927f79c5 100644 --- a/cres/122-287.yaml +++ b/cres/122-287.yaml @@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.2.4 - sectionID: Verify that random number, encryption or hashing algorithms, key lengths, + section: Verify that random number, encryption or hashing algorithms, key lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped at any time, to protect against cryptographic breaks. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering)) + sectionID: V6.2.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/134-207.yaml b/cres/134-207.yaml index e84895061..1268bb276 100644 --- a/cres/134-207.yaml +++ b/cres/134-207.yaml @@ -6,16 +6,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.10 - sectionID: Verify that the application protects against XPath injection or XML - injection attacks. + section: Verify that the application protects against XPath injection or XML injection + attacks. + sectionID: V5.3.10 ltype: Linked To - document: doctype: Standard 
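Review bot: The tag list in cres/134-207.yaml is only reordered (`XSS protection` now precedes `Injection protection`), and the same pure reorder recurs in 145-310, 146-706, 148-227, 157-587, 161-451, 176-154 and 232-217, which suggests the exporter serialises links and tags in collection order rather than a stable one. Every regeneration will then produce diff noise that buries real changes such as the id swap in 155-155. Sorting tags alphabetically and links by a fixed key (for example `ltype`, then `id`) before dumping would make the output deterministic and the diffs reviewable.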
@@ -32,8 +32,8 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html;
- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html;
+ https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-INPV-07; WSTG-INPV-09
 ltype: Linked To
diff --git a/cres/134-412.yaml b/cres/134-412.yaml
index 1fec9a64e..4c71f1fa3 100644
--- a/cres/134-412.yaml
+++ b/cres/134-412.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md
 name: ASVS
- section: V11.1.6
- sectionID: Verify that the application does not suffer from "Time Of Check to
- Time Of Use" (TOCTOU) issues or other race conditions for sensitive operations.
+ section: Verify that the application does not suffer from "Time Of Check to Time
+ Of Use" (TOCTOU) issues or other race conditions for sensitive operations.
+ sectionID: V11.1.6
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/138-448.yaml b/cres/138-448.yaml
index 3c8f4e12b..eaa9f8e75 100644
--- a/cres/138-448.yaml
+++ b/cres/138-448.yaml
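Review bot: The rewritten `hyperlink` in cres/134-207.yaml still folds two URLs into one plain scalar separated by `;` and a line break, so after YAML folding the value is the string "…XML_Injection.html; https://…XPath_Injection.html", which no link renderer or URL validator will accept as a single address; `section: WSTG-INPV-07; WSTG-INPV-09` multiplexes the same way. The commit touched exactly these lines, so it is the natural moment to split the entry into one `- document:` per WSTG test, each with its own hyperlink and section id, matching how every other WSTG link on this page is structured.

```yaml
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html
    name: OWASP Web Security Testing Guide (WSTG)
    section: WSTG-INPV-07
    ltype: Linked To
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection.html
    name: OWASP Web Security Testing Guide (WSTG)
    section: WSTG-INPV-09
    ltype: Linked To
```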
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.3.3 - sectionID: Verify that renewal instructions are sent with sufficient time to renew + section: Verify that renewal instructions are sent with sufficient time to renew time bound authenticators. + sectionID: V2.3.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/145-310.yaml b/cres/145-310.yaml index c16e989d7..7e6b90c8e 100644 --- a/cres/145-310.yaml +++ b/cres/145-310.yaml @@ -6,17 +6,17 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.2.7 - sectionID: Verify that the application sanitizes, disables, or sandboxes user-supplied + section: Verify that the application sanitizes, disables, or sandboxes user-supplied Scalable Vector Graphics (SVG) scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject. + sectionID: V5.2.7 ltype: Linked To - document: doctype: Standard diff --git a/cres/146-706.yaml b/cres/146-706.yaml index d492ddc0e..40e4a339b 100644 --- a/cres/146-706.yaml +++ b/cres/146-706.yaml @@ -6,16 +6,16 @@ links: id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.2.2 - sectionID: Verify that JSON schema validation is in place and verified before - accepting input. + section: Verify that JSON schema validation is in place and verified before accepting + input. + sectionID: V13.2.2 ltype: Linked To - document: doctype: Standard 
diff --git a/cres/148-227.yaml b/cres/148-227.yaml
index d4ddc0e25..b1cb4dcb5 100644
--- a/cres/148-227.yaml
+++ b/cres/148-227.yaml
@@ -13,13 +13,13 @@ links:
 ltype: Contains
 - document:
 doctype: CRE
- id: 872-574
- name: Virus/malware protection
+ id: 007-274
+ name: Patching and updating system components
 ltype: Contains
 - document:
 doctype: CRE
- id: 007-274
- name: Patching and updating system components
+ id: 872-574
+ name: Virus/malware protection
 ltype: Contains
 - document:
 doctype: Standard
diff --git a/cres/148-853.yaml b/cres/148-853.yaml
new file mode 100644
index 000000000..78c3e233b
--- /dev/null
+++ b/cres/148-853.yaml
@@ -0,0 +1,56 @@
+doctype: CRE
+id: 148-853
+links:
+- document:
+ doctype: CRE
+ id: 261-010
+ name: Program management for secure software development
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 862-452
+ name: Operating processes for security
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 616-305
+ name: Development processes for security
+ ltype: Related
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: "Identify and document all security requirements for the organization\u2019\
+ s software development infrastructures and processes, and maintain the requirements\
+ \ over time."
+ sectionID: PO.1.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Specify which tools or tool types must or should be included in each
+ toolchain to mitigate identified risks, as well as how the toolchain components
+ are to be integrated with each other.
+ sectionID: PO.3.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Follow recommended security practices to deploy, operate, and maintain
+ tools and toolchains.
+ sectionID: PO.3.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Separate and protect each environment involved in software development.
+ sectionID: PO.5.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Secure and harden development endpoints (i.e., endpoints for software
+ designers, developers, testers, builders, etc.) to perform development-related
+ tasks using a risk-based approach.
+ sectionID: PO.5.2
+ ltype: Linked To
+name: Setup and maintain a secure software development process
diff --git a/cres/152-725.yaml b/cres/152-725.yaml
index 235b4cb03..3901db0cb 100644
--- a/cres/152-725.yaml
+++ b/cres/152-725.yaml
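Review bot: None of the five NIST SSDF links in the new cres/148-853.yaml carries a `hyperlink`, while the NIST 800-53, SAMM, ASVS and WSTG entries elsewhere on this page all do, so a consumer rendering the mapping has nothing to navigate to for PO.1.1 through PO.5.2; the SSDF entries added in 080-466, 088-377 and 180-488 have the same gap. Adding the SP 800-218 publication URL as `hyperlink:` on each entry, the way the 800-53 entries carry their catalog links, keeps the link schema uniform. Separately, the PO.1.1 text is emitted as a double-quoted, backslash-continued scalar solely because of the curly apostrophe (`organization\u2019s`), while the other four stay in plain style; normalising the apostrophe to ASCII, or enabling unicode output in the dumper, would keep that text readable in review.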
@@ -15,7 +15,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ATHZ-02
 ltype: Linked To
diff --git a/cres/154-031.yaml b/cres/154-031.yaml
index 3b4320860..73487f9ee 100644
--- a/cres/154-031.yaml
+++ b/cres/154-031.yaml
@@ -15,9 +15,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md
 name: ASVS
- section: V10.2.6
- sectionID: Verify that the application source code and third party libraries do
+ section: Verify that the application source code and third party libraries do
 not contain Easter eggs or any other potentially unwanted functionality.
+ sectionID: V10.2.6
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/155-155.yaml b/cres/155-155.yaml
index afc84c461..dc04c5d06 100644
--- a/cres/155-155.yaml
+++ b/cres/155-155.yaml
@@ -8,11 +8,18 @@ links:
 ltype: Contains
 - document:
 doctype: CRE
- id: 068-102
+ id: 326-704
 name: Architecture/design processes
 tags:
 - Architecture
 ltype: Related
+- document:
+ doctype: CRE
+ id: 708-355
+ name: Secure implemented architecture
+ tags:
+ - Architecture
+ ltype: Related
 - document:
 doctype: CRE
 id: 820-878
@@ -20,6 +27,13 @@ links:
 tags:
 - Architecture
 ltype: Related
+- document:
+ doctype: CRE
+ id: 344-611
+ name: Use centralized reusable security controls
+ tags:
+ - Architecture
+ ltype: Related
 - document:
 doctype: CRE
 id: 515-021
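Review bot: In the first hunk of cres/155-155.yaml the link named `Architecture/design processes` is repointed from `id: 068-102` to `id: 326-704`, but nothing on this page retires 068-102 or shows that 326-704 exists, so it cannot be told here whether this repairs a stale id or introduces a dangling one. The same question applies to the new `708-355` entry and to `344-611`, whose link name changes from `Centralize security controls` (removed further down in this file) to `Use centralized reusable security controls` here; the `name:` on a link should match the `name:` in that CRE's own `cres/<id>.yaml`. A link-integrity check in CI (every `id:` under `links:` resolves to an existing `cres/<id>.yaml` whose `name:` matches) would catch this class of drift without manual cross-reading.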
@@ -62,13 +76,6 @@ links:
 tags:
 - Architecture
 ltype: Related
-- document:
- doctype: CRE
- id: 344-611
- name: Centralize security controls
- tags:
- - Architecture
- ltype: Related
 - document:
 doctype: CRE
 id: 640-364
diff --git a/cres/157-430.yaml b/cres/157-430.yaml
index ba7ee58e6..100a1caf9 100644
--- a/cres/157-430.yaml
+++ b/cres/157-430.yaml
@@ -10,10 +10,10 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md
 name: ASVS
- section: V8.1.2
- sectionID: Verify that all cached or temporary copies of sensitive data stored
- on the server are protected from unauthorized access or purged/invalidated after
+ section: Verify that all cached or temporary copies of sensitive data stored on
+ the server are protected from unauthorized access or purged/invalidated after
 the authorized user accesses the sensitive data.
+ sectionID: V8.1.2
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/157-587.yaml b/cres/157-587.yaml
index ed1d834b1..9973c2d13 100644
--- a/cres/157-587.yaml
+++ b/cres/157-587.yaml
@@ -3,8 +3,8 @@ id: 157-587
 links:
 - document:
 doctype: CRE
- id: 114-853
- name: Maintenance
+ id: 850-376
+ name: Facilities management
 ltype: Contains
 - document:
 doctype: CRE
@@ -13,8 +13,8 @@ links:
 ltype: Related
 - document:
 doctype: CRE
- id: 850-376
- name: Facilities management
+ id: 114-853
+ name: Maintenance
 ltype: Contains
 - document:
 doctype: Standard
@@ -28,6 +28,12 @@ links:
 section: Security of assets off-premises
 sectionID: '7.9'
 ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-15
+ name: NIST 800-53 v5
+ section: SC-15 Collaborative Computing Devices and Applications
+ ltype: Linked To
 - document:
 doctype: Standard
 name: ISO 27001
diff --git a/cres/158-874.yaml b/cres/158-874.yaml
index 84feb6e29..526c58f1f 100644
--- a/cres/158-874.yaml
+++ b/cres/158-874.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
 name: ASVS
- section: V2.1.2
- sectionID: Verify that passwords of at least 64 characters are permitted, and
- that passwords of more than 128 characters are denied.
+ section: Verify that passwords of at least 64 characters are permitted, and that
+ passwords of more than 128 characters are denied.
+ sectionID: V2.1.2
 ltype: Linked To
 - document:
 doctype: Standard
@@ -29,7 +29,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ATHN-07
 ltype: Linked To
diff --git a/cres/161-451.yaml b/cres/161-451.yaml
index f6762b1cd..8fd557d97 100644
--- a/cres/161-451.yaml
+++ b/cres/161-451.yaml
@@ -8,17 +8,17 @@ links:
 ltype: Contains
 - document:
 doctype: CRE
- id: 760-764
- name: Injection protection
+ id: 760-765
+ name: XSS protection
 tags:
- - XSS protection
+ - Injection protection
 ltype: Related
 - document:
 doctype: CRE
- id: 760-765
- name: XSS protection
+ id: 760-764
+ name: Injection protection
 tags:
- - Injection protection
+ - XSS protection
 ltype: Related
 - document:
 doctype: CRE
@@ -83,5 +83,5 @@ links:
 ltype: Linked To
 name: Output encoding and injection prevention
 tags:
-- Injection protection
 - XSS protection
+- Injection protection
diff --git a/cres/162-655.yaml b/cres/162-655.yaml
index c1eed8a11..cbedff06b 100644
--- a/cres/162-655.yaml
+++ b/cres/162-655.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md
 name: ASVS
- section: V1.11.1
- sectionID: Verify the definition and documentation of all application components
+ section: Verify the definition and documentation of all application components
 in terms of the business or security functions they provide.
+ sectionID: V1.11.1
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/163-518.yaml b/cres/163-518.yaml
index 6a3290483..d7792042c 100644
--- a/cres/163-518.yaml
+++ b/cres/163-518.yaml
@@ -15,10 +15,10 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md
 name: ASVS
- section: V12.1.2
- sectionID: Verify that the application checks compressed files (e.g. zip, gz,
- docx, odt) against maximum allowed uncompressed size and against maximum number
- of files before uncompressing the file.
+ section: Verify that the application checks compressed files (e.g. zip, gz, docx,
+ odt) against maximum allowed uncompressed size and against maximum number of
+ files before uncompressing the file.
+ sectionID: V12.1.2
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/166-151.yaml b/cres/166-151.yaml
index d03769c48..83f432a9c 100644
--- a/cres/166-151.yaml
+++ b/cres/166-151.yaml
@@ -15,9 +15,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md
 name: ASVS
- section: V4.1.5
- sectionID: Verify that access controls fail securely including when an exception
+ section: Verify that access controls fail securely including when an exception
 occurs.
+ sectionID: V4.1.5
 ltype: Linked To
 - document:
 doctype: Standard
@@ -34,7 +34,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/01-Testing_for_Error_Code.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ERRH-01
 ltype: Linked To
diff --git a/cres/168-186.yaml b/cres/168-186.yaml
index 155922df3..bce0b9783 100644
--- a/cres/168-186.yaml
+++ b/cres/168-186.yaml
@@ -12,9 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
 name: ASVS
- section: V2.7.3
- sectionID: Verify that the out of band verifier authentication requests, codes,
+ section: Verify that the out of band verifier authentication requests, codes,
 or tokens are only usable once, and only for the original authentication request.
+ sectionID: V2.7.3
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/171-222.yaml b/cres/171-222.yaml
index edc17f6d8..d15a537ff 100644
--- a/cres/171-222.yaml
+++ b/cres/171-222.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md
 name: ASVS
- section: V1.14.2
- sectionID: Verify that binary signatures, trusted connections, and verified endpoints
+ section: Verify that binary signatures, trusted connections, and verified endpoints
 are used to deploy binaries to remote devices.
+ sectionID: V1.14.2
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/175-235.yaml b/cres/175-235.yaml
index e3269317e..65636210f 100644
--- a/cres/175-235.yaml
+++ b/cres/175-235.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md
 name: ASVS
- section: V12.2.1
- sectionID: Verify that files obtained from untrusted sources are validated to
- be of expected type based on the file's content.
+ section: Verify that files obtained from untrusted sources are validated to be
+ of expected type based on the file's content.
+ sectionID: V12.2.1
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/176-154.yaml b/cres/176-154.yaml
index cd3ac0a5e..a3babe5af 100644
--- a/cres/176-154.yaml
+++ b/cres/176-154.yaml
@@ -6,8 +6,8 @@ links:
 id: 010-308
 name: Input validation
 tags:
- - Injection protection
 - XSS protection
+ - Injection protection
 ltype: Contains
 - document:
 doctype: CRE
@@ -23,10 +23,10 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md
 name: ASVS
- section: V8.1.4
- sectionID: Verify the application can detect and alert on abnormal numbers of
- requests, such as by IP, user, total per hour or day, or whatever makes sense
- for the application.
+ section: Verify the application can detect and alert on abnormal numbers of requests,
+ such as by IP, user, total per hour or day, or whatever makes sense for the
+ application.
+ sectionID: V8.1.4
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/180-488.yaml b/cres/180-488.yaml
index 366858f24..11f71b9f6 100644
--- a/cres/180-488.yaml
+++ b/cres/180-488.yaml
@@ -12,9 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md
 name: ASVS
- section: V14.1.3
- sectionID: Verify that server configuration is hardened as per the recommendations
+ section: Verify that server configuration is hardened as per the recommendations
 of the application server and frameworks in use.
+ sectionID: V14.1.3
 ltype: Linked To
 - document:
 doctype: Standard
@@ -29,4 +29,20 @@ links:
 name: OWASP Cheat Sheets
 section: Docker Security Cheat Sheet
 ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Define a secure baseline by determining how to configure each setting
+ that has an effect on security or a security-related setting so that the default
+ settings are secure and do not weaken the security functions provided by the
+ platform, network infrastructure, or services.
+ sectionID: PW.9.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Implement the default settings (or groups of default settings, if applicable),
+ and document each setting for software administrators.
+ sectionID: PW.9.2
+ ltype: Linked To
 name: Proper Configuration for all applications and frameworks
diff --git a/cres/184-284.yaml b/cres/184-284.yaml
index cc10175f6..19b68c75c 100644
--- a/cres/184-284.yaml
+++ b/cres/184-284.yaml
@@ -15,10 +15,10 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md
 name: ASVS
- section: V7.1.3
- sectionID: Verify that the application logs security relevant events including
- successful and failed authentication events, access control failures, deserialization
- failures and input validation failures.
+ section: Verify that the application logs security relevant events including successful
+ and failed authentication events, access control failures, deserialization failures
+ and input validation failures.
+ sectionID: V7.1.3
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/186-540.yaml b/cres/186-540.yaml
index b488c6c79..4e84bfb07 100644
--- a/cres/186-540.yaml
+++ b/cres/186-540.yaml
@@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.1 - sectionID: Verify that sensitive data is sent to the server in the HTTP message + section: Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data. + sectionID: V8.3.1 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/03-Testing_for_Sensitive_Information_Sent_via_Unencrypted_Channels.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-03 ltype: Linked To diff --git a/cres/201-246.yaml b/cres/201-246.yaml index a3624d6f7..56e180371 100644 --- a/cres/201-246.yaml +++ b/cres/201-246.yaml @@ -17,9 +17,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.3.1 - sectionID: Verify administrative interfaces use appropriate multi-factor authentication + section: Verify administrative interfaces use appropriate multi-factor authentication to prevent unauthorized use. + sectionID: V4.3.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/206-254.yaml b/cres/206-254.yaml index 99cf30e8f..3931a444d 100644 --- a/cres/206-254.yaml +++ b/cres/206-254.yaml 
@@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.7.6 - sectionID: Verify that the initial authentication code is generated by a secure + section: Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient). + sectionID: V2.7.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/207-435.yaml b/cres/207-435.yaml new file mode 100644 index 000000000..b144b8bac --- /dev/null +++ b/cres/207-435.yaml @@ -0,0 +1,19 @@ +doctype: CRE +id: 207-435 +links: +- document: + doctype: CRE + id: 433-442 + name: Verification + ltype: Contains +- document: + doctype: CRE + id: 088-377 + name: Automated dynamic security testing + ltype: Contains +- document: + doctype: CRE + id: 570-487 + name: Manual penetration testing + ltype: Contains +name: Dynamic security testing diff --git a/cres/208-355.yaml b/cres/208-355.yaml index c5042c361..76b364be5 100644 --- a/cres/208-355.yaml +++ b/cres/208-355.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.1.4 - sectionID: Verify that the application, configuration, and all dependencies can + section: Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion. + sectionID: V14.1.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/208-805.yaml b/cres/208-805.yaml index d156c9d6d..8f053562e 100644 --- a/cres/208-805.yaml +++ b/cres/208-805.yaml 
@@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.3.2 - sectionID: Verify that web or application server and application framework debug + section: Verify that web or application server and application framework debug modes are disabled in production to eliminate debug features, developer consoles, and unintended security disclosures. + sectionID: V14.3.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/217-112.yaml b/cres/217-112.yaml index 22c7aa270..65e7de928 100644 --- a/cres/217-112.yaml +++ b/cres/217-112.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.1.3 - sectionID: Verify the application minimizes the number of parameters in a request, + section: Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values. + sectionID: V8.1.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/224-321.yaml b/cres/224-321.yaml index 7868fb150..baa2e2829 100644 --- a/cres/224-321.yaml +++ b/cres/224-321.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.1.2 - sectionID: Verify that regulated health data is stored encrypted while at rest, + section: Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records. + sectionID: V6.1.2 ltype: Linked To - document: doctype: Standard 
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To
diff --git a/cres/227-045.yaml b/cres/227-045.yaml
index 658c466ff..c8bd3c467 100644
--- a/cres/227-045.yaml
+++ b/cres/227-045.yaml
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.4 - sectionID: Verify that all sensitive data created and processed by the application + section: Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data. + sectionID: V8.3.4 ltype: Linked To - document: doctype: Standard
@@ -28,6 +28,12 @@ links: section: '' sectionID: '200' ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-12 + name: NIST 800-53 v5 + section: SI-12 Information Management and Retention + ltype: Linked To - document: doctype: Standard name: ISO 27001
diff --git a/cres/232-034.yaml b/cres/232-034.yaml
index e8b7c5957..10374f1cb 100644
--- a/cres/232-034.yaml
+++ b/cres/232-034.yaml
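Review bot: Replacing `v42` with `stable` in the WSTG `hyperlink` turns a pinned reference into a moving target: `stable` follows whatever guide release is current, so the page path can drift away from `section: WSTG-CRYP-04` when the guide is reorganised, and the fragment anchors used in sibling hunks (`#domain-attribute` in 232-034, `#log-review` in 240-274, `#testing-for-server-side-session-termination` in 238-346) can disappear with no change in this repository. The ASVS links in the same files remain pinned to `v4.0.3`, so the two standards are now versioned on different policies. If the intent is to always point at the latest guide, a periodic link check in CI that fails on 404s or missing fragments would surface breakage; otherwise pinning to the current release tag keeps the mapping reproducible. The same swap appears in the WSTG hunks of 232-034, 232-217, 235-658, 238-346, 240-274, 248-646, 257-668, 267-468, 270-634, 304-667 and 307-111.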
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.4.4 - sectionID: Verify that cookie-based session tokens use the "__Host-" prefix so - cookies are only sent to the host that initially set the cookie. + section: Verify that cookie-based session tokens use the "__Host-" prefix so cookies + are only sent to the host that initially set the cookie. + sectionID: V3.4.4 ltype: Linked To - document: doctype: Standard
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-02 ltype: Linked To
diff --git a/cres/232-217.yaml b/cres/232-217.yaml
index d82adb375..78fdb5360 100644
--- a/cres/232-217.yaml
+++ b/cres/232-217.yaml
@@ -6,17 +6,17 @@ links: id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.1.5 - sectionID: Verify that URL redirects and forwards only allow destinations which + section: Verify that URL redirects and forwards only allow destinations which appear on an allow list, or show a warning when redirecting to potentially untrusted content. + sectionID: V5.1.5 ltype: Linked To - document: doctype: Standard
@@ -27,7 +27,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-04 ltype: Linked To
diff --git a/cres/232-325.yaml b/cres/232-325.yaml
index a36fd9eb2..16b0a91ab 100644
--- a/cres/232-325.yaml
+++ b/cres/232-325.yaml
@@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.6.4 - sectionID: Verify that the architecture treats client-side secrets--such as symmetric + section: Verify that the architecture treats client-side secrets--such as symmetric keys, passwords, or API tokens--as insecure and never uses them to protect or access sensitive data. + sectionID: V1.6.4 ltype: Linked To - document: doctype: Standard
diff --git a/cres/233-748.yaml b/cres/233-748.yaml
index 504c27627..fddfba386 100644
--- a/cres/233-748.yaml
+++ b/cres/233-748.yaml
@@ -11,6 +11,11 @@ links: id: 850-376 name: Facilities management ltype: Related +- document: + doctype: CRE + id: 473-177 + name: Deploy/build + ltype: Related - document: doctype: CRE id: 486-813
diff --git a/cres/235-658.yaml b/cres/235-658.yaml
index a61444d85..18eda8818 100644
--- a/cres/235-658.yaml
+++ b/cres/235-658.yaml
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.5.5 - sectionID: Verify that if an authentication factor is changed or replaced, that + section: Verify that if an authentication factor is changed or replaced, that the user is notified of this event. + sectionID: V2.5.5 ltype: Linked To - document: doctype: Standard
@@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/02-Testing_for_Default_Credentials.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-02 ltype: Linked To
diff --git a/cres/238-346.yaml b/cres/238-346.yaml
index cf61d889e..d025e7033 100644
--- a/cres/238-346.yaml
+++ b/cres/238-346.yaml
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.3.3 - sectionID: Verify that the application gives the option to terminate all other - active sessions after a successful password change (including change via password - reset/recovery), and that this is effective across the application, federated - login (if present), and any relying parties. + section: Verify that the application gives the option to terminate all other active + sessions after a successful password change (including change via password reset/recovery), + and that this is effective across the application, federated login (if present), + and any relying parties. + sectionID: V3.3.3 ltype: Linked To - document: doctype: Standard
@@ -25,7 +25,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-06 ltype: Linked To
diff --git a/cres/240-274.yaml b/cres/240-274.yaml
index c6c51f2fe..415759e9d 100644
--- a/cres/240-274.yaml
+++ b/cres/240-274.yaml
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.1.2 - sectionID: Verify that the application does not log other sensitive data as defined + section: Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. + sectionID: V7.1.2 ltype: Linked To - document: doctype: Standard
@@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-02 ltype: Linked To
diff --git a/cres/244-750.yaml b/cres/244-750.yaml
index 15f5cac82..635acec91 100644
--- a/cres/244-750.yaml
+++ b/cres/244-750.yaml
@@ -24,4 +24,12 @@ links: section: Training and Awareness sectionID: G-EG-A ltype: Linked To -name: Technical training +- document: + doctype: Standard + name: NIST SSDF + section: Provide role-based training for all personnel with responsibilities that + contribute to secure development. Periodically review personnel proficiency + and role-based training, and update the training as needed. + sectionID: PO.2.2 + ltype: Linked To +name: Technical application security training
diff --git a/cres/247-250.yaml b/cres/247-250.yaml
index dd2d3bca5..ab9404322 100644
--- a/cres/247-250.yaml
+++ b/cres/247-250.yaml
@@ -3,13 +3,13 @@ id: 247-250 links: - document: doctype: CRE - id: 724-770 - name: Technical application access control + id: 013-021 + name: Roles and responsibilities ltype: Related - document: doctype: CRE - id: 013-021 - name: Roles and responsibilities + id: 724-770 + name: Technical application access control ltype: Related - document: doctype: CRE
@@ -33,6 +33,12 @@ links: section: Access control sectionID: '5.15' ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-10 + name: NIST 800-53 v5 + section: PM-10 Authorization Process + ltype: Linked To - document: doctype: Standard name: Cloud Controls Matrix
diff --git a/cres/248-646.yaml b/cres/248-646.yaml
index ce9847c89..02ff7a67b 100644
--- a/cres/248-646.yaml
+++ b/cres/248-646.yaml
@@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.1.3 - sectionID: Verify that only the latest recommended versions of the TLS protocol + section: Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2 and TLS 1.3. The latest version of the TLS protocol should be the preferred option. + sectionID: V9.1.3 ltype: Linked To - document: doctype: Standard
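Review bot: The rename of 244-750 from `name: Technical training` to `name: Technical application security training` changes a value that other files carry as a denormalized copy on their links (every `- document:` entry in this diff repeats the target's `name` beside its `id`), and no hunk here touches a referring file, so those copies may now be stale. The same concern applies to 068-102, whose link text in 307-242 becomes `Describe high-level system architecture and perform threat modeling on it every critical change and regularly` while 068-102's own file is not in this diff. If the importer resolves links by `id` and treats `name` as informational, a one-line note to that effect in the schema or README would make it explicit; otherwise a consistency check that each link's `name` equals the target file's `name` would catch the drift before it reaches users.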
@@ -31,7 +31,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-01 ltype: Linked To
diff --git a/cres/251-446.yaml b/cres/251-446.yaml
new file mode 100644
index 000000000..ed9050da3
--- /dev/null
+++ b/cres/251-446.yaml
@@ -0,0 +1,17 @@
+doctype: CRE
+id: 251-446
+links:
+- document:
+ doctype: CRE
+ id: 261-010
+ name: Program management for secure software development
+ ltype: Contains
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Obtain upper management or authorizing official commitment to secure
+ development, and convey that commitment to all with development-related roles
+ and responsibilities.
+ sectionID: PO.2.3
+ ltype: Linked To
+name: Organize stakeholder commitment for secure software development
diff --git a/cres/253-452.yaml b/cres/253-452.yaml
index f56253213..726c6d8cf 100644
--- a/cres/253-452.yaml
+++ b/cres/253-452.yaml
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.1.1 - sectionID: Verify that the application build and deployment processes are performed + section: Verify that the application build and deployment processes are performed in a secure and repeatable way, such as CI / CD automation, automated configuration management, and automated deployment scripts. + sectionID: V14.1.1 ltype: Linked To - document: doctype: Standard
diff --git a/cres/257-117.yaml b/cres/257-117.yaml
index fb04ba131..248b51769 100644
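Review bot: The new 251-446 file declares `ltype: Contains` for 261-010, and the new 261-010 file later in this diff declares `ltype: Contains` for 251-446, so the two CREs contain each other. If the export convention is that a child lists its parent under the same `ltype`, this is expected; if `Contains` is directional, one side should carry the inverse relation (the names suggest 261-010 is the parent and 251-446 the child), since a hierarchy walker that follows `Contains` edges will otherwise cycle between them. A validation step that rejects `Contains` appearing in both directions between the same pair would settle this independent of convention.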
--- a/cres/257-117.yaml
+++ b/cres/257-117.yaml
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.1.5 - sectionID: Verify that regular backups of important data are performed and that + section: Verify that regular backups of important data are performed and that test restoration of data is performed. + sectionID: V8.1.5 ltype: Linked To - document: doctype: Standard
diff --git a/cres/257-668.yaml b/cres/257-668.yaml
index 356498ed4..c5bcf3c87 100644
--- a/cres/257-668.yaml
+++ b/cres/257-668.yaml
@@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.4.3 - sectionID: Verify that a Content Security Policy (CSP) response header is in place + section: Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities. + sectionID: V14.4.3 ltype: Linked To - document: doctype: Standard
@@ -31,9 +31,9 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html; + https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01 ltype: Linked To
diff --git a/cres/260-200.yaml b/cres/260-200.yaml
index 79f7928da..884422ef6 100644
--- a/cres/260-200.yaml
+++ b/cres/260-200.yaml
@@ -10,9 +10,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.7.1 - sectionID: Verify that a common logging format and approach is used across the - system. + section: Verify that a common logging format and approach is used across the system. + sectionID: V1.7.1 ltype: Linked To - document: doctype: Standard
diff --git a/cres/261-010.yaml b/cres/261-010.yaml
new file mode 100644
index 000000000..ed6ca84fb
--- /dev/null
+++ b/cres/261-010.yaml
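Review bot: The `hyperlink` in the 257-668 hunk is still three URLs joined with `;` inside a folded plain scalar, and `section` likewise packs three identifiers (`WSTG-INPV-01; WSTG-INPV-02; WSTG-CLNT-01`), so the loaded value is not a fetchable URL and a consumer looking up any single WSTG test id will match none of them. Because a folded plain scalar joins its lines with single spaces, the string a parser sees is `…Scripting.html; https://…`, which a link checker will report as one malformed URL rather than three good ones. Since the `stable` swap rewrites every one of these lines anyway, this is the moment to split the entry into three `- document:` blocks, one URL and one `section` each, under the same `name`; the rewritten entries follow.
```yaml
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html
    name: OWASP Web Security Testing Guide (WSTG)
    section: WSTG-INPV-01
    ltype: Linked To
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html
    name: OWASP Web Security Testing Guide (WSTG)
    section: WSTG-INPV-02
    ltype: Linked To
- document:
    doctype: Standard
    hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html
    name: OWASP Web Security Testing Guide (WSTG)
    section: WSTG-CLNT-01
    ltype: Linked To
```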
@@ -0,0 +1,45 @@
+doctype: CRE
+id: 261-010
+links:
+- document:
+ doctype: CRE
+ id: 571-271
+ name: Program management
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 616-305
+ name: Development processes for security
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 118-775
+ name: Manage an internal secure software development community
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 251-446
+ name: Organize stakeholder commitment for secure software development
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 417-342
+ name: Provide reusable application security controls
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 635-851
+ name: Steer the secure software development program
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 148-853
+ name: Setup and maintain a secure software development process
+ ltype: Contains
+- document:
+ doctype: Standard
+ name: Cloud Controls Matrix
+ section: Application and Interface Security Policy and Procedures
+ sectionID: AIS-01
+ ltype: Linked To
+name: Program management for secure software development
diff --git a/cres/263-184.yaml b/cres/263-184.yaml
index 6da7edf12..a691bc5e4 100644
--- a/cres/263-184.yaml
+++ b/cres/263-184.yaml
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.14.4 - sectionID: Verify that the build pipeline contains a build step to automatically + section: Verify that the build pipeline contains a build step to automatically build and verify the secure deployment of the application, particularly if the application infrastructure is software defined, such as cloud environment build scripts. + sectionID: V1.14.4 ltype: Linked To name: Automate secure build and deployment, especially with SDI
diff --git a/cres/265-800.yaml b/cres/265-800.yaml
index 86ed1575d..7fc614770 100644
--- a/cres/265-800.yaml
+++ b/cres/265-800.yaml
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.2.5 - sectionID: Verify that the application source code and third party libraries do + section: Verify that the application source code and third party libraries do not contain malicious code, such as salami attacks, logic bypasses, or logic bombs. + sectionID: V10.2.5 ltype: Linked To - document: doctype: Standard
diff --git a/cres/267-031.yaml b/cres/267-031.yaml
new file mode 100644
index 000000000..4e47491b6
--- /dev/null
+++ b/cres/267-031.yaml
@@ -0,0 +1,22 @@
+doctype: CRE
+id: 267-031
+links:
+- document:
+ doctype: CRE
+ id: 601-182
+ name: Parallel execution robustness
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 623-550
+ name: Denial Of Service protection
+ ltype: Related
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-6
+ name: NIST 800-53 v5
+ section: SC-6 Resource Availability
+ ltype: Linked To
+name: Protect the availability of resources by providing more to higher-priority processes
+tags:
+- Denial Of Service protection
diff --git a/cres/267-468.yaml b/cres/267-468.yaml
index 756fed83e..3b40c2c09 100644
--- a/cres/267-468.yaml
+++ b/cres/267-468.yaml
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.1.3 - sectionID: Verify that regulated financial data is stored encrypted while at rest, + section: Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records. + sectionID: V6.1.3 ltype: Linked To - document: doctype: Standard
@@ -24,7 +24,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To
diff --git a/cres/268-088.yaml b/cres/268-088.yaml
index 1f70019c4..fea46e8ca 100644
--- a/cres/268-088.yaml
+++ b/cres/268-088.yaml
@@ -6,8 +6,8 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: CRE
@@ -18,11 +18,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.4.1 - sectionID: Verify that a query allow list or a combination of depth limiting and + section: Verify that a query allow list or a combination of depth limiting and amount limiting is used to prevent GraphQL or data layer expression Denial of Service (DoS) as a result of expensive, nested queries. For more advanced scenarios, query cost analysis should be used. + sectionID: V13.4.1 ltype: Linked To - document: doctype: Standard
diff --git a/cres/268-100.yaml b/cres/268-100.yaml
index 000b1f1e4..b9211673b 100644
--- a/cres/268-100.yaml
+++ b/cres/268-100.yaml
@@ -10,10 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.4.6 - sectionID: Verify that a suitable Referrer-Policy header is included to avoid - exposing sensitive information in the URL through the Referer header to untrusted - parties. + section: Verify that a suitable Referrer-Policy header is included to avoid exposing + sensitive information in the URL through the Referer header to untrusted parties. + sectionID: V14.4.6 ltype: Linked To - document: doctype: Standard
diff --git a/cres/268-272.yaml b/cres/268-272.yaml
index 72f1cc7d1..23c41014a 100644
--- a/cres/268-272.yaml
+++ b/cres/268-272.yaml
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.8 - sectionID: Verify that sensitive personal information is subject to data retention + section: Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires. + sectionID: V8.3.8 ltype: Linked To - document: doctype: Standard
diff --git a/cres/270-634.yaml b/cres/270-634.yaml
index 9867677c4..4be215d28 100644
--- a/cres/270-634.yaml
+++ b/cres/270-634.yaml
@@ -6,11 +6,6 @@ links: id: 520-617 name: Credential recovery ltype: Contains -- document: - doctype: CRE - id: 278-646 - name: Secure communication - ltype: Related - document: doctype: CRE id: 062-850
@@ -18,13 +13,18 @@ links: tags: - Cryptography ltype: Related +- document: + doctype: CRE + id: 278-646 + name: Secure communication + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.5.1 - sectionID: Verify that a system generated initial activation or recovery secret + section: Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. + sectionID: V2.5.1 ltype: Linked To - document: doctype: Standard
@@ -41,7 +41,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-01 ltype: Linked To
diff --git a/cres/273-600.yaml b/cres/273-600.yaml
index d16c9dd36..1d5e5d49a 100644
--- a/cres/273-600.yaml
+++ b/cres/273-600.yaml
@@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.14.1 - sectionID: Verify the segregation of components of differing trust levels through + section: Verify the segregation of components of differing trust levels through well-defined security controls, firewall rules, API gateways, reverse proxies, cloud-based security groups, or similar mechanisms. + sectionID: V1.14.1 ltype: Linked To - document: doctype: Standard
diff --git a/cres/278-413.yaml b/cres/278-413.yaml
index d7cb61f49..ab0048054 100644
--- a/cres/278-413.yaml
+++ b/cres/278-413.yaml
@@ -20,10 +20,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.2.2 - sectionID: Verify that communications between application components, including + section: Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed. + sectionID: V1.2.2 ltype: Linked To - document: doctype: Standard
diff --git a/cres/284-521.yaml b/cres/284-521.yaml
index c12ea872a..ba5ab2dbd 100644
--- a/cres/284-521.yaml
+++ b/cres/284-521.yaml
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.3.3 - sectionID: Verify the application has additional authorization (such as step up + section: Verify the application has additional authorization (such as step up or adaptive authentication) for lower value systems, and / or segregation of duties for high value applications to enforce anti-fraud controls as per the risk of application and past fraud. + sectionID: V4.3.3 ltype: Linked To - document: doctype: Standard
diff --git a/cres/287-251.yaml b/cres/287-251.yaml
index 37c60bcf2..0be991903 100644
--- a/cres/287-251.yaml
+++ b/cres/287-251.yaml
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.9.2 - sectionID: Verify that the challenge nonce is at least 64 bits in length, and - statistically unique or unique over the lifetime of the cryptographic device. + section: Verify that the challenge nonce is at least 64 bits in length, and statistically + unique or unique over the lifetime of the cryptographic device. + sectionID: V2.9.2 ltype: Linked To - document: doctype: Standard
diff --git a/cres/287-305.yaml b/cres/287-305.yaml
index d8d430caf..256c90963 100644
--- a/cres/287-305.yaml
+++ b/cres/287-305.yaml
@@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.6.1 - sectionID: Verify that there is an explicit policy for management of cryptographic + section: Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57. + sectionID: V1.6.1 ltype: Linked To - document: doctype: Standard
diff --git a/cres/287-823.yaml b/cres/287-823.yaml
index 5a65ba4ea..7a078d33d 100644
--- a/cres/287-823.yaml
+++ b/cres/287-823.yaml
@@ -1,11 +1,6 @@ doctype: CRE id: 287-823 links: -- document: - doctype: CRE - id: 157-587 - name: Equipment management - ltype: Related - document: doctype: CRE id: 766-162
@@ -21,11 +16,22 @@ links: id: 571-640 name: Personal data handling management ltype: Contains +- document: + doctype: CRE + id: 157-587 + name: Equipment management + ltype: Related - document: doctype: CRE id: 522-616 name: Media protection ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-5 + name: NIST 800-53 v5 + section: PM-5 System Inventory + ltype: Linked To - document: doctype: Standard name: ISO 27001
diff --git a/cres/304-667.yaml b/cres/304-667.yaml
index 9c756b230..b74f162f9 100644
--- a/cres/304-667.yaml
+++ b/cres/304-667.yaml
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.2.1 - sectionID: Verify that sensitive data and APIs are protected against Insecure - Direct Object Reference (IDOR) attacks targeting creation, reading, updating - and deletion of records, such as creating or updating someone else's record, - viewing everyone's records, or deleting all records. + section: Verify that sensitive data and APIs are protected against Insecure Direct + Object Reference (IDOR) attacks targeting creation, reading, updating and deletion + of records, such as creating or updating someone else's record, viewing everyone's + records, or deleting all records. + sectionID: V4.2.1 ltype: Linked To - document: doctype: Standard
@@ -25,7 +25,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHZ-04 ltype: Linked To
diff --git a/cres/307-111.yaml b/cres/307-111.yaml
index 6c998526b..7a0699c23 100644
--- a/cres/307-111.yaml
+++ b/cres/307-111.yaml
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.4.1 - sectionID: Verify that files obtained from untrusted sources are stored outside + section: Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions. + sectionID: V12.4.1 ltype: Linked To - document: doctype: Standard
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-09 ltype: Linked To
diff --git a/cres/307-242.yaml b/cres/307-242.yaml
index c9f6754a3..4bd680191 100644
--- a/cres/307-242.yaml
+++ b/cres/307-242.yaml
@@ -1,13 +1,6 @@ doctype: CRE id: 307-242 links: -- document: - doctype: CRE - id: 068-102 - name: Architecture/design processes - tags: - - Architecture - ltype: Related - document: doctype: CRE id: 613-285
@@ -15,11 +8,15 @@ links: ltype: Related - document: doctype: CRE - id: 340-754 - name: Threat model every design change or sprint - tags: - - Define High-level architecture and perform security analysis on it + id: 888-770 + name: Threat intelligence - stay up to date with new threats and consider them ltype: Contains +- document: + doctype: CRE + id: 068-102 + name: Describe high-level system architecture and perform threat modeling on it + every critical change and regularly + ltype: Related - document: doctype: CRE id: 766-162
@@ -43,18 +40,6 @@ links: section: Application risk profile sectionID: D-TA-A ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-10 - name: NIST 800-53 v5 - section: RA-10 Threat Hunting - ltype: Linked To -- document: - doctype: Standard - name: ISO 27001 - section: Threat intelligence - sectionID: '5.7' - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-2
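Review bot: The `@@ -43,18 +40,6 @@` hunk of 307-242 drops the NIST 800-53 `RA-10 Threat Hunting` and ISO 27001 `'5.7'` (`Threat intelligence`) links while the preceding hunk adds a `Contains` edge to 888-770 (`Threat intelligence - stay up to date with new threats and consider them`); that reads as the two standard mappings moving down to the new child CRE, but 888-770's own file is not in this diff, so it is worth confirming they were re-added there rather than lost from the dataset. In the `@@ -15,11 +8,15 @@` hunk the re-added link to 068-102 no longer carries the `tags: - Architecture` entry the removed one had, and the `Contains` edge to 340-754 (`Threat model every design change or sprint`) disappears without a replacement — fine if that CRE is retired elsewhere in the commit, otherwise it becomes unreachable from this parent. A one-line rationale in the commit description ("threat-intel mappings moved to 888-770; 340-754 folded into 068-102") would let future curators verify this without re-deriving it.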
@@ -97,4 +82,28 @@ links:
 name: NIST 800-53 v5
 section: RA-9 Criticality Analysis
 ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-11
+ name: NIST 800-53 v5
+ section: PM-11 Mission and Business Process Definition
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-28
+ name: NIST 800-53 v5
+ section: PM-28 Risk Framing
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-8
+ name: NIST 800-53 v5
+ section: PM-8 Critical Infrastructure Plan
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-9
+ name: NIST 800-53 v5
+ section: PM-9 Risk Management Strategy
+ ltype: Linked To
 name: Security risk assessment
diff --git a/cres/307-507.yaml b/cres/307-507.yaml
index 4ce2954a0..94b2fac1f 100644
--- a/cres/307-507.yaml
+++ b/cres/307-507.yaml
@@ -15,11 +15,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.3.2 - sectionID: Verify that the application employs integrity protections, such as - code signing or subresource integrity. The application must not load or execute - code from untrusted sources, such as loading includes, modules, plugins, code, - or libraries from untrusted sources or the Internet. + section: Verify that the application employs integrity protections, such as code + signing or subresource integrity. The application must not load or execute code + from untrusted sources, such as loading includes, modules, plugins, code, or + libraries from untrusted sources or the Internet. + sectionID: V10.3.2 ltype: Linked To - document: doctype: Standard @@ -34,5 +34,12 @@ links: name: OWASP Cheat Sheets section: Docker Security Cheat Sheet ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Make software integrity verification information available to software + acquirers. + sectionID: PS.2.1 + ltype: Linked To name: Allow only trusted sources both build time and runtime; therefore perform integrity checks on all resources and code diff --git a/cres/314-131.yaml b/cres/314-131.yaml index 7b404a1c1..86ba99ee1 100644 --- a/cres/314-131.yaml +++ b/cres/314-131.yaml @@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.1.2 - sectionID: Verify that compiler flags are configured to enable all available buffer + section: Verify that compiler flags are configured to enable all available buffer overflow protections and warnings, including stack randomization, data execution prevention, and to break the build if an unsafe pointer, memory, format string, integer, or string operations are found. + sectionID: V14.1.2 ltype: Linked To - document: doctype: Standard 
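Review bot: The new NIST SSDF link in the second hunk of 307-507 maps PS.2.1 ("Make software integrity verification information available to software acquirers") onto a CRE whose name and existing ASVS V10.3.2 link are about the consuming side — checking signatures or subresource integrity on code and resources the application loads. PS.2.1 is the producer-side task of publishing hashes or signatures for a release, so the link reads as a direction mismatch rather than an equivalence, and a reader following it from the SSDF side will not find guidance on producing that information here. If the corpus has (or gains) a CRE covering signing and publishing release artefacts, PS.2.1 belongs there; otherwise consider noting in the commit why it is filed under the verification node.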
@@ -29,4 +29,19 @@ links: name: OWASP Cheat Sheets section: Docker Security Cheat Sheet ltype: Linked To -name: Set proper (C) compiler flags +- document: + doctype: Standard + name: NIST SSDF + section: Use compiler, interpreter, and build tools that offer features to improve + executable security. + sectionID: PW.6.1 + ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Determine which compiler, interpreter, and build tool features should + be used and how each should be configured, then implement and use the approved + configurations. + sectionID: PW.6.2 + ltype: Linked To +name: Use features in compile and build tools for executable security diff --git a/cres/314-701.yaml b/cres/314-701.yaml index 8b6dd343d..bd9d26656 100644 --- a/cres/314-701.yaml +++ b/cres/314-701.yaml @@ -10,12 +10,12 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.5.1 - sectionID: Verify that the web tier is configured to serve only files with specific + section: Verify that the web tier is configured to serve only files with specific file extensions to prevent unintentional information and source code leakage. For example, backup files (e.g. .bak), temporary working files (e.g. .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly used by editors should be blocked unless required. + sectionID: V12.5.1 ltype: Linked To - document: doctype: Standard 
@@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-08 ltype: Linked To diff --git a/cres/316-272.yaml b/cres/316-272.yaml index 0ca8cbb55..d64d5c2cc 100644 --- a/cres/316-272.yaml +++ b/cres/316-272.yaml @@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.5.3 - sectionID: Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin + section: Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the "null" origin. + sectionID: V14.5.3 ltype: Linked To - document: doctype: Standard @@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/07-Testing_Cross_Origin_Resource_Sharing.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/07-Testing_Cross_Origin_Resource_Sharing.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-07 ltype: Linked To diff --git a/cres/317-743.yaml b/cres/317-743.yaml index 84e466bcf..eaabf0fd8 100644 --- a/cres/317-743.yaml +++ b/cres/317-743.yaml 
@@ -6,17 +6,17 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.2.4 - sectionID: Verify that the application avoids the use of eval() or other dynamic + section: Verify that the application avoids the use of eval() or other dynamic code execution features. Where there is no alternative, any user input being included must be sanitized or sandboxed before being executed. + sectionID: V5.2.4 ltype: Linked To - document: doctype: Standard @@ -27,7 +27,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-02 ltype: Linked To diff --git a/cres/326-704.yaml b/cres/326-704.yaml new file mode 100644 index 000000000..d078556e4 --- /dev/null +++ b/cres/326-704.yaml 
@@ -0,0 +1,83 @@
+doctype: CRE
+id: 326-704
+links:
+- document:
+ doctype: CRE
+ id: 616-305
+ name: Development processes for security
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 155-155
+ name: Architecture
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 708-355
+ name: Secure implemented architecture
+ tags:
+ - Architecture
+ ltype: Related
+- document:
+ doctype: CRE
+ id: 068-102
+ name: Describe high-level system architecture and perform threat modeling on it
+ every critical change and regularly
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 072-713
+ name: Manage standard technologies and frameworks
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-8
+ name: NIST 800-53 v5
+ section: PL-8 SECURITY AND PRIVACY ARCHITECTURES
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owaspsamm.org/model/design/security-architecture/stream-a
+ name: SAMM
+ section: Architecture Design
+ sectionID: D-SA-A
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-17
+ name: NIST 800-53 v5
+ section: SA-17 Developer Security and Privacy Architecture and Design
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-20
+ name: NIST 800-53 v5
+ section: SA-20 Customized Development of Critical Components
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-27
+ name: NIST 800-53 v5
+ section: SC-27 Platform-independent Applications
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-29
+ name: NIST 800-53 v5
+ section: SC-29 Heterogeneity
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-23
+ name: NIST 800-53 v5
+ section: SA-23 Specialization
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: ISO 27001
+ section: Secure system architecture and engineering principles
+ sectionID: '8.27'
+ ltype: Linked To
+name: Architecture/design processes
+tags:
+- Architecture
diff --git a/cres/327-505.yaml b/cres/327-505.yaml
index 4e5d36570..f178af40e 100644
--- a/cres/327-505.yaml
+++ b/cres/327-505.yaml
@@ -15,9 +15,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
 name: ASVS
- section: V2.1.6
- sectionID: Verify that password change functionality requires the user's current
+ section: Verify that password change functionality requires the user's current
 and new password.
+ sectionID: V2.1.6
 ltype: Linked To
 - document:
 doctype: Standard
@@ -28,7 +28,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ATHN-07
 ltype: Linked To
diff --git a/cres/330-281.yaml b/cres/330-281.yaml
index a1d8cc39e..df4196043 100644
--- a/cres/330-281.yaml
+++ b/cres/330-281.yaml
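Review bot: In the new 326-704 file the NIST 800-53 section for PL-8 is written in all caps, `section: PL-8 SECURITY AND PRIVACY ARCHITECTURES`, while every other 800-53 entry in the same file uses title case (`SA-17 Developer Security and Privacy Architecture and Design`, `SC-27 Platform-independent Applications`, `SC-29 Heterogeneity`). Suggest `section: PL-8 Security and Privacy Architectures` so the names render consistently and any case-sensitive matching of `section` values across 800-53 links in the corpus does not treat this one as a different control. The casing looks like a copy-paste from a different rendering of the catalog rather than a deliberate choice, but confirm against the other PL-8 links in the repository before changing it.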
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.2.1 - sectionID: Verify the use of unique or special low-privilege operating system - accounts for all application components, services, and servers. + section: Verify the use of unique or special low-privilege operating system accounts + for all application components, services, and servers. + sectionID: V1.2.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/333-858.yaml b/cres/333-858.yaml index ed740be1e..d3e5c89da 100644 --- a/cres/333-858.yaml +++ b/cres/333-858.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.2.4 - sectionID: Verify impersonation resistance against phishing, such as the use of + section: Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates. + sectionID: V2.2.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/333-888.yaml b/cres/333-888.yaml index 76033895d..95ca9594a 100644 --- a/cres/333-888.yaml +++ b/cres/333-888.yaml @@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.1.3 - sectionID: Verify API URLs do not expose sensitive information, such as the API + section: Verify API URLs do not expose sensitive information, such as the API key, session tokens etc. + sectionID: V13.1.3 ltype: Linked To - document: doctype: Standard 
@@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-04 ltype: Linked To diff --git a/cres/336-512.yaml b/cres/336-512.yaml index d0e96aa7e..f2f748fc1 100644 --- a/cres/336-512.yaml +++ b/cres/336-512.yaml @@ -15,14 +15,14 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.3.3 - sectionID: Verify that the application has protection from subdomain takeovers - if the application relies upon DNS entries or DNS subdomains, such as expired - domain names, out of date DNS pointers or CNAMEs, expired projects at public - source code repos, or transient cloud APIs, serverless functions, or storage - buckets (*autogen-bucket-id*.cloud.example.com) or similar. Protections can - include ensuring that DNS names used by applications are regularly checked for - expiry or change. + section: Verify that the application has protection from subdomain takeovers if + the application relies upon DNS entries or DNS subdomains, such as expired domain + names, out of date DNS pointers or CNAMEs, expired projects at public source + code repos, or transient cloud APIs, serverless functions, or storage buckets + (*autogen-bucket-id*.cloud.example.com) or similar. Protections can include + ensuring that DNS names used by applications are regularly checked for expiry + or change. + sectionID: V10.3.3 ltype: Linked To - document: doctype: Standard 
@@ -33,7 +33,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-10 ltype: Linked To diff --git a/cres/338-370.yaml b/cres/338-370.yaml index 700a5c8c2..3d489bfdf 100644 --- a/cres/338-370.yaml +++ b/cres/338-370.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.10 - sectionID: Verify that there are no periodic credential rotation or password history + section: Verify that there are no periodic credential rotation or password history requirements. + sectionID: V2.1.10 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To diff --git a/cres/340-375.yaml b/cres/340-375.yaml index 11e5f8968..1b94c99e9 100644 --- a/cres/340-375.yaml +++ b/cres/340-375.yaml 
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.4.1 - sectionID: Verify that a secrets management solution such as a key vault is used + section: Verify that a secrets management solution such as a key vault is used to securely create, store, control access to and destroy secrets. + sectionID: V6.4.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/340-754.yaml b/cres/340-754.yaml index 33b349143..a61f1c54a 100644 --- a/cres/340-754.yaml +++ b/cres/340-754.yaml @@ -8,17 +8,16 @@ links: ltype: Contains - document: doctype: CRE - id: 068-102 name: Define High-level architecture and perform security analysis on it ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.1.2 - sectionID: Verify the use of threat modeling for every design change or sprint - planning to identify threats, plan for countermeasures, facilitate appropriate - risk responses, and guide security testing. + section: Verify the use of threat modeling for every design change or sprint planning + to identify threats, plan for countermeasures, facilitate appropriate risk responses, + and guide security testing. + sectionID: V1.1.2 ltype: Linked To - document: doctype: Standard @@ -45,6 +44,14 @@ links: name: OWASP Cheat Sheets section: Attack Surface Analysis Cheat Sheet ltype: Linked To -name: Threat model every design change or sprint +- document: + doctype: Standard + name: NIST SSDF + section: "Use forms of risk modeling \u2013 such as threat modeling, attack modeling,\ + \ or attack surface mapping \u2013 to help assess the security risk for the\ + \ software." + sectionID: PW.1.1 + ltype: Linked To +name: Threat model every critical design change and repeat regularly tags: - Define High-level architecture and perform security analysis on it 
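Review bot: The first hunk of 340-754 removes `id: 068-102` from a CRE link but keeps its `name: Define High-level architecture and perform security analysis on it` and `ltype: Related`, leaving a link entry with no target id that nothing can resolve. The same patch references 068-102 in 307-242 and 326-704 under its new name, "Describe high-level system architecture and perform threat modeling on it every critical change and regularly", so the stale name here is also out of step with the rest of the change. Either restore the id and update the name — `id: 068-102` followed by `name: Describe high-level system architecture and perform threat modeling on it every critical change and regularly` — or delete the whole `- document:` entry if the relation is no longer wanted; a schema or import-time check that rejects `doctype: CRE` links without an `id` would catch this class of slip before merge.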
diff --git a/cres/342-055.yaml b/cres/342-055.yaml index c646405ab..9bb4b59ef 100644 --- a/cres/342-055.yaml +++ b/cres/342-055.yaml @@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.4.3 - sectionID: Verify that cookie-based session tokens utilize the 'SameSite' attribute + section: Verify that cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks. + sectionID: V3.4.3 ltype: Linked To - document: doctype: Standard @@ -34,7 +34,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-02 ltype: Linked To diff --git a/cres/342-764.yaml b/cres/342-764.yaml index ab1d9780d..fa428558e 100644 --- a/cres/342-764.yaml +++ b/cres/342-764.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.7.5 - sectionID: Verify that the out of band verifier retains only a hashed version - of the authentication code. + section: Verify that the out of band verifier retains only a hashed version of + the authentication code. + sectionID: V2.7.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/344-611.yaml b/cres/344-611.yaml index 985b7ab30..2b004bab8 100644 --- a/cres/344-611.yaml +++ b/cres/344-611.yaml 
@@ -5,20 +5,27 @@ links: doctype: CRE id: 708-355 name: Secure implemented architecture + tags: + - Architecture ltype: Contains - document: doctype: CRE id: 155-155 name: Architecture ltype: Related +- document: + doctype: CRE + id: 417-342 + name: Provide reusable application security controls + ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.1.6 - sectionID: Verify implementation of centralized, simple (economy of design), vetted, + section: Verify implementation of centralized, simple (economy of design), vetted, secure, and reusable security controls to avoid duplicate, missing, ineffective, or insecure controls. + sectionID: V1.1.6 ltype: Linked To - document: doctype: Standard @@ -51,6 +58,15 @@ links: name: OWASP Cheat Sheets section: Attack Surface Analysis Cheat Sheet ltype: Linked To -name: Centralize security controls +- document: + doctype: Standard + name: NIST SSDF + section: Where appropriate, build in support for using standardized security features + and services (e.g., enabling software to integrate with existing log management, + identity management, access control, and vulnerability management systems) instead + of creating proprietary implementations of security features and services. + sectionID: PW.1.3 + ltype: Linked To +name: Use centralized reusable security controls tags: - Architecture diff --git a/cres/346-640.yaml b/cres/346-640.yaml index 35764639e..d8a13c230 100644 --- a/cres/346-640.yaml +++ b/cres/346-640.yaml 
@@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.6.2 - sectionID: Verify that lookup secrets have sufficient randomness (112 bits of - entropy), or if less than 112 bits of entropy, salted with a unique and random - 32-bit salt and hashed with an approved one-way hash. + section: Verify that lookup secrets have sufficient randomness (112 bits of entropy), + or if less than 112 bits of entropy, salted with a unique and random 32-bit + salt and hashed with an approved one-way hash. + sectionID: V2.6.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/347-352.yaml b/cres/347-352.yaml index 42671b6e7..ad29239ef 100644 --- a/cres/347-352.yaml +++ b/cres/347-352.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.1.5 - sectionID: Verify that authorized administrators can verify the integrity of all + section: Verify that authorized administrators can verify the integrity of all security-relevant configurations to detect tampering. + sectionID: V14.1.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/354-752.yaml b/cres/354-752.yaml index a417efbf5..9713c36c3 100644 --- a/cres/354-752.yaml +++ b/cres/354-752.yaml 
@@ -12,12 +12,12 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.2.2 - sectionID: Verify that the use of weak authenticators (such as SMS and email) - is limited to secondary verification and transaction approval and not as a replacement + section: Verify that the use of weak authenticators (such as SMS and email) is + limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper measures are in place to limit the risks of account compromise. + sectionID: V2.2.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/358-860.yaml b/cres/358-860.yaml index d1888a7bf..372fed0cc 100644 --- a/cres/358-860.yaml +++ b/cres/358-860.yaml @@ -10,10 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.5.7 - sectionID: Verify that if OTP or multi-factor authentication factors are lost, - that evidence of identity proofing is performed at the same level as during - enrollment. + section: Verify that if OTP or multi-factor authentication factors are lost, that + evidence of identity proofing is performed at the same level as during enrollment. + sectionID: V2.5.7 ltype: Linked To - document: doctype: Standard diff --git a/cres/366-835.yaml b/cres/366-835.yaml index aefb523a3..d72b9309a 100644 --- a/cres/366-835.yaml +++ b/cres/366-835.yaml 
@@ -6,16 +6,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.3 - sectionID: Verify that context-aware, preferably automated - or at worst, manual + section: Verify that context-aware, preferably automated - or at worst, manual - output escaping protects against reflected, stored, and DOM based XSS. + sectionID: V5.3.3 ltype: Linked To - document: doctype: Standard @@ -32,7 +32,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-01 ltype: Linked To diff --git a/cres/368-633.yaml b/cres/368-633.yaml index ca623c767..c989cf410 100644 --- a/cres/368-633.yaml +++ b/cres/368-633.yaml 
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.1.3 - sectionID: Verify that the principle of least privilege exists - users should - only be able to access functions, data files, URLs, controllers, services, and - other resources, for which they possess specific authorization. This implies - protection against spoofing and elevation of privilege. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) + section: Verify that the principle of least privilege exists - users should only + be able to access functions, data files, URLs, controllers, services, and other + resources, for which they possess specific authorization. This implies protection + against spoofing and elevation of privilege. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering)) + sectionID: V4.1.3 ltype: Linked To - document: doctype: Standard @@ -31,7 +31,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-IDNT-01 ltype: Linked To diff --git a/cres/377-680.yaml b/cres/377-680.yaml index 482eb4601..fcdbf5c4e 100644 --- a/cres/377-680.yaml +++ b/cres/377-680.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.1.5 - sectionID: Verify that requests containing unexpected or missing content types - are rejected with appropriate headers (HTTP response status 406 Unacceptable - or 415 Unsupported Media Type). + section: Verify that requests containing unexpected or missing content types are + rejected with appropriate headers (HTTP response status 406 Unacceptable or + 415 Unsupported Media Type). + sectionID: V13.1.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/380-540.yaml b/cres/380-540.yaml index cab8921c1..bd9e13d23 100644 --- a/cres/380-540.yaml +++ b/cres/380-540.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.11.3 - sectionID: Verify that all high-value business logic flows, including authentication, + section: Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions. + sectionID: V1.11.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/384-344.yaml b/cres/384-344.yaml index 638ac6348..f6fa9d9eb 100644 --- a/cres/384-344.yaml +++ b/cres/384-344.yaml 
@@ -8,28 +8,28 @@ links: ltype: Contains - document: doctype: CRE - id: 760-764 - name: Injection protection + id: 760-765 + name: XSS protection tags: - - XSS protection + - Injection protection ltype: Related - document: doctype: CRE - id: 760-765 - name: XSS protection + id: 760-764 + name: Injection protection tags: - - Injection protection + - XSS protection ltype: Related - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.12.2 - sectionID: Verify that user-uploaded files - if required to be displayed or downloaded + section: Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable Content Security Policy (CSP) to reduce the risk from XSS vectors or other attacks from the uploaded file. + sectionID: V1.12.2 ltype: Linked To - document: doctype: Standard @@ -41,5 +41,5 @@ links: name: Store and serve user-uploaded files such that they cannot execute/damage server or client tags: -- Injection protection - XSS protection +- Injection protection diff --git a/cres/387-848.yaml b/cres/387-848.yaml index 1cd40d0fb..9b3fc5161 100644 --- a/cres/387-848.yaml +++ b/cres/387-848.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.5.4 - sectionID: Verify that when parsing JSON in browsers or JavaScript-based backends, + section: Verify that when parsing JSON in browsers or JavaScript-based backends, JSON.parse is used to parse the JSON document. Do not use eval() to parse JSON. + sectionID: V5.5.4 ltype: Linked To - document: doctype: Standard 
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/02-Testing_for_JavaScript_Execution.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-02 ltype: Linked To diff --git a/cres/402-133.yaml b/cres/402-133.yaml index 9296f1024..431e7bf41 100644 --- a/cres/402-133.yaml +++ b/cres/402-133.yaml @@ -10,8 +10,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.1.1 - sectionID: Verify the application never reveals session tokens in URL parameters. + section: Verify the application never reveals session tokens in URL parameters. + sectionID: V3.1.1 ltype: Linked To - document: doctype: Standard @@ -22,7 +22,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-04 ltype: Linked To diff --git a/cres/404-126.yaml b/cres/404-126.yaml index 1742c97c3..f4e1a6118 100644 --- a/cres/404-126.yaml +++ b/cres/404-126.yaml 
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.8.4 - sectionID: Verify that time-based OTP can be used only once within the validity + section: Verify that time-based OTP can be used only once within the validity period. + sectionID: V2.8.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/405-411.yaml b/cres/405-411.yaml index 9c46a9cb0..9c9c4b6e0 100644 --- a/cres/405-411.yaml +++ b/cres/405-411.yaml @@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.5.2 - sectionID: Verify that the supplied Origin header is not used for authentication + section: Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker. + sectionID: V14.5.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/411-684.yaml b/cres/411-684.yaml new file mode 100644 index 000000000..6fd185213 --- /dev/null +++ b/cres/411-684.yaml 
@@ -0,0 +1,26 @@ +doctype: CRE +id: 411-684 +links: +- document: + doctype: CRE + id: 433-442 + name: Verification + ltype: Contains +- document: + doctype: Standard + name: NIST SSDF + section: "Perform the code review and/or code analysis based on the organization\u2019\ + s secure coding standards, and record and triage all discovered issues and recommended\ + \ remediations in the development team\u2019s workflow or issue tracking system." + sectionID: PW.7.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Determine whether code review (a person looks directly at the code to + find issues) and/or code analysis (tools are used to find issues in code, either + in a fully automated way or in conjunction with a person) should be used, as + defined by the organization. + sectionID: PW.7.1 + ltype: Linked To +name: Manual code review diff --git a/cres/417-342.yaml b/cres/417-342.yaml new file mode 100644 index 000000000..d509eb60f --- /dev/null +++ b/cres/417-342.yaml @@ -0,0 +1,24 @@ +doctype: CRE +id: 417-342 +links: +- document: + doctype: CRE + id: 261-010 + name: Program management for secure software development + ltype: Contains +- document: + doctype: CRE + id: 344-611 + name: Use centralized reusable security controls + tags: + - Architecture + ltype: Related +- document: + doctype: Standard + name: NIST SSDF + section: Create and maintain well-secured software components in-house following + SDLC processes to meet common internal software development needs that cannot + be better met by third-party software components. + sectionID: PW.4.2 + ltype: Linked To +name: Provide reusable application security controls diff --git a/cres/418-525.yaml b/cres/418-525.yaml index 29a754025..c8ebc7421 100644 --- a/cres/418-525.yaml +++ b/cres/418-525.yaml 
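Review bot: The PW.7.2 `section` in the new 411-684 file is a double-quoted scalar with `\u2019` escapes and backslash line continuations, while the PW.7.1 entry just below it and the whole 417-342 file use plain scalars, which makes the quoted standard text hard to read and diff in source. If these files come out of a YAML dumper, emitting with Unicode allowed would let the apostrophe appear literally in a plain scalar like `section: Perform the code review and/or code analysis based on the organization’s secure coding standards, ...`; the same escaped form appears in the RV.1.2 entry of 433-442. Unlike the NIST 800-53 entries in this commit, none of the NIST SSDF entries carry a `hyperlink`, so if the loader accepts one, a link to the practice would make the mapping navigable.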
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.2.4 - sectionID: Verify that the application source code and third party libraries do + section: Verify that the application source code and third party libraries do not contain time bombs by searching for date and time related functions. + sectionID: V10.2.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/418-853.yaml b/cres/418-853.yaml index 382b20321..ab652fd6a 100644 --- a/cres/418-853.yaml +++ b/cres/418-853.yaml @@ -20,10 +20,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md name: ASVS - section: V11.1.7 - sectionID: Verify that the application monitors for unusual events or activity - from a business logic perspective. For example, attempts to perform actions - out of order or actions which a normal user would never attempt. + section: Verify that the application monitors for unusual events or activity from + a business logic perspective. For example, attempts to perform actions out of + order or actions which a normal user would never attempt. + sectionID: V11.1.7 ltype: Linked To - document: doctype: Standard diff --git a/cres/421-513.yaml b/cres/421-513.yaml index e00d59fcf..cd76d97a1 100644 --- a/cres/421-513.yaml +++ b/cres/421-513.yaml 
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.3.4 - sectionID: Verify that the application protects against Reflective File Download + section: Verify that the application protects against Reflective File Download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter, the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename. + sectionID: V12.3.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/422-005.yaml b/cres/422-005.yaml index 1678b5e73..c24e17667 100644 --- a/cres/422-005.yaml +++ b/cres/422-005.yaml @@ -6,16 +6,16 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.2.5 - sectionID: Verify that the application protects against template injection attacks + section: Verify that the application protects against template injection attacks by ensuring that any user input being included is sanitized or sandboxed. + sectionID: V5.2.5 ltype: Linked To - document: doctype: Standard @@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-18 ltype: Linked To 
diff --git a/cres/426-842.yaml b/cres/426-842.yaml index 306132dc6..f3316c9ad 100644 --- a/cres/426-842.yaml +++ b/cres/426-842.yaml @@ -17,13 +17,13 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.2.6 - sectionID: Verify that the message headers and payload are trustworthy and not - modified in transit. Requiring strong encryption for transport (TLS only) may - be sufficient in many cases as it provides both confidentiality and integrity - protection. Per-message digital signatures can provide additional assurance - on top of the transport protections for high-security applications but bring - with them additional complexity and risks to weigh against the benefits. + section: Verify that the message headers and payload are trustworthy and not modified + in transit. Requiring strong encryption for transport (TLS only) may be sufficient + in many cases as it provides both confidentiality and integrity protection. + Per-message digital signatures can provide additional assurance on top of the + transport protections for high-security applications but bring with them additional + complexity and risks to weigh against the benefits. + sectionID: V13.2.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/428-544.yaml b/cres/428-544.yaml index 3c56559a1..a251a75a6 100644 --- a/cres/428-544.yaml +++ b/cres/428-544.yaml @@ -4,7 +4,7 @@ links: - document: doctype: CRE id: 244-750 - name: Technical training + name: Technical application security training ltype: Related - document: doctype: CRE diff --git a/cres/430-636.yaml b/cres/430-636.yaml index f7779f275..22b04f9a9 100644 --- a/cres/430-636.yaml +++ b/cres/430-636.yaml 
@@ -17,11 +17,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.2.1 - sectionID: Verify that connections to and from the server use trusted TLS certificates. + section: Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected. + sectionID: V9.2.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/433-122.yaml b/cres/433-122.yaml index ea2e3a526..9e9143cb6 100644 --- a/cres/433-122.yaml +++ b/cres/433-122.yaml @@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.2.6 - sectionID: Verify that nonces, initialization vectors, and other single use numbers + section: Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used. + sectionID: V6.2.6 ltype: Linked To - document: doctype: Standard @@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/433-442.yaml b/cres/433-442.yaml index 99b2a049d..6ec31cb6c 100644 --- a/cres/433-442.yaml +++ b/cres/433-442.yaml 
@@ -6,6 +6,16 @@ links: id: 616-305 name: Development processes for security ltype: Contains +- document: + doctype: CRE + id: 004-517 + name: Security requirements + ltype: Related +- document: + doctype: CRE + id: 464-513 + name: Assurance processes + ltype: Related - document: doctype: CRE id: 732-148 @@ -18,14 +28,24 @@ links: ltype: Related - document: doctype: CRE - id: 611-158 - name: Use SAST for malicious content + id: 832-555 + name: Automated static security analysis of code and configuration ltype: Contains - document: doctype: CRE - id: 464-513 - name: Assurance processes - ltype: Related + id: 626-250 + name: Design review + ltype: Contains +- document: + doctype: CRE + id: 207-435 + name: Dynamic security testing + ltype: Contains +- document: + doctype: CRE + id: 411-684 + name: Manual code review + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-11 @@ -51,6 +71,13 @@ links: section: Scalable Baseline sectionID: V-ST-A ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Define criteria for software security checks and track throughout the + SDLC. + sectionID: PO.4.1 + ltype: Linked To - document: doctype: Standard name: Cloud Controls Matrix 
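Review bot: The 611-158 `Use SAST for malicious content` child is removed from 433-442 in the `@@ -18,14 +28,24 @@` hunk with no new parent visible in this commit, and the same pattern recurs in 433-442's next hunk (NIST 800-53 SI-6 and SI-7 and SAMM V-AA-A/V-AA-B mappings dropped), in 464-513 (SAMM G-SM-B dropped) and in 503-455 (child 764-508 replaced by 764-507). If those nodes and standard sections were re-homed elsewhere, it would help to say where; if not, the standard-to-CRE coverage for them is lost and the detached CRE nodes may no longer be reachable from the tree. The move of 464-513 itself looks consistent, since it reappears as `ltype: Related` in the first hunk of this file.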
@@ -72,29 +99,17 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-6 - name: NIST 800-53 v5 - section: SI-6 Security and Privacy Function Verification + name: NIST SSDF + section: Implement processes, mechanisms, etc. to gather and safeguard the necessary + information in support of the criteria. + sectionID: PO.4.2 ltype: Linked To - document: doctype: Standard - hyperlink: https://owaspsamm.org/model/verification/architecture-assessment/stream-a - name: SAMM - section: Achitecture validation - sectionID: V-AA-A - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-7 - name: NIST 800-53 v5 - section: SI-7 Software, Firmware, and Information Integrity - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://owaspsamm.org/model/verification/architecture-assessment/stream-b - name: SAMM - section: Achitecture mitigation - sectionID: V-AA-B + name: NIST SSDF + section: "Review, analyze, and/or test the software\u2019s code to identify or\ + \ confirm the presence of previously undetected vulnerabilities." + sectionID: RV.1.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/440-361.yaml b/cres/440-361.yaml index 273418054..3a723f173 100644 --- a/cres/440-361.yaml +++ b/cres/440-361.yaml 
@@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.8.6 - sectionID: Verify physical single-factor OTP generator can be revoked in case - of theft or other loss. Ensure that revocation is immediately effective across + section: Verify physical single-factor OTP generator can be revoked in case of + theft or other loss. Ensure that revocation is immediately effective across logged in sessions, regardless of location. + sectionID: V2.8.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/441-132.yaml b/cres/441-132.yaml index 105dcfa50..cda3dd8aa 100644 --- a/cres/441-132.yaml +++ b/cres/441-132.yaml @@ -12,11 +12,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.2.5 - sectionID: Verify that known insecure block modes (i.e. ECB, etc.), padding modes + section: Verify that known insecure block modes (i.e. ECB, etc.), padding modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES, Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not used unless required for backwards compatibility. + sectionID: V6.2.5 ltype: Linked To - document: doctype: Standard @@ -27,7 +27,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/443-447.yaml b/cres/443-447.yaml index d00f81e3d..4d8909041 100644 --- a/cres/443-447.yaml +++ b/cres/443-447.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.2.2 - sectionID: Verify that all access control decisions can be logged and all failed + section: Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations. + sectionID: V7.2.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/455-358.yaml b/cres/455-358.yaml index 9ad07dd2b..37dfaba0f 100644 --- a/cres/455-358.yaml +++ b/cres/455-358.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.2.3 - sectionID: Verify the application only stores session tokens in the browser using + section: Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage. + sectionID: V3.2.3 ltype: Linked To - document: doctype: Standard @@ -24,8 +24,8 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html; - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html; + https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-02; WSTG-CLNT-12 ltype: Linked To 
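Review bot: The `hyperlink` value in the 455-358 hunk still packs two URLs into one plain scalar separated by `; ` (the continuation line folds into it), and `section: WSTG-SESS-02; WSTG-CLNT-12` does the same, so any consumer that treats `hyperlink` as a single URL ends up with a broken link. Split this into two `document` entries, one for WSTG-SESS-02 with the cookie-attributes URL and one for WSTG-CLNT-12 with the browser-storage URL, each with its own `section`. The problem is pre-existing, but the hunk already rewrites both URL lines, so this is the natural place to fix it.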
diff --git a/cres/456-535.yaml b/cres/456-535.yaml index 1c6027dd6..6f0c6849f 100644 --- a/cres/456-535.yaml +++ b/cres/456-535.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md name: ASVS - section: V11.1.2 - sectionID: Verify that the application will only process business logic flows - with all steps being processed in realistic human time, i.e. transactions are - not submitted too quickly. + section: Verify that the application will only process business logic flows with + all steps being processed in realistic human time, i.e. transactions are not + submitted too quickly. + sectionID: V11.1.2 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-$$ ltype: Linked To diff --git a/cres/456-636.yaml b/cres/456-636.yaml index c75603eb8..be1a32a11 100644 --- a/cres/456-636.yaml +++ b/cres/456-636.yaml @@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.3.2 - sectionID: Verify that the message payload is signed using WS-Security to ensure + section: Verify that the message payload is signed using WS-Security to ensure reliable transport between client and service. + sectionID: V13.3.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/457-165.yaml b/cres/457-165.yaml index 330d30e9b..9d8fa68b5 100644 --- a/cres/457-165.yaml +++ b/cres/457-165.yaml 
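Review bot: `section: WSTG-BUSL-$$` on the context line of the 456-535 hunk looks like an unfilled placeholder, and the updated `hyperlink` points at the Business Logic Testing chapter `README.html` rather than at a specific test. Either pick the concrete WSTG-BUSL test this CRE maps to and link its page, or, if the whole chapter is intended, drop the suffix (`section: WSTG-BUSL`) so downstream tooling does not carry a bogus identifier.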
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.3.1 - sectionID: Verify that logout and expiration invalidate the session token, such + section: Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. + sectionID: V3.3.1 ltype: Linked To - document: doctype: Standard @@ -36,7 +36,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-06 ltype: Linked To diff --git a/cres/461-680.yaml b/cres/461-680.yaml new file mode 100644 index 000000000..a1d472fa8 --- /dev/null +++ b/cres/461-680.yaml @@ -0,0 +1,17 @@ +doctype: CRE +id: 461-680 +links: +- document: + doctype: CRE + id: 473-177 + name: Deploy/build + ltype: Contains +- document: + doctype: Standard + name: NIST SSDF + section: Securely archive the necessary files and supporting data (e.g., integrity + verification information, provenance data) to be retained for each software + release. + sectionID: PS.3.1 + ltype: Linked To +name: Securely archive builds and build information diff --git a/cres/462-245.yaml b/cres/462-245.yaml index 6b23b7f3b..7bf513084 100644 --- a/cres/462-245.yaml +++ b/cres/462-245.yaml 
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.2.2 - sectionID: Verify that all unneeded features, documentation, sample applications + section: Verify that all unneeded features, documentation, sample applications and configurations are removed. + sectionID: V14.2.2 ltype: Linked To - document: doctype: Standard @@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-04 ltype: Linked To diff --git a/cres/463-577.yaml b/cres/463-577.yaml index 0f62d6538..8bd3d61c9 100644 --- a/cres/463-577.yaml +++ b/cres/463-577.yaml @@ -1,6 +1,11 @@ doctype: CRE id: 463-577 links: +- document: + doctype: CRE + id: 732-148 + name: Vulnerability management + ltype: Related - document: doctype: CRE id: 887-750 @@ -37,6 +42,14 @@ links: section: Incident Response sectionID: O-IM-B ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Have a policy that addresses vulnerability disclosure and remediation, + and implement the roles, responsibilities, and processes needed to support that + policy. + sectionID: RV.1.3 + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IR-2 diff --git a/cres/463-820.yaml b/cres/463-820.yaml index 4c09dd560..b99894665 100644 --- a/cres/463-820.yaml +++ b/cres/463-820.yaml 
@@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.1.3 - sectionID: Verify that a file size quota and maximum number of files per user - is enforced to ensure that a single user cannot fill up the storage with too - many files, or excessively large files. + section: Verify that a file size quota and maximum number of files per user is + enforced to ensure that a single user cannot fill up the storage with too many + files, or excessively large files. + sectionID: V12.1.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/464-084.yaml b/cres/464-084.yaml index b7001e927..82646fc6b 100644 --- a/cres/464-084.yaml +++ b/cres/464-084.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.2.3 - sectionID: 'Verify that RESTful web services that utilize cookies are protected + section: 'Verify that RESTful web services that utilize cookies are protected from Cross-Site Request Forgery via the use of at least one or more of the following: double submit cookie pattern, CSRF nonces, or Origin request header checks.' + sectionID: V13.2.3 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-05 ltype: Linked To diff --git a/cres/464-513.yaml b/cres/464-513.yaml index 1a901a8d6..a04b72272 100644 --- a/cres/464-513.yaml +++ b/cres/464-513.yaml 
@@ -1,11 +1,6 @@ doctype: CRE id: 464-513 links: -- document: - doctype: CRE - id: 567-755 - name: Governance processes for security - ltype: Contains - document: doctype: CRE id: 433-442 @@ -17,12 +12,15 @@ links: name: Audit & accountability ltype: Contains - document: - doctype: Standard - hyperlink: https://owaspsamm.org/model/governance/strategy-and-metrics/stream-b/ - name: SAMM - section: Measure and Improve - sectionID: G-SM-B - ltype: Linked To + doctype: CRE + id: 745-356 + name: Development process audit trail + ltype: Related +- document: + doctype: CRE + id: 567-755 + name: Governance processes for security + ltype: Contains - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-1 @@ -65,10 +63,35 @@ links: name: NIST 800-53 v5 section: SI-20 Tainting ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Configure tools to generate artifacts of their support of secure software + development practices as defined by the organization. + sectionID: PO.3.3 + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-5 name: NIST 800-53 v5 section: SI-5 Security Alerts, Advisories, and Directives ltype: Linked To +- document: + doctype: Standard + name: Cloud Controls Matrix + section: Application Security Metrics + sectionID: AIS-03 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-6 + name: NIST 800-53 v5 + section: PM-6 Measures of Performance + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-31 + name: NIST 800-53 v5 + section: PM-31 Continuous Monitoring Strategy + ltype: Linked To name: Assurance processes 
diff --git a/cres/467-784.yaml b/cres/467-784.yaml index 627144791..869e234a7 100644 --- a/cres/467-784.yaml +++ b/cres/467-784.yaml @@ -38,6 +38,12 @@ links: id: 278-646 name: Secure communication ltype: Related +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-22 + name: NIST 800-53 v5 + section: SC-22 Architecture and Provisioning for Name/address Resolution Service + ltype: Linked To - document: doctype: Standard name: ISO 27001 diff --git a/cres/473-177.yaml b/cres/473-177.yaml index ae12d6f02..08ff4f02c 100644 --- a/cres/473-177.yaml +++ b/cres/473-177.yaml @@ -44,6 +44,11 @@ links: id: 028-254 name: Secure auto-updates over full stack ltype: Contains +- document: + doctype: CRE + id: 461-680 + name: Securely archive builds and build information + ltype: Contains - document: doctype: CRE id: 253-452 @@ -52,13 +57,20 @@ links: - document: doctype: CRE id: 314-131 - name: Set proper (C) compiler flags + name: Use features in compile and build tools for executable security ltype: Contains - document: doctype: CRE id: 862-452 name: Operating processes for security ltype: Related +- document: + doctype: CRE + id: 233-748 + name: Configuration hardening + tags: + - Configuration + ltype: Related - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-34 diff --git a/cres/473-758.yaml b/cres/473-758.yaml index 64d328426..a8ae9fc4f 100644 --- a/cres/473-758.yaml +++ b/cres/473-758.yaml 
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.2.1 - sectionID: Verify the application sets sufficient anti-caching headers so that - sensitive data is not cached in modern browsers. + section: Verify the application sets sufficient anti-caching headers so that sensitive + data is not cached in modern browsers. + sectionID: V8.2.1 ltype: Linked To - document: doctype: Standard @@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-06 ltype: Linked To diff --git a/cres/480-071.yaml b/cres/480-071.yaml index 5fc5a35b8..b3d463692 100644 --- a/cres/480-071.yaml +++ b/cres/480-071.yaml @@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.4.7 - sectionID: 'Verify that the content of a web application cannot be embedded in - a third-party site by default and that embedding of the exact resources is only + section: 'Verify that the content of a web application cannot be embedded in a + third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers.' + sectionID: V14.4.7 ltype: Linked To - document: doctype: Standard 
@@ -25,7 +25,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-09 ltype: Linked To diff --git a/cres/482-771.yaml b/cres/482-771.yaml index 328bfb0c6..eb176b546 100644 --- a/cres/482-771.yaml +++ b/cres/482-771.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.4.3 - sectionID: Verify that sign, range, and input validation techniques are used to + section: Verify that sign, range, and input validation techniques are used to prevent integer overflows. + sectionID: V5.4.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/482-866.yaml b/cres/482-866.yaml index 18802d13a..5657fb466 100644 --- a/cres/482-866.yaml +++ b/cres/482-866.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.1.1 - sectionID: Verify that regulated private data is stored encrypted while at rest, + section: Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR. + sectionID: V6.1.1 ltype: Linked To - document: doctype: Standard 
@@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/483-715.yaml b/cres/483-715.yaml index c90b96bf2..4dab24e88 100644 --- a/cres/483-715.yaml +++ b/cres/483-715.yaml @@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.5.1 - sectionID: Verify that the application server only accepts the HTTP methods in - use by the application/API, including pre-flight OPTIONS, and logs/alerts on - any requests that are not valid for the application context. + section: Verify that the application server only accepts the HTTP methods in use + by the application/API, including pre-flight OPTIONS, and logs/alerts on any + requests that are not valid for the application context. + sectionID: V14.5.1 ltype: Linked To - document: doctype: Standard @@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-06 ltype: Linked To diff --git a/cres/483-883.yaml b/cres/483-883.yaml index 1781011c5..fe2ed258c 100644 --- a/cres/483-883.yaml +++ b/cres/483-883.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.5.3 - sectionID: Verify that stateless session tokens use digital signatures, encryption, + section: Verify that stateless session tokens use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks. + sectionID: V3.5.3 ltype: Linked To - document: doctype: Standard @@ -24,7 +24,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/487-305.yaml b/cres/487-305.yaml index c9990d7f4..acd38b1ed 100644 --- a/cres/487-305.yaml +++ b/cres/487-305.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.12 - sectionID: Verify that the user can choose to either temporarily view the entire + section: Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as built-in functionality. + sectionID: V2.1.12 ltype: Linked To - document: doctype: Standard 
@@ -24,7 +24,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ATHN-07
 ltype: Linked To
diff --git a/cres/503-455.yaml b/cres/503-455.yaml
index d5b66c69a..280bdf387 100644
--- a/cres/503-455.yaml
+++ b/cres/503-455.yaml
@@ -21,8 +21,8 @@ links:
 id: 010-308
 name: Input validation
 tags:
- - Injection protection
 - XSS protection
+ - Injection protection
 ltype: Contains
 - document:
 doctype: CRE
@@ -36,8 +36,8 @@ links:
 id: 161-451
 name: Output encoding and injection prevention
 tags:
- - Injection protection
 - XSS protection
+ - Injection protection
 ltype: Contains
 - document:
 doctype: CRE
@@ -51,8 +51,8 @@ links:
 id: 764-765
 name: Sanitization and sandboxing
 tags:
- - Injection protection
 - XSS protection
+ - Injection protection
 ltype: Contains
 - document:
 doctype: CRE
@@ -63,8 +63,11 @@ links:
 ltype: Contains
 - document:
 doctype: CRE
- id: 764-508
- name: XML Parser hardening
+ id: 764-507
+ name: Restrict XML parsing (against XXE)
+ tags:
+ - Injection protection
+ - Configuration
 ltype: Contains
 - document:
 doctype: CRE
diff --git a/cres/504-340.yaml b/cres/504-340.yaml
index 1ed4a7889..e1579dcea 100644
--- a/cres/504-340.yaml
+++ b/cres/504-340.yaml
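Review bot: The `@@ -63,8 +63,11 @@` hunk of 503-455 re-points the child link from `764-508` to `764-507` with a new name, but nothing in this chunk shows `cres/764-507.yaml` being created or `cres/764-508.yaml` being removed, so please confirm the target id exists and that no other file still links to `764-508`, since a stale id here becomes a dangling edge in the CRE graph. The added `tags` list orders `Injection protection` before `Configuration`, while the other tag edits in this file move `XSS protection` ahead of `Injection protection`; if tag order is meaningful to the importer, the order should match whatever the reverse link in the 764-507 file declares.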
@@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.7 - sectionID: Verify that sensitive or private information that is required to be - encrypted, is encrypted using approved algorithms that provide both confidentiality - and integrity. + section: Verify that sensitive or private information that is required to be encrypted, + is encrypted using approved algorithms that provide both confidentiality and + integrity. + sectionID: V8.3.7 ltype: Linked To - document: doctype: Standard diff --git a/cres/508-702.yaml b/cres/508-702.yaml index dd338d5ec..4aacc0e66 100644 --- a/cres/508-702.yaml +++ b/cres/508-702.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.6.2 - sectionID: Verify that consumers of cryptographic services protect key material + section: Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives. + sectionID: V1.6.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/510-324.yaml b/cres/510-324.yaml index e61ed7c59..2ed4c626f 100644 --- a/cres/510-324.yaml +++ b/cres/510-324.yaml @@ -11,6 +11,12 @@ links: id: 217-168 name: Audit & accountability ltype: Contains +- document: + doctype: Standard + name: ISO 27001 + section: Independent review of information security + sectionID: '5.35' + ltype: Linked To - document: doctype: Standard name: ISO 27001 @@ -24,12 +30,6 @@ links: section: Compliance Management sectionID: G-PC-B ltype: Linked To -- document: - doctype: Standard - name: ISO 27001 - section: Independent review of information security - sectionID: '5.35' - ltype: Linked To - document: doctype: Standard name: ISO 27001 diff --git a/cres/513-845.yaml b/cres/513-845.yaml index c4eecaa28..af16f5de0 100644 --- a/cres/513-845.yaml +++ b/cres/513-845.yaml 
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.6.3 - sectionID: Verify that lookup secrets are resistant to offline attacks, such as + section: Verify that lookup secrets are resistant to offline attacks, such as predictable values. + sectionID: V2.6.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/515-021.yaml b/cres/515-021.yaml index db0eb3696..757fa3c45 100644 --- a/cres/515-021.yaml +++ b/cres/515-021.yaml @@ -20,11 +20,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.14.5 - sectionID: Verify that application deployments adequately sandbox, containerize + section: Verify that application deployments adequately sandbox, containerize and/or isolate at the network level to delay and deter attackers from attacking other applications, especially when they are performing sensitive or dangerous actions such as deserialization. + sectionID: V1.14.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/524-446.yaml b/cres/524-446.yaml index 6a3a07af3..7ead8b50e 100644 --- a/cres/524-446.yaml +++ b/cres/524-446.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.2.6 - sectionID: Verify replay resistance through the mandated use of One-time Passwords + section: Verify replay resistance through the mandated use of One-time Passwords (OTP) devices, cryptographic authenticators, or lookup codes. + sectionID: V2.2.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/524-603.yaml b/cres/524-603.yaml index 8efb6c4f9..d133f114c 100644 --- a/cres/524-603.yaml +++ b/cres/524-603.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.1.2 - sectionID: Verify that all user and data attributes and policy information used + section: Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. + sectionID: V4.1.2 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHZ-02 ltype: Linked To diff --git a/cres/525-361.yaml b/cres/525-361.yaml index 9c4843e43..5bdf71359 100644 --- a/cres/525-361.yaml +++ b/cres/525-361.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.2.7 - sectionID: Verify intent to authenticate by requiring the entry of an OTP token + section: Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key. + sectionID: V2.2.7 ltype: Linked To - document: doctype: Standard diff --git a/cres/527-034.yaml b/cres/527-034.yaml index c0508b8e0..8974e30f7 100644 --- a/cres/527-034.yaml +++ b/cres/527-034.yaml 
@@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.9.1 - sectionID: Verify the application encrypts communications between components, - particularly when these components are in different containers, systems, sites, - or cloud providers. + section: Verify the application encrypts communications between components, particularly + when these components are in different containers, systems, sites, or cloud + providers. + sectionID: V1.9.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/530-671.yaml b/cres/530-671.yaml index 51afbcd91..749ce3d9f 100644 --- a/cres/530-671.yaml +++ b/cres/530-671.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.9.2 - sectionID: Verify that application components verify the authenticity of each - side in a communication link to prevent person-in-the-middle attacks. For example, + section: Verify that application components verify the authenticity of each side + in a communication link to prevent person-in-the-middle attacks. For example, application components should validate TLS certificates and chains. + sectionID: V1.9.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/531-558.yaml b/cres/531-558.yaml index 718a0b956..cc092a2c2 100644 --- a/cres/531-558.yaml +++ b/cres/531-558.yaml 
@@ -6,16 +6,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.7 - sectionID: Verify that the application protects against LDAP injection vulnerabilities, + section: Verify that the application protects against LDAP injection vulnerabilities, or that specific security controls to prevent LDAP injection have been implemented. + sectionID: V5.3.7 ltype: Linked To - document: doctype: Standard @@ -32,7 +32,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/06-Testing_for_LDAP_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-06 ltype: Linked To diff --git a/cres/532-878.yaml b/cres/532-878.yaml index 359baf063..c901be109 100644 --- a/cres/532-878.yaml +++ b/cres/532-878.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.2.1 - sectionID: Verify that enabled RESTful HTTP methods are a valid choice for the - user or action, such as preventing normal users using DELETE or PUT on protected + section: Verify that enabled RESTful HTTP methods are a valid choice for the user + or action, such as preventing normal users using DELETE or PUT on protected API or resources. + sectionID: V13.2.1 ltype: Linked To - document: doctype: Standard 
@@ -24,7 +24,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-03 ltype: Linked To diff --git a/cres/533-516.yaml b/cres/533-516.yaml index 8f237d969..a707dad98 100644 --- a/cres/533-516.yaml +++ b/cres/533-516.yaml @@ -6,16 +6,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.2 - sectionID: Verify that output encoding preserves the user's chosen character set + section: Verify that output encoding preserves the user's chosen character set and locale, such that any Unicode character point is valid and safely handled. + sectionID: V5.3.2 ltype: Linked To - document: doctype: Standard @@ -32,7 +32,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/6-Appendix/D-Encoded_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/D-Encoded_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-APPE-D ltype: Linked To diff --git a/cres/534-605.yaml b/cres/534-605.yaml index b847edde2..f90ea1625 100644 --- a/cres/534-605.yaml +++ b/cres/534-605.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md name: ASVS - section: V11.1.1 - sectionID: Verify that the application will only process business logic flows - for the same user in sequential step order and without skipping steps. + section: Verify that the application will only process business logic flows for + the same user in sequential step order and without skipping steps. + sectionID: V11.1.1 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-$$ ltype: Linked To diff --git a/cres/537-367.yaml b/cres/537-367.yaml index 88f551899..664244f2c 100644 --- a/cres/537-367.yaml +++ b/cres/537-367.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.2.4 - sectionID: Verify that proper certification revocation, such as Online Certificate + section: Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured. + sectionID: V9.2.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/538-446.yaml b/cres/538-446.yaml index cdf6fed40..bc2963f81 100644 --- a/cres/538-446.yaml +++ b/cres/538-446.yaml 
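Review bot: The `section: WSTG-BUSL-$$` value beside the updated hyperlink in the `@@ -23,7 +23,7 @@` hunk of 534-605 looks like an unfilled placeholder rather than a WSTG test id. The link itself resolves to the Business Logic Testing category README, and 538-446 in this same change records an equivalent category-level link as `section: WSTG-INPV-00`; suggest `section: WSTG-BUSL-00` for consistency, unless `$$` is a deliberate "whole category" marker used elsewhere in the corpus, which I cannot tell from this chunk.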
@@ -6,16 +6,16 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.2.2 - sectionID: Verify that unstructured data is sanitized to enforce safety measures + section: Verify that unstructured data is sanitized to enforce safety measures such as allowed characters and length. + sectionID: V5.2.2 ltype: Linked To - document: doctype: Standard @@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-00 ltype: Linked To diff --git a/cres/540-566.yaml b/cres/540-566.yaml index 3674c0488..522143822 100644 --- a/cres/540-566.yaml +++ b/cres/540-566.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.2.2 - sectionID: Verify that the application does not ask for unnecessary or excessive + section: Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location. + sectionID: V10.2.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/542-445.yaml b/cres/542-445.yaml index 7ce097c0a..9ae45b283 100644 --- a/cres/542-445.yaml +++ b/cres/542-445.yaml 
@@ -6,16 +6,16 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.2.1 - sectionID: Verify that all untrusted HTML input from WYSIWYG editors or similar + section: Verify that all untrusted HTML input from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer library or framework feature. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) + sectionID: V5.2.1 ltype: Linked To - document: doctype: Standard @@ -32,7 +32,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/03-Testing_for_HTML_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/03-Testing_for_HTML_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-03 ltype: Linked To diff --git a/cres/542-488.yaml b/cres/542-488.yaml index e653a1d94..6b80ab3dd 100644 --- a/cres/542-488.yaml +++ b/cres/542-488.yaml @@ -12,11 +12,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.3.1 - sectionID: Verify that all random numbers, random file names, random GUIDs, and + section: Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker. + sectionID: V6.3.1 ltype: Linked To - document: doctype: Standard 
@@ -27,7 +27,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/543-428.yaml b/cres/543-428.yaml index 977333863..b17a603d4 100644 --- a/cres/543-428.yaml +++ b/cres/543-428.yaml @@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.8.2 - sectionID: Verify that symmetric keys used to verify submitted OTPs are highly - protected, such as by using a hardware security module or secure operating system - based key storage. + section: Verify that symmetric keys used to verify submitted OTPs are highly protected, + such as by using a hardware security module or secure operating system based + key storage. + sectionID: V2.8.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/543-512.yaml b/cres/543-512.yaml index 2636d1a8d..c5e9422e3 100644 --- a/cres/543-512.yaml +++ b/cres/543-512.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.2.5 - sectionID: Verify that REST services explicitly check the incoming Content-Type + section: Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json. + sectionID: V13.2.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/543-621.yaml b/cres/543-621.yaml index 652d71704..112843267 100644 --- a/cres/543-621.yaml +++ b/cres/543-621.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.5.3 - sectionID: Verify password credential recovery does not reveal the current password + section: Verify password credential recovery does not reveal the current password in any way. + sectionID: V2.5.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/545-243.yaml b/cres/545-243.yaml index 4fa1bebc7..5b9aa0a1c 100644 --- a/cres/545-243.yaml +++ b/cres/545-243.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.5.2 - sectionID: Verify that direct requests to uploaded files will never be executed + section: Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content. + sectionID: V12.5.2 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-09 ltype: Linked To diff --git a/cres/547-283.yaml b/cres/547-283.yaml index 98df5f3a7..7cb84d35e 100644 --- a/cres/547-283.yaml +++ b/cres/547-283.yaml 
@@ -6,16 +6,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.9 - sectionID: Verify that the application protects against Local File Inclusion (LFI) + section: Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks. + sectionID: V5.3.9 ltype: Linked To - document: doctype: Standard @@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-11 ltype: Linked To diff --git a/cres/551-054.yaml b/cres/551-054.yaml index 91cbdc0ee..42653c0df 100644 --- a/cres/551-054.yaml +++ b/cres/551-054.yaml @@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.5.2 - sectionID: Verify the application uses session tokens rather than static API secrets + section: Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations. + sectionID: V3.5.2 ltype: Linked To - document: doctype: Standard 
@@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-01 ltype: Linked To diff --git a/cres/551-400.yaml b/cres/551-400.yaml index eda8a5c91..25aa9d64a 100644 --- a/cres/551-400.yaml +++ b/cres/551-400.yaml @@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.5.1 - sectionID: Verify the application allows users to revoke OAuth tokens that form + section: Verify the application allows users to revoke OAuth tokens that form trust relationships with linked applications. + sectionID: V3.5.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/553-413.yaml b/cres/553-413.yaml index 7023dc5c4..cf1eb2554 100644 --- a/cres/553-413.yaml +++ b/cres/553-413.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.3.2 - sectionID: Verify that enrollment and use of user-provided authentication devices + section: Verify that enrollment and use of user-provided authentication devices are supported, such as a U2F or FIDO tokens. + sectionID: V2.3.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/555-048.yaml b/cres/555-048.yaml index dedd715d4..601023234 100644 --- a/cres/555-048.yaml +++ b/cres/555-048.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.1.4 - sectionID: Verify that each log event includes necessary information that would + section: Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. + sectionID: V7.1.4 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration.html#log-review name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-02 ltype: Linked To diff --git a/cres/558-807.yaml b/cres/558-807.yaml index 676b84b5e..b817a9fa2 100644 --- a/cres/558-807.yaml +++ b/cres/558-807.yaml @@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.2.5 - sectionID: Verify that where a Credential Service Provider (CSP) and the application + section: Verify that where a Credential Service Provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints. + sectionID: V2.2.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/560-224.yaml b/cres/560-224.yaml index e9b178601..8ca3f9618 100644 --- a/cres/560-224.yaml +++ b/cres/560-224.yaml 
@@ -18,6 +18,12 @@ links:
 section: Capacity management
 sectionID: '8.6'
 ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-3
+ name: NIST 800-53 v5
+ section: PM-3 Information Security and Privacy Resources
+ ltype: Linked To
 - document:
 doctype: Standard
 name: Cloud Controls Matrix
diff --git a/cres/570-487.yaml b/cres/570-487.yaml
new file mode 100644
index 000000000..f97bdc5a5
--- /dev/null
+++ b/cres/570-487.yaml
@@ -0,0 +1,15 @@
+doctype: CRE
+id: 570-487
+links:
+- document:
+ doctype: CRE
+ id: 207-435
+ name: Dynamic security testing
+ ltype: Contains
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Determine whether executable code testing
+ sectionID: PW.8.1
+ ltype: Linked To
+name: Manual penetration testing
diff --git a/cres/571-271.yaml b/cres/571-271.yaml
index ff05c3634..3276635e5 100644
--- a/cres/571-271.yaml
+++ b/cres/571-271.yaml
@@ -7,24 +7,21 @@ links:
 name: Security organizing processes
 ltype: Contains
 - document:
- doctype: Standard
- hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-7
- name: NIST 800-53 v5
- section: PL-7 CONCEPT OF OPERATIONS
- ltype: Linked To
+ doctype: CRE
+ id: 833-030
+ name: Connect with the community
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 261-010
+ name: Program management for secure software development
+ ltype: Contains
 - document:
 doctype: Standard
 name: ISO 27001
 section: Policies for information security
 sectionID: '5.1'
 ltype: Linked To
-- document:
- doctype: Standard
- hyperlink: https://owaspsamm.org/model/governance/education-and-guidance/stream-b
- name: SAMM
- section: Organization and Culture
- sectionID: G-EG-B
- ltype: Linked To
 - document:
 doctype: Standard
 hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-9
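Review bot: The `section:` text of the NIST SSDF link in the new file 570-487 stops mid-sentence at `Determine whether executable code testing`, so the mapping description is not usable as written. As far as I recall, the PW.8.1 task in SP 800-218 reads "Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used"; please check that against the source and store the complete sentence.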
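Review bot: The `@@ -7,24 +7,21 @@` hunk of 571-271 replaces the NIST 800-53 PL-7 and SAMM G-EG-B links with two child CREs (`833-030`, `261-010`), and the following hunks of this file drop many more standard links (SAMM G-SM-A, NIST PL, ISO 5.14, ISO 5.6, PM-10 through PM-29); nothing in this chunk shows those standards being re-attached under the new children, so please confirm they are re-homed rather than lost. Separately, the context line `sectionID: '5.1'` under `section: Acceptable use of information and other associated assets` in the `@@ -37,25 +34,6 @@` hunk duplicates the `'5.1'` already used for `Policies for information security` in this hunk; ISO 27001:2022 numbers Acceptable use as 5.10, which suggests `5.10` was parsed as the float `5.1` before being quoted, so it should probably read `sectionID: '5.10'`. The `@@ -68,120 +46,24 @@` hunk of this file continues past the end of this chunk.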
@@ -37,25 +34,6 @@ links:
 section: Acceptable use of information and other associated assets
 sectionID: '5.1'
 ltype: Linked To
-- document:
- doctype: Standard
- hyperlink: https://owaspsamm.org/model/governance/strategy-and-metrics/stream-a
- name: SAMM
- section: Create and Promote
- sectionID: G-SM-A
- ltype: Linked To
-- document:
- doctype: Standard
- hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL
- name: NIST 800-53 v5
- section: PL Planning
- ltype: Linked To
-- document:
- doctype: Standard
- name: ISO 27001
- section: Information transfer
- sectionID: '5.14'
- ltype: Linked To
 - document:
 doctype: Standard
 hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-1
@@ -68,120 +46,24 @@ links: section: Information security in project management sectionID: '5.8' ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-10 - name: NIST 800-53 v5 - section: PM-10 Authorization Process - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-11 - name: NIST 800-53 v5 - section: PM-11 Mission and Business Process Definition - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-12 name: NIST 800-53 v5 section: PM-12 Insider Threat Program ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-13 - name: NIST 800-53 v5 - section: PM-13 Security and Privacy Workforce - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-14 name: NIST 800-53 v5 section: PM-14 Testing, Training, and Monitoring ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-15 - name: NIST 800-53 v5 - section: PM-15 Security and Privacy Groups and Associations - ltype: Linked To -- document: - doctype: Standard - name: ISO 27001 - section: Contact with special interest groups - sectionID: '5.6' - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-16 - name: NIST 800-53 v5 - section: PM-16 Threat Awareness Program - ltype: Linked To -- document: - doctype: Standard - hyperlink: 
https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-17 - name: NIST 800-53 v5 - section: PM-17 Protecting Controlled Unclassified Information on External Systems - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-2 - name: NIST 800-53 v5 - section: PM-2 Information Security Program Leadership Role - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-21 - name: NIST 800-53 v5 - section: PM-21 Accounting of Disclosures - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-23 - name: NIST 800-53 v5 - section: PM-23 Data Governance Body - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-24 - name: NIST 800-53 v5 - section: PM-24 Data Integrity Board - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-26 name: NIST 800-53 v5 section: PM-26 Complaint Management ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-28 - name: NIST 800-53 v5 - section: PM-28 Risk Framing - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-29 - name: NIST 800-53 v5 - section: PM-29 Risk Management Program Leadership Roles - ltype: Linked To -- document: - doctype: Standard - hyperlink: 
https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-3 - name: NIST 800-53 v5 - section: PM-3 Information Security and Privacy Resources - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-30 - name: NIST 800-53 v5 - section: PM-30 Supply Chain Risk Management Strategy - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-31 - name: NIST 800-53 v5 - section: PM-31 Continuous Monitoring Strategy - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-32 
@@ -194,88 +76,16 @@ links: name: NIST 800-53 v5 section: PM-4 Plan of Action and Milestones Process ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-5 - name: NIST 800-53 v5 - section: PM-5 System Inventory - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-6 - name: NIST 800-53 v5 - section: PM-6 Measures of Performance - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-7 - name: NIST 800-53 v5 - section: PM-7 Enterprise Architecture - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-8 - name: NIST 800-53 v5 - section: PM-8 Critical Infrastructure Plan - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-9 - name: NIST 800-53 v5 - section: PM-9 Risk Management Strategy - ltype: Linked To -- document: - doctype: Standard - name: Cloud Controls Matrix - section: Application and Interface Security Policy and Procedures - sectionID: AIS-01 - ltype: Linked To -- document: - doctype: Standard - name: Cloud Controls Matrix - section: Application Security Metrics - sectionID: AIS-03 - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-1 name: NIST 800-53 v5 section: SC-1 Policy and Procedures ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-15 - name: NIST 800-53 v5 - section: SC-15 Collaborative 
Computing Devices and Applications - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-22 - name: NIST 800-53 v5 - section: SC-22 Architecture and Provisioning for Name/address Resolution Service - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-31 - name: NIST 800-53 v5 - section: SC-31 Covert Channel Analysis - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-6 - name: NIST 800-53 v5 - section: SC-6 Resource Availability - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-1 name: NIST 800-53 v5 section: SI-1 Policy and Procedures ltype: Linked To -- document: - doctype: Standard - hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-12 - name: NIST 800-53 v5 - section: SI-12 Information Management and Retention - ltype: Linked To name: Program management diff --git a/cres/571-640.yaml b/cres/571-640.yaml index e4385397c..d79c375be 100644 --- a/cres/571-640.yaml +++ b/cres/571-640.yaml @@ -48,6 +48,12 @@ links: name: NIST 800-53 v5 section: PM-27 Privacy Reporting ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-24 + name: NIST 800-53 v5 + section: PM-24 Data Integrity Board + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PT-1 
@@ -96,6 +102,12 @@ links: name: NIST 800-53 v5 section: PT-8 Computer Matching Requirements ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-21 + name: NIST 800-53 v5 + section: PM-21 Accounting of Disclosures + ltype: Linked To - document: doctype: Standard name: Cloud Controls Matrix diff --git a/cres/576-042.yaml b/cres/576-042.yaml index 1670c6718..f132bf1cf 100644 --- a/cres/576-042.yaml +++ b/cres/576-042.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.2.4 - sectionID: Verify that all authentication pathways and identity management APIs + section: Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application. + sectionID: V1.2.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/576-651.yaml b/cres/576-651.yaml index b9484a529..588d79c3e 100644 --- a/cres/576-651.yaml +++ b/cres/576-651.yaml 
@@ -10,15 +10,15 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.7 - sectionID: Verify that passwords submitted during account registration, login, - and password change are checked against a set of breached passwords either locally + section: Verify that passwords submitted during account registration, login, and + password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering)) + sectionID: V2.1.7 ltype: Linked To - document: doctype: Standard @@ -35,7 +35,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To diff --git a/cres/577-260.yaml b/cres/577-260.yaml index 39c91721b..74cf995e5 100644 --- a/cres/577-260.yaml +++ b/cres/577-260.yaml 
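Review bot: The WSTG hyperlinks are moved from the version-pinned `/v42/` path to `/stable/`, so the link now follows whatever WSTG release is current while the entry's `section` still records an identifier such as `WSTG-ATHN-07` that was mapped against 4.2. If a future WSTG release renumbers or splits a test the mapping will silently point at different content with no change to this file; a pinned URL, or a recorded WSTG version next to the identifier, keeps the mapping reproducible. The same change appears in the 581-525, 582-541, 604-025, 607-671, 611-051, 612-435, 615-744, 617-524, 618-403 and 620-101 hunks below.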
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.2.3 - sectionID: Verify that if application assets, such as JavaScript libraries, CSS + section: Verify that if application assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset. + sectionID: V14.2.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/581-525.yaml b/cres/581-525.yaml index 4a7c021d1..94dae9007 100644 --- a/cres/581-525.yaml +++ b/cres/581-525.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.5.6 - sectionID: Verify forgotten password, and other recovery paths use a secure recovery + section: Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as time-based OTP (TOTP) or other soft token, mobile push, or another offline recovery mechanism. + sectionID: V2.5.6 ltype: Linked To - document: doctype: Standard @@ -30,7 +30,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-09 ltype: Linked To diff --git a/cres/582-541.yaml b/cres/582-541.yaml index 362cae133..d6926788a 100644 --- a/cres/582-541.yaml +++ b/cres/582-541.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.7.1 - sectionID: Verify the application ensures a full, valid login session or requires + section: Verify the application ensures a full, valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications. + sectionID: V3.7.1 ltype: Linked To - document: doctype: Standard @@ -24,7 +24,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-01 ltype: Linked To diff --git a/cres/601-182.yaml b/cres/601-182.yaml index 18edea091..6dac6db51 100644 --- a/cres/601-182.yaml +++ b/cres/601-182.yaml @@ -23,4 +23,12 @@ links: id: 134-412 name: Protect sensitive functionalities against race conditions ltype: Contains +- document: + doctype: CRE + id: 267-031 + name: Protect the availability of resources by providing more to higher-priority + processes + tags: + - Denial Of Service protection + ltype: Contains name: Parallel execution robustness diff --git a/cres/604-025.yaml b/cres/604-025.yaml index ce4293238..2c9bde35c 100644 --- a/cres/604-025.yaml +++ b/cres/604-025.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.8 - sectionID: Verify that a password strength meter is provided to help users set - a stronger password. + section: Verify that a password strength meter is provided to help users set a + stronger password. + sectionID: V2.1.8 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To diff --git a/cres/605-735.yaml b/cres/605-735.yaml index db43a754c..c82fbf425 100644 --- a/cres/605-735.yaml +++ b/cres/605-735.yaml @@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.2.3 - sectionID: Verify that all encrypted connections to external systems that involve + section: Verify that all encrypted connections to external systems that involve sensitive information or functions are authenticated. + sectionID: V9.2.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/607-671.yaml b/cres/607-671.yaml index 592d2eb9f..55016864c 100644 --- a/cres/607-671.yaml +++ b/cres/607-671.yaml 
@@ -6,16 +6,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.6 - sectionID: Verify that the application protects against JSON injection attacks, + section: Verify that the application protects against JSON injection attacks, JSON eval attacks, and JavaScript expression evaluation. + sectionID: V5.3.6 ltype: Linked To - document: doctype: Standard @@ -32,7 +32,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/01-Testing_for_DOM-based_Cross_Site_Scripting.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-01 ltype: Linked To diff --git a/cres/611-051.yaml b/cres/611-051.yaml index e87d023e8..73c95c0b0 100644 --- a/cres/611-051.yaml +++ b/cres/611-051.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.3.1 - sectionID: Verify that XSD schema validation takes place to ensure a properly - formed XML document, followed by validation of each input field before any processing + section: Verify that XSD schema validation takes place to ensure a properly formed + XML document, followed by validation of each input field before any processing of that data takes place. + sectionID: V13.3.1 ltype: Linked To - document: doctype: Standard 
@@ -24,7 +24,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-07 ltype: Linked To diff --git a/cres/611-158.yaml b/cres/611-158.yaml index 5d8f1c70a..2d8c077ff 100644 --- a/cres/611-158.yaml +++ b/cres/611-158.yaml @@ -3,16 +3,16 @@ id: 611-158 links: - document: doctype: CRE - id: 433-442 - name: Verification + id: 832-555 + name: Automated static security analysis of code and configuration ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.1.1 - sectionID: Verify that a code analysis tool is in use that can detect potentially + section: Verify that a code analysis tool is in use that can detect potentially malicious code, such as time functions, unsafe file operations and network connections. + sectionID: V10.1.1 ltype: Linked To - document: doctype: Standard @@ -27,4 +27,4 @@ links: name: OWASP Cheat Sheets section: Third Party Javascript Management Cheat Sheet ltype: Linked To -name: Use SAST for malicious content +name: Use static analysis tooling to detect potentially malicious actions diff --git a/cres/612-252.yaml b/cres/612-252.yaml index 0d46e78ea..1ba36045c 100644 --- a/cres/612-252.yaml +++ b/cres/612-252.yaml 
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.4.2 - sectionID: Verify that GraphQL or other data layer authorization logic should - be implemented at the business logic layer instead of the GraphQL layer. + section: Verify that GraphQL or other data layer authorization logic should be + implemented at the business logic layer instead of the GraphQL layer. + sectionID: V13.4.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/612-435.yaml b/cres/612-435.yaml index 974b24fa6..c5259257d 100644 --- a/cres/612-435.yaml +++ b/cres/612-435.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.4.1 - sectionID: Verify that a generic message is shown when an unexpected or security + section: Verify that a generic message is shown when an unexpected or security sensitive error occurs, potentially with a unique ID which support personnel can use to investigate. + sectionID: V7.4.1 ltype: Linked To - document: doctype: Standard @@ -30,7 +30,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ERRH-02 ltype: Linked To diff --git a/cres/613-285.yaml b/cres/613-285.yaml index c0f59725c..3d98f42d4 100644 --- a/cres/613-285.yaml +++ b/cres/613-285.yaml 
@@ -63,12 +63,28 @@ links: name: NIST 800-53 v5 section: SA-22 Unsupported System Components ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: "Communicate requirements to all third parties who will provide commercial\ + \ software components to the organization for reuse by the organization\u2019\ + s own software. [Formerly PW.3.1]" + sectionID: PO.1.3 + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-4 name: NIST 800-53 v5 section: SA-4 Acquisition Process ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: "Acquire and maintain well-secured software components (e.g., software\ + \ libraries, modules, middleware, frameworks) from commercial, open- source,\ + \ and other third-party developers for use by the organization\u2019s software." + sectionID: PW.4.1 + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-1 @@ -81,6 +97,14 @@ links: section: Outsourced development sectionID: '8.3' ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Verify that acquired commercial, open-source, and all other third-party + software components comply with the requirements, as defined by the organization, + throughout their life cycles + sectionID: PW.4.4 + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SR-10 
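Review bot: The PW.4.1 `section` text added to cres/613-285.yaml contains `open- source,` with a stray space inside the hyphenated word, which looks like a line-break artifact carried over from the SSDF document; it should read `open-source,`, matching the PW.4.4 entry later in the same hunk (`acquired commercial, open-source, and all other third-party`). The PW.4.4 entry in turn ends without the terminal period the other SSDF sections have (`throughout their life cycles`). Minor, but these strings are rendered verbatim wherever the mapping is displayed, so normalising them now avoids a second pass.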
@@ -172,6 +196,12 @@ links: name: NIST 800-53 v5 section: SR-9 Tamper Resistance and Detection ltype: Linked To +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-30 + name: NIST 800-53 v5 + section: PM-30 Supply Chain Risk Management Strategy + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-1 diff --git a/cres/613-286.yaml b/cres/613-286.yaml index 23d6cc805..70daa2700 100644 --- a/cres/613-286.yaml +++ b/cres/613-286.yaml @@ -6,6 +6,11 @@ links: id: 613-285 name: Supply chain management ltype: Contains +- document: + doctype: CRE + id: 732-148 + name: Vulnerability management + ltype: Related - document: doctype: CRE id: 053-751 @@ -14,7 +19,7 @@ links: - document: doctype: CRE id: 863-521 - name: Maintain/manage inventory of third party repositories + name: Maintain/manage inventory of third party components ltype: Contains - document: doctype: CRE @@ -40,4 +45,12 @@ links: section: Software Dependencies sectionID: I-SB-B ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Gather information from software acquirers, users, and public sources + on potential vulnerabilities in the software and third-party components that + the software uses, and investigate all credible reports. + sectionID: RV.1.1 + ltype: Linked To name: Dependency management diff --git a/cres/614-353.yaml b/cres/614-353.yaml index 98b2bb292..5cc40efc8 100644 --- a/cres/614-353.yaml +++ b/cres/614-353.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.1.6 - sectionID: Verify that backups are stored securely to prevent data from being - stolen or corrupted. + section: Verify that backups are stored securely to prevent data from being stolen + or corrupted. + sectionID: V8.1.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/615-744.yaml b/cres/615-744.yaml index 7cde3b857..f1fcda780 100644 --- a/cres/615-744.yaml +++ b/cres/615-744.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.3.2 - sectionID: Verify that directory browsing is disabled unless deliberately desired. + section: Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders. + sectionID: V4.3.2 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/03-Test_File_Extensions_Handling_for_Sensitive_Information.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CONF-03 ltype: Linked To diff --git a/cres/616-305.yaml b/cres/616-305.yaml index f0fb0ecd4..d7103f2cf 100644 --- a/cres/616-305.yaml +++ b/cres/616-305.yaml @@ -3,7 +3,7 @@ id: 616-305 links: - document: doctype: CRE - id: 068-102 + id: 326-704 name: Architecture/design processes tags: - Architecture 
@@ -25,11 +25,21 @@ links: id: 473-177 name: Deploy/build ltype: Contains +- document: + doctype: CRE + id: 745-356 + name: Development process audit trail + ltype: Contains - document: doctype: CRE id: 613-285 name: Supply chain management ltype: Contains +- document: + doctype: CRE + id: 244-750 + name: Technical application security training + ltype: Contains - document: doctype: CRE id: 787-638 @@ -40,16 +50,21 @@ links: id: 820-877 name: Technical system documentation ltype: Contains -- document: - doctype: CRE - id: 244-750 - name: Technical training - ltype: Contains - document: doctype: CRE id: 433-442 name: Verification ltype: Contains +- document: + doctype: CRE + id: 261-010 + name: Program management for secure software development + ltype: Related +- document: + doctype: CRE + id: 148-853 + name: Setup and maintain a secure software development process + ltype: Related - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-15 @@ -74,20 +89,6 @@ links: section: Secure Application Design and Development sectionID: AIS-04 ltype: Linked To -- document: - doctype: Standard - hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md - name: ASVS - section: V1.1.1 - sectionID: Verify the use of a secure software development lifecycle that addresses - security in all stages of development. - ltype: Linked To -- document: - doctype: Standard - hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html - name: OWASP Proactive Controls - section: C1 - ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SA-8 
@@ -100,4 +101,18 @@ links: name: NIST 800-53 v5 section: SI-3 Malicious Code Protection ltype: Linked To +- document: + doctype: Standard + hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md + name: ASVS + section: Verify the use of a secure software development lifecycle that addresses + security in all stages of development. + sectionID: V1.1.1 + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owasp-top-10-proactive-controls-2018.readthedocs.io/en/latest/c1-security-requirements.html + name: OWASP Proactive Controls + section: C1 + ltype: Linked To name: Development processes for security diff --git a/cres/617-524.yaml b/cres/617-524.yaml index bee58ab4d..e01223ff8 100644 --- a/cres/617-524.yaml +++ b/cres/617-524.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.2.2 - sectionID: Verify that data stored in browser storage (such as localStorage, sessionStorage, + section: Verify that data stored in browser storage (such as localStorage, sessionStorage, IndexedDB, or cookies) does not contain sensitive data. + sectionID: V8.2.2 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/12-Testing_Browser_Storage.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-12 ltype: Linked To diff --git a/cres/618-403.yaml b/cres/618-403.yaml index 4c1fa51dd..563a7705f 100644 --- a/cres/618-403.yaml +++ b/cres/618-403.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.6.1 - sectionID: Verify that Relying Parties (RPs) specify the maximum authentication + section: Verify that Relying Parties (RPs) specify the maximum authentication time to Credential Service Providers (CSPs) and that CSPs re-authenticate the user if they haven't used a session within that period. + sectionID: V3.6.1 ltype: Linked To - document: doctype: Standard @@ -24,7 +24,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-01 ltype: Linked To diff --git a/cres/620-101.yaml b/cres/620-101.yaml index fb1c65703..551224209 100644 --- a/cres/620-101.yaml +++ b/cres/620-101.yaml 
@@ -6,19 +6,19 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.1 - sectionID: "Verify that output encoding is relevant for the interpreter and context\ + section: "Verify that output encoding is relevant for the interpreter and context\ \ required. For example, use encoders specifically for HTML values, HTML attributes,\ \ JavaScript, URL parameters, HTTP headers, SMTP, and others as the context\ \ requires, especially from untrusted inputs (e.g. names with Unicode or apostrophes,\ \ such as \u201E\xC5\u2260\u201E\xC5\xEC or O'Hara)." + sectionID: V5.3.1 ltype: Linked To - document: doctype: Standard @@ -35,7 +35,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/6-Appendix/D-Encoded_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/D-Encoded_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-APPE-D ltype: Linked To diff --git a/cres/621-287.yaml b/cres/621-287.yaml index fbb473b3c..a24c84655 100644 --- a/cres/621-287.yaml +++ b/cres/621-287.yaml @@ -31,8 +31,8 @@ links: name: Store and serve user-uploaded files such that they cannot execute/damage server or client tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: CRE diff --git a/cres/622-203.yaml b/cres/622-203.yaml index 28c8daf94..6bd9f4a73 100644 --- a/cres/622-203.yaml +++ b/cres/622-203.yaml 
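Review bot: The `section` value that 620-101's first hunk moves into place still carries what looks like mojibake: `\u201E\xC5\u2260\u201E\xC5\xEC` is exactly what the UTF-8 bytes of the Japanese example in ASVS V5.3.1 (`ねこ`) decode to under Mac Roman, so the commit preserves a corrupted copy of the requirement text. Since the key swap is the only change here, the value should be repaired from the ASVS 4.0.3 source at the same time, i.e. `such as ねこ or O'Hara)."` in place of the escaped run. A quick grep for `\u201E` across `cres/` would show whether other ASVS quotations were imported through the same encoding path.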
@@ -12,12 +12,12 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.4.1 - sectionID: Verify that passwords are stored in a form that is resistant to offline + section: Verify that passwords are stored in a form that is resistant to offline attacks. Passwords SHALL be salted and hashed using an approved one-way key derivation or password hashing function. Key derivation and password hashing functions take a password, a salt, and a cost factor as inputs when generating a password hash. + sectionID: V2.4.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/622-835.yaml b/cres/622-835.yaml index 0b330ca0e..7f5b5e916 100644 --- a/cres/622-835.yaml +++ b/cres/622-835.yaml @@ -12,11 +12,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.3.1 - sectionID: Verify system generated initial passwords or activation codes SHOULD + section: Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password. + sectionID: V2.3.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/623-347.yaml b/cres/623-347.yaml index cdd33c102..290d4594f 100644 --- a/cres/623-347.yaml +++ b/cres/623-347.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.5.4 - sectionID: Verify shared or default accounts are not present (e.g. "root", "admin", + section: Verify shared or default accounts are not present (e.g. "root", "admin", or "sa"). + sectionID: V2.5.4 ltype: Linked To - document: doctype: Standard 
diff --git a/cres/623-550.yaml b/cres/623-550.yaml
index 01d19b3fa..a510863fa 100644
--- a/cres/623-550.yaml
+++ b/cres/623-550.yaml
@@ -84,6 +84,14 @@ links:
 tags:
 - Denial Of Service protection
 ltype: Related
+- document:
+ doctype: CRE
+ id: 267-031
+ name: Protect the availability of resources by providing more to higher-priority
+ processes
+ tags:
+ - Denial Of Service protection
+ ltype: Related
 - document:
 doctype: Standard
 hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-5
diff --git a/cres/626-250.yaml b/cres/626-250.yaml
new file mode 100644
index 000000000..7d7bb332b
--- /dev/null
+++ b/cres/626-250.yaml
@@ -0,0 +1,44 @@
+doctype: CRE
+id: 626-250
+links:
+- document:
+ doctype: CRE
+ id: 433-442
+ name: Verification
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-6
+ name: NIST 800-53 v5
+ section: SI-6 Security and Privacy Function Verification
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owaspsamm.org/model/verification/architecture-assessment/stream-a
+ name: SAMM
+ section: Achitecture validation
+ sectionID: V-AA-A
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Have 1) a qualified person (or people) who were not involved with the
+ design and/or 2) automated processes instantiated in the toolchain review the
+ software design to confirm and enforce that it meets all of the security requirements
+ and satisfactorily addresses the identified risk information.
+ sectionID: PW.2.1
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-7
+ name: NIST 800-53 v5
+ section: SI-7 Software, Firmware, and Information Integrity
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://owaspsamm.org/model/verification/architecture-assessment/stream-b
+ name: SAMM
+ section: Achitecture mitigation
+ sectionID: V-AA-B
+ ltype: Linked To
+name: Design review
diff --git a/cres/630-573.yaml b/cres/630-573.yaml
index a90ba32e2..8b36d6128 100644
--- a/cres/630-573.yaml
+++ b/cres/630-573.yaml
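Review bot: Both SAMM entries in the new 626-250 file misspell the stream name as `Achitecture validation` and `Achitecture mitigation`; the SAMM streams referenced by `V-AA-A` and `V-AA-B` are "Architecture Validation" and "Architecture Mitigation", so the `section` text will not match the standard it is meant to cite. The two lines should read `section: Architecture validation` and `section: Architecture mitigation`. Since `section` text is what a reader sees when following a "Linked To" entry, a spell check over the `section:` values in `cres/` would catch similar slips before they are published.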
@@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md name: ASVS - section: V11.1.4 - sectionID: Verify that the application has anti-automation controls to protect - against excessive calls such as mass data exfiltration, business logic requests, - file uploads or denial of service attacks. + section: Verify that the application has anti-automation controls to protect against + excessive calls such as mass data exfiltration, business logic requests, file + uploads or denial of service attacks. + sectionID: V11.1.4 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-$$ ltype: Linked To diff --git a/cres/630-577.yaml b/cres/630-577.yaml index 666a8184f..c0b87cc9f 100644 --- a/cres/630-577.yaml +++ b/cres/630-577.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.11 - sectionID: Verify that "paste" functionality, browser password helpers, and external + section: Verify that "paste" functionality, browser password helpers, and external password managers are permitted. + sectionID: V2.1.11 ltype: Linked To - document: doctype: Standard 
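Review bot: The new hyperlink in 630-573's second hunk points at the Business Logic Testing chapter README, but the `section` beside it is still the placeholder `WSTG-BUSL-$$`, so this "Linked To" entry cannot be resolved by section ID and the placeholder survives the commit. Later in this diff 653-242 uses `WSTG-INPV-00` for the same kind of chapter-level link; if that is the intended convention, the line should become `section: WSTG-BUSL-00`. The same `WSTG-BUSL-$$` placeholder appears in 660-867 and should be resolved the same way.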
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To diff --git a/cres/635-851.yaml b/cres/635-851.yaml new file mode 100644 index 000000000..1a61a800f --- /dev/null +++ b/cres/635-851.yaml @@ -0,0 +1,31 @@ +doctype: CRE +id: 635-851 +links: +- document: + doctype: CRE + id: 261-010 + name: Program management for secure software development + ltype: Contains +- document: + doctype: Standard + hyperlink: https://owaspsamm.org/model/governance/strategy-and-metrics/stream-a + name: SAMM + section: Create and Promote + sectionID: G-SM-A + ltype: Linked To +- document: + doctype: Standard + hyperlink: https://owaspsamm.org/model/governance/strategy-and-metrics/stream-b/ + name: SAMM + section: Measure and Improve + sectionID: G-SM-B + ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Review the SDLC process, and update it if appropriate to prevent (or + reduce the likelihood of) the root cause recurring in updates to the software + or in new software that is created. + sectionID: RV.3.4 + ltype: Linked To +name: Steer the secure software development program diff --git a/cres/636-660.yaml b/cres/636-660.yaml index e3df965b7..e6b8c5a59 100644 --- a/cres/636-660.yaml +++ b/cres/636-660.yaml @@ -44,6 +44,8 @@ links: doctype: CRE id: 708-355 name: Secure implemented architecture + tags: + - Architecture ltype: Contains - document: doctype: CRE 
@@ -60,4 +62,11 @@ links: id: 724-770 name: Technical application access control ltype: Contains +- document: + doctype: Standard + name: NIST SSDF + section: "Follow all secure coding practices that are appropriate to the development\ + \ languages and environment to meet the organization\u2019s requirements" + sectionID: PW.5.1 + ltype: Linked To name: Technical application security controls diff --git a/cres/636-854.yaml b/cres/636-854.yaml index dc1a8fe76..84358a41b 100644 --- a/cres/636-854.yaml +++ b/cres/636-854.yaml @@ -12,12 +12,12 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.2.2 - sectionID: Verify that encrypted communications such as TLS is used for all inbound + section: Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. The server must not fall back to insecure or unencrypted protocols. + sectionID: V9.2.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/640-364.yaml b/cres/640-364.yaml index 2265f0aa1..2a2a3fd5a 100644 --- a/cres/640-364.yaml +++ b/cres/640-364.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.4.1 - sectionID: Verify that trusted enforcement points, such as access control gateways, + section: Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. Never enforce access controls on the client. + sectionID: V1.4.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/646-227.yaml b/cres/646-227.yaml index 1485faba9..ab860c4b1 100644 --- a/cres/646-227.yaml +++ b/cres/646-227.yaml 
@@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.8.5 - sectionID: Verify that if a time-based multi-factor OTP token is re-used during + section: Verify that if a time-based multi-factor OTP token is re-used during the validity period, it is logged and rejected with secure notifications being sent to the holder of the device. + sectionID: V2.8.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/646-462.yaml b/cres/646-462.yaml index bba42bb2d..2d57fba00 100644 --- a/cres/646-462.yaml +++ b/cres/646-462.yaml @@ -6,17 +6,17 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.2.8 - sectionID: Verify that the application sanitizes, disables, or sandboxes user-supplied + section: Verify that the application sanitizes, disables, or sandboxes user-supplied scriptable or expression template language content, such as Markdown, CSS or XSL stylesheets, BBCode, or similar. + sectionID: V5.2.8 ltype: Linked To - document: doctype: Standard @@ -27,7 +27,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client_Side_Testing/05-Testing_for_CSS_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client_Side_Testing/05-Testing_for_CSS_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CLNT-05 ltype: Linked To diff --git a/cres/650-560.yaml b/cres/650-560.yaml index e7b9b4f02..fe6e0b95a 100644 --- a/cres/650-560.yaml +++ b/cres/650-560.yaml 
@@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V4-Access-Control.md name: ASVS - section: V4.1.1 - sectionID: Verify that the application enforces access control rules on a trusted + section: Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed. + sectionID: V4.1.1 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHZ-02 ltype: Linked To diff --git a/cres/653-242.yaml b/cres/653-242.yaml index 836c180be..3aa914b0e 100644 --- a/cres/653-242.yaml +++ b/cres/653-242.yaml 
@@ -6,18 +6,18 @@ links: id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.1.4 - sectionID: Verify that structured data is strongly typed and validated against - a defined schema including allowed characters, length and pattern (e.g. credit + section: Verify that structured data is strongly typed and validated against a + defined schema including allowed characters, length and pattern (e.g. credit card numbers, e-mail addresses, telephone numbers, or validating that two related fields are reasonable, such as checking that suburb and zip/postcode match). + sectionID: V5.1.4 ltype: Linked To - document: doctype: Standard @@ -34,7 +34,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-00 ltype: Linked To diff --git a/cres/657-084.yaml b/cres/657-084.yaml index 737f4d5b8..06e0a4f88 100644 --- a/cres/657-084.yaml +++ b/cres/657-084.yaml @@ -6,8 +6,8 @@ links: id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: CRE 
@@ -18,10 +18,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.2.6 - sectionID: Verify that the application protects against SSRF attacks, by validating + section: Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow lists of protocols, domains, paths and ports. + sectionID: V5.2.6 ltype: Linked To - document: doctype: Standard @@ -32,7 +32,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11-Testing_for_Code_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-11 ltype: Linked To diff --git a/cres/660-052.yaml b/cres/660-052.yaml index c2ab49bcc..9529f5a34 100644 --- a/cres/660-052.yaml +++ b/cres/660-052.yaml @@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.1.1 - sectionID: Verify that the application will not accept large files that could - fill up storage or cause a denial of service. + section: Verify that the application will not accept large files that could fill + up storage or cause a denial of service. + sectionID: V12.1.1 ltype: Linked To - document: doctype: Standard 
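Review bot: 657-084 maps the SSRF requirement (ASVS V5.2.6, "protects against SSRF attacks") to `WSTG-INPV-11`, "Testing for Code Injection", and the updated hyperlink keeps that target, which is a loose match for the requirement text. WSTG has had a dedicated test for this since 4.2, `WSTG-INPV-19` (`19-Testing_for_Server-Side_Request_Forgery.html` under the same `07-Input_Validation_Testing/` path), which appears to be the closer mapping; if the code-injection link is intentional, keeping both entries would be clearer than replacing one with the other. Worth confirming against the WSTG release the project targets, since the URL now floats on `stable`.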
@@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-09 ltype: Linked To diff --git a/cres/660-867.yaml b/cres/660-867.yaml index 1edbdb9bb..1eb09dc3f 100644 --- a/cres/660-867.yaml +++ b/cres/660-867.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md name: ASVS - section: V11.1.5 - sectionID: Verify the application has business logic limits or validation to protect + section: Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies. + sectionID: V11.1.5 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-$$ ltype: Linked To diff --git a/cres/664-080.yaml b/cres/664-080.yaml index 1b84e99c5..453826072 100644 --- a/cres/664-080.yaml +++ b/cres/664-080.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x21-V13-API.md name: ASVS - section: V13.1.4 - sectionID: Verify that authorization decisions are made at both the URI, enforced + section: Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions. + sectionID: V13.1.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/664-571.yaml b/cres/664-571.yaml index 0f62f58c4..8c9db6209 100644 --- a/cres/664-571.yaml +++ b/cres/664-571.yaml @@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.3.3 - sectionID: Verify that random numbers are created with proper entropy even when + section: Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances. + sectionID: V6.3.3 ltype: Linked To - document: doctype: Standard @@ -31,7 +31,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/668-364.yaml b/cres/668-364.yaml index 3b098e8a6..1cdd03ca1 100644 --- a/cres/668-364.yaml +++ b/cres/668-364.yaml 
@@ -17,8 +17,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.2.5 - sectionID: Verify that backend TLS connection failures are logged. + section: Verify that backend TLS connection failures are logged. + sectionID: V9.2.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/670-660.yaml b/cres/670-660.yaml index afae7cb49..f239e659a 100644 --- a/cres/670-660.yaml +++ b/cres/670-660.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.11.2 - sectionID: Verify that all high-value business logic flows, including authentication, + section: Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state. + sectionID: V1.11.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/673-475.yaml b/cres/673-475.yaml index 11013089b..9e43b453d 100644 --- a/cres/673-475.yaml +++ b/cres/673-475.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.14.6 - sectionID: Verify the application does not use unsupported, insecure, or deprecated + section: Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets. + sectionID: V1.14.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/673-736.yaml b/cres/673-736.yaml index 64bbe4691..54e8247df 100644 --- a/cres/673-736.yaml +++ b/cres/673-736.yaml 
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.3.4 - sectionID: Verify that users are able to view and (having re-entered login credentials) + section: Verify that users are able to view and (having re-entered login credentials) log out of any or all currently active sessions and devices. + sectionID: V3.3.4 ltype: Linked To - document: doctype: Standard @@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality.html#testing-for-server-side-session-termination name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-06 ltype: Linked To diff --git a/cres/674-425.yaml b/cres/674-425.yaml index b27753e0e..e057138ae 100644 --- a/cres/674-425.yaml +++ b/cres/674-425.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.2.3 - sectionID: Verify that encryption initialization vector, cipher configuration, - and block modes are configured securely using the latest advice. + section: Verify that encryption initialization vector, cipher configuration, and + block modes are configured securely using the latest advice. + sectionID: V6.2.3 ltype: Linked To - document: doctype: Standard 
@@ -25,7 +25,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/675-168.yaml b/cres/675-168.yaml index 606ec0cda..84f00a6ae 100644 --- a/cres/675-168.yaml +++ b/cres/675-168.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.3.1 - sectionID: Verify that user-submitted filename metadata is not used directly by + section: Verify that user-submitted filename metadata is not used directly by system or framework filesystems and that a URL API is used to protect against path traversal. + sectionID: V12.3.1 ltype: Linked To - document: doctype: Standard @@ -24,7 +24,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHZ-01 ltype: Linked To diff --git a/cres/681-823.yaml b/cres/681-823.yaml index c4a815230..e62b4e31e 100644 --- a/cres/681-823.yaml +++ b/cres/681-823.yaml 
@@ -12,8 +12,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.8.1 - sectionID: Verify that time-based OTPs have a defined lifetime before expiring. + section: Verify that time-based OTPs have a defined lifetime before expiring. + sectionID: V2.8.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/683-722.yaml b/cres/683-722.yaml index 35cf310ef..838adffab 100644 --- a/cres/683-722.yaml +++ b/cres/683-722.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.3.5 - sectionID: Verify that untrusted file metadata is not used directly with system + section: Verify that untrusted file metadata is not used directly with system API or libraries, to protect against OS command injection. + sectionID: V12.3.5 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-12 ltype: Linked To diff --git a/cres/688-081.yaml b/cres/688-081.yaml index 8047868f1..316181014 100644 --- a/cres/688-081.yaml +++ b/cres/688-081.yaml 
@@ -10,9 +10,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.4.1 - sectionID: Verify that cookie-based session tokens have the 'Secure' attribute - set. + section: Verify that cookie-based session tokens have the 'Secure' attribute set. + sectionID: V3.4.1 ltype: Linked To - document: doctype: Standard @@ -29,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-02 ltype: Linked To diff --git a/cres/704-530.yaml b/cres/704-530.yaml index 7a9d4ade7..652880149 100644 --- a/cres/704-530.yaml +++ b/cres/704-530.yaml @@ -15,8 +15,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.2.2 - sectionID: Verify that session tokens possess at least 64 bits of entropy. + section: Verify that session tokens possess at least 64 bits of entropy. + sectionID: V3.2.2 ltype: Linked To - document: doctype: Standard 
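Review bot: The updated WSTG hyperlink in 688-081's second hunk ends in `#domain-attribute`, but this CRE is about the cookie `Secure` attribute (the ASVS V3.4.1 text in the first hunk), so the deep link lands a reader on the wrong part of the Cookies Attributes test. The WSTG page has a dedicated section for the Secure attribute, so `#secure-attribute` appears to be the intended fragment; since the fragment is being rewritten anyway, this is the moment to correct it. Verify the anchor against the rendered `stable` page, as fragment names are generated from headings and can differ between releases.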
@@ -33,7 +33,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-01 ltype: Linked To diff --git a/cres/705-182.yaml b/cres/705-182.yaml index c118d7854..a2bb2ea45 100644 --- a/cres/705-182.yaml +++ b/cres/705-182.yaml @@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.4.5 - sectionID: Verify that if the application is published under a domain name with + section: Verify that if the application is published under a domain name with other applications that set or use session cookies that might disclose the session cookies, set the path attribute in cookie-based session tokens using the most precise path possible. + sectionID: V3.4.5 ltype: Linked To - document: doctype: Standard @@ -31,7 +31,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-02 ltype: Linked To diff --git a/cres/708-355.yaml b/cres/708-355.yaml index 31f63c356..60b26e433 100644 --- a/cres/708-355.yaml +++ b/cres/708-355.yaml 
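Review bot: The updated WSTG hyperlink in 705-182's second hunk keeps the `#domain-attribute` fragment, while this CRE covers the cookie `path` attribute (ASVS V3.4.5 in the first hunk), so the link points at the Domain section rather than the Path section of the Cookies Attributes test. `#path-attribute` appears to be the intended fragment on that page. As with the other `#domain-attribute` links touched in this diff, confirm the anchor against the rendered `stable` page before relying on it.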
@@ -3,15 +3,20 @@ id: 708-355 links: - document: doctype: CRE - id: 068-102 + id: 326-704 name: Architecture/design processes tags: - Architecture ltype: Related +- document: + doctype: CRE + id: 155-155 + name: Architecture + ltype: Related - document: doctype: CRE id: 344-611 - name: Centralize security controls + name: Use centralized reusable security controls tags: - Architecture ltype: Contains @@ -63,3 +68,5 @@ links: section: SC-44 Detonation Chambers ltype: Linked To name: Secure implemented architecture +tags: +- Architecture diff --git a/cres/713-683.yaml b/cres/713-683.yaml index 4e6a1344e..82f89e4fb 100644 --- a/cres/713-683.yaml +++ b/cres/713-683.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.3.3 - sectionID: Verify that security logs are protected from unauthorized access and + section: Verify that security logs are protected from unauthorized access and modification. + sectionID: V7.3.3 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/03-Testing_for_Privilege_Escalation.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHZ-03 ltype: Linked To diff --git a/cres/715-223.yaml b/cres/715-223.yaml index 748045c5c..99049797f 100644 --- a/cres/715-223.yaml +++ b/cres/715-223.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.2.4 - sectionID: Verify that third party components come from pre-defined, trusted and + section: Verify that third party components come from pre-defined, trusted and continually maintained repositories. + sectionID: V14.2.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/715-304.yaml b/cres/715-304.yaml index 0401e0356..8a449919c 100644 --- a/cres/715-304.yaml +++ b/cres/715-304.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.6 - sectionID: Verify that sensitive information contained in memory is overwritten + section: Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeroes or random data. + sectionID: V8.3.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/715-334.yaml b/cres/715-334.yaml index b1f8a68ab..aec99de85 100644 --- a/cres/715-334.yaml +++ b/cres/715-334.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.2.1 - sectionID: Verify that all components are up to date, preferably using a dependency + section: Verify that all components are up to date, preferably using a dependency checker during build or compile time. + sectionID: V14.2.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/715-681.yaml b/cres/715-681.yaml index 029cc8953..3f0c829a4 100644 --- a/cres/715-681.yaml +++ b/cres/715-681.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.3 - sectionID: Verify that password truncation is not performed. However, consecutive + section: Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space. + sectionID: V2.1.3 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To diff --git a/cres/725-682.yaml b/cres/725-682.yaml index 6b46269fa..37b7d9943 100644 --- a/cres/725-682.yaml +++ b/cres/725-682.yaml @@ -20,9 +20,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md name: ASVS - section: V11.1.8 - sectionID: Verify that the application has configurable alerting when automated + section: Verify that the application has configurable alerting when automated attacks or unusual activity is detected. + sectionID: V11.1.8 ltype: Linked To - document: doctype: Standard diff --git a/cres/727-043.yaml b/cres/727-043.yaml index 67e4cc505..060544186 100644 --- a/cres/727-043.yaml +++ b/cres/727-043.yaml 
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md name: ASVS - section: V3.2.4 - sectionID: Verify that session tokens are generated using approved cryptographic + section: Verify that session tokens are generated using approved cryptographic algorithms. + sectionID: V3.2.4 ltype: Linked To - document: doctype: Standard @@ -34,7 +34,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema.html#gray-box-testing-and-example name: OWASP Web Security Testing Guide (WSTG) section: WSTG-SESS-01 ltype: Linked To diff --git a/cres/731-120.yaml b/cres/731-120.yaml index 4ca6992e1..c29e9d0d4 100644 --- a/cres/731-120.yaml +++ b/cres/731-120.yaml @@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.8.2 - sectionID: Verify that all protection levels have an associated set of protection + section: Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture. + sectionID: V1.8.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/732-148.yaml b/cres/732-148.yaml index cd39a1256..7b595b4dd 100644 --- a/cres/732-148.yaml +++ b/cres/732-148.yaml 
@@ -1,6 +1,16 @@ doctype: CRE id: 732-148 links: +- document: + doctype: CRE + id: 463-577 + name: Incident response + ltype: Related +- document: + doctype: CRE + id: 613-286 + name: Dependency management + ltype: Related - document: doctype: CRE id: 433-442 @@ -30,6 +40,14 @@ links: section: Defect Tracking sectionID: I-DM-A ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Gather information from software acquirers, users, and public sources + on potential vulnerabilities in the software and third-party components that + the software uses, and investigate all credible reports. + sectionID: RV.1.1 + ltype: Linked To - document: doctype: Standard hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SI-2 @@ -49,4 +67,38 @@ links: section: Metrics and Feedback sectionID: I-DM-B ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Analyze each vulnerability to gather sufficient information about risk + to plan its remediation or other risk response. + sectionID: RV.2.1 + ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Plan and implement risk responses for vulnerabilities. + sectionID: RV.2.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Analyze identified vulnerabilities to determine their root causes. + sectionID: RV.3.1 + ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Analyze the root causes over time to identify patterns, such as a particular + secure coding practice not being followed consistently. + sectionID: RV.3.2 + ltype: Linked To +- document: + doctype: Standard + name: NIST SSDF + section: Review the software for similar vulnerabilities to eradicate a class + of vulnerabilities, and proactively fix them rather than waiting for external + reports. + sectionID: RV.3.3 + ltype: Linked To name: Vulnerability management 
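Review bot: The new NIST SSDF entries in the last hunk (`sectionID: RV.2.1` through `RV.3.3`, and `RV.1.1` in the hunk before it) carry `name`, `section` and `sectionID` but no `hyperlink`, while the other Standard link visible in this file (the NIST 800-53 entry on the `SI-2` context line) resolves to a URL. If the schema permits it, a `hyperlink` on each SSDF practice would make these mappings verifiable by the same link check as the rest of the data; the SSDF entry in the new `cres/745-356.yaml` file (`PO.3.3`) has the same gap. The enclosing `links` list continues outside the hunk.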
diff --git a/cres/732-873.yaml b/cres/732-873.yaml index f1c36ad07..ef69836a3 100644 --- a/cres/732-873.yaml +++ b/cres/732-873.yaml @@ -6,17 +6,17 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.4 - sectionID: Verify that data selection or database queries (e.g. SQL, HQL, ORM, - NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise - protected from database injection attacks. + section: Verify that data selection or database queries (e.g. SQL, HQL, ORM, NoSQL) + use parameterized queries, ORMs, entity frameworks, or are otherwise protected + from database injection attacks. + sectionID: V5.3.4 ltype: Linked To - document: doctype: Standard @@ -33,7 +33,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-05 ltype: Linked To diff --git a/cres/736-237.yaml b/cres/736-237.yaml index b1bd43695..e3289c090 100644 --- a/cres/736-237.yaml +++ b/cres/736-237.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.4.2 - sectionID: 'Verify that all API responses contain a Content-Disposition: attachment; + section: 'Verify that all API responses contain a Content-Disposition: attachment; filename="api.json" header (or other appropriate filename for the content type).' + sectionID: V14.4.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/736-554.yaml b/cres/736-554.yaml index 572bb4efa..932afa6fb 100644 --- a/cres/736-554.yaml +++ b/cres/736-554.yaml @@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.5.2 - sectionID: Verify that serialization is not used when communicating with untrusted + section: Verify that serialization is not used when communicating with untrusted clients. If this is not possible, ensure that adequate integrity controls (and possibly encryption if sensitive data is sent) are enforced to prevent deserialization attacks including object injection. + sectionID: V1.5.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/737-086.yaml b/cres/737-086.yaml index 857bc1e06..918a4d710 100644 --- a/cres/737-086.yaml +++ b/cres/737-086.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.3.2 - sectionID: Verify that user-submitted filename metadata is validated or ignored + section: Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI). + sectionID: V12.3.2 ltype: Linked To - document: doctype: Standard 
@@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHZ-01 ltype: Linked To diff --git a/cres/742-056.yaml b/cres/742-056.yaml index 3cedb8513..c5a188295 100644 --- a/cres/742-056.yaml +++ b/cres/742-056.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.3.3 - sectionID: Verify that user-submitted filename metadata is validated or ignored + section: Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files via Remote File Inclusion (RFI) or Server-side Request Forgery (SSRF) attacks. + sectionID: V12.3.3 ltype: Linked To - document: doctype: Standard @@ -29,7 +29,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHZ-01 ltype: Linked To diff --git a/cres/742-431.yaml b/cres/742-431.yaml index 25fcf1138..c24737f8d 100644 --- a/cres/742-431.yaml +++ b/cres/742-431.yaml 
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.2.2 - sectionID: Verify that industry proven or government approved cryptographic algorithms, + section: Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. + sectionID: V6.2.2 ltype: Linked To - document: doctype: Standard @@ -31,7 +31,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/743-110.yaml b/cres/743-110.yaml index ce2d58ca3..39ac07143 100644 --- a/cres/743-110.yaml +++ b/cres/743-110.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md name: ASVS - section: V14.3.3 - sectionID: Verify that the HTTP headers or any part of the HTTP response do not + section: Verify that the HTTP headers or any part of the HTTP response do not expose detailed version information of system components. + sectionID: V14.3.3 ltype: Linked To - document: doctype: Standard 
@@ -25,7 +25,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/README.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/README.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INFO-## ltype: Linked To diff --git a/cres/743-237.yaml b/cres/743-237.yaml index 126c17cc1..29b598655 100644 --- a/cres/743-237.yaml +++ b/cres/743-237.yaml @@ -6,18 +6,18 @@ links: id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.1.1 - sectionID: Verify that the application has defenses against HTTP parameter pollution + section: Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, or environment variables). + sectionID: V5.1.1 ltype: Linked To - document: doctype: Standard @@ -28,7 +28,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-04 ltype: Linked To diff --git a/cres/745-045.yaml b/cres/745-045.yaml index 588fc53eb..5b39def0b 100644 --- a/cres/745-045.yaml +++ b/cres/745-045.yaml 
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.1.1 - sectionID: Verify that TLS is used for all client connectivity, and does not fall + section: Verify that TLS is used for all client connectivity, and does not fall back to insecure or unencrypted communications. + sectionID: V9.1.1 ltype: Linked To - document: doctype: Standard @@ -31,7 +31,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-01 ltype: Linked To diff --git a/cres/745-356.yaml b/cres/745-356.yaml new file mode 100644 index 000000000..23aa88746 --- /dev/null +++ b/cres/745-356.yaml @@ -0,0 +1,21 @@ +doctype: CRE +id: 745-356 +links: +- document: + doctype: CRE + id: 616-305 + name: Development processes for security + ltype: Contains +- document: + doctype: CRE + id: 464-513 + name: Assurance processes + ltype: Related +- document: + doctype: Standard + name: NIST SSDF + section: Configure tools to generate artifacts of their support of secure software + development practices as defined by the organization. + sectionID: PO.3.3 + ltype: Linked To +name: Development process audit trail diff --git a/cres/746-705.yaml b/cres/746-705.yaml index d60f51c06..16ba4610a 100644 --- a/cres/746-705.yaml +++ b/cres/746-705.yaml 
@@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x19-V11-BusLogic.md name: ASVS - section: V11.1.3 - sectionID: Verify the application has appropriate limits for specific business - actions or transactions which are correctly enforced on a per user basis. + section: Verify the application has appropriate limits for specific business actions + or transactions which are correctly enforced on a per user basis. + sectionID: V11.1.3 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/README.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-$$ ltype: Linked To diff --git a/cres/751-176.yaml b/cres/751-176.yaml index ef031ee24..89b86605a 100644 --- a/cres/751-176.yaml +++ b/cres/751-176.yaml @@ -15,8 +15,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.5 - sectionID: Verify users can change their password. + section: Verify users can change their password. + sectionID: V2.1.5 ltype: Linked To - document: doctype: Standard @@ -27,7 +27,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To 
diff --git a/cres/757-271.yaml b/cres/757-271.yaml index c68187fd3..0bf9af6d7 100644 --- a/cres/757-271.yaml +++ b/cres/757-271.yaml @@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.10.1 - sectionID: Verify that a source code control system is in use, with procedures - to ensure that check-ins are accompanied by issues or change tickets. The source + section: Verify that a source code control system is in use, with procedures to + ensure that check-ins are accompanied by issues or change tickets. The source code control system should have access control and identifiable users to allow traceability of any changes. + sectionID: V1.10.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/760-764.yaml b/cres/760-764.yaml index 73907fa52..e0b8fa723 100644 --- a/cres/760-764.yaml +++ b/cres/760-764.yaml @@ -19,16 +19,16 @@ links: name: Store and serve user-uploaded files such that they cannot execute/damage server or client tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE @@ -42,16 +42,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE diff --git a/cres/760-765.yaml b/cres/760-765.yaml index 32a91dcbb..2d709bb33 100644 --- a/cres/760-765.yaml +++ b/cres/760-765.yaml 
@@ -26,32 +26,32 @@ links: name: Store and serve user-uploaded files such that they cannot execute/damage server or client tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE id: 764-765 name: Sanitization and sandboxing tags: - - Injection protection - XSS protection + - Injection protection ltype: Related - document: doctype: CRE diff --git a/cres/762-451.yaml b/cres/762-451.yaml index ebe95e8c3..dc6e7dff5 100644 --- a/cres/762-451.yaml +++ b/cres/762-451.yaml @@ -10,8 +10,8 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.3.2 - sectionID: Verify that users have a method to remove or export their data on demand. + section: Verify that users have a method to remove or export their data on demand. + sectionID: V8.3.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/762-616.yaml b/cres/762-616.yaml index 082fbad59..fca70dc1f 100644 --- a/cres/762-616.yaml +++ b/cres/762-616.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.5.1 - sectionID: Verify that serialized objects use integrity checks or are encrypted + section: Verify that serialized objects use integrity checks or are encrypted to prevent hostile object creation or data tampering. + sectionID: V5.5.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/764-507.yaml b/cres/764-507.yaml index 88f972e68..3e626a49d 100644 --- a/cres/764-507.yaml +++ b/cres/764-507.yaml 
@@ -3,8 +3,8 @@ id: 764-507 links: - document: doctype: CRE - id: 764-508 - name: XML Parser hardening + id: 503-455 + name: Input and output protection ltype: Contains - document: doctype: CRE @@ -22,11 +22,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.5.2 - sectionID: Verify that the application correctly restricts XML parsers to only - use the most restrictive configuration possible and to ensure that unsafe features + section: Verify that the application correctly restricts XML parsers to only use + the most restrictive configuration possible and to ensure that unsafe features such as resolving external entities are disabled to prevent XML eXternal Entity (XXE) attacks. + sectionID: V5.5.2 ltype: Linked To - document: doctype: Standard @@ -37,7 +37,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-INPV-07 ltype: Linked To diff --git a/cres/764-508.yaml b/cres/764-508.yaml index f449a3991..aa73e6cce 100644 --- a/cres/764-508.yaml +++ b/cres/764-508.yaml @@ -11,7 +11,7 @@ links: id: 764-507 name: Restrict XML parsing (against XXE) tags: - - Injection protection - Configuration + - Injection protection ltype: Contains name: XML Parser hardening diff --git a/cres/764-765.yaml b/cres/764-765.yaml index 1a9e9c483..bef958227 100644 --- a/cres/764-765.yaml +++ b/cres/764-765.yaml 
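Review bot: The 764-507 hunk replaces its `Contains` link to 764-508 (`XML Parser hardening`) with 503-455 (`Input and output protection`), but the 764-508 hunk on this same line still keeps its `Contains` link back to 764-507, so the two files now disagree about the relationship. If links in this data set are meant to be symmetric, 764-508 should drop or re-point its link in the same commit; otherwise a sentence in the commit message explaining the one-sided link would help the next maintainer. Worth confirming that 503-455 is the intended new target, since the hunk gives no other context for the swap.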
@@ -8,17 +8,17 @@ links: ltype: Contains - document: doctype: CRE - id: 760-764 - name: Injection protection + id: 760-765 + name: XSS protection tags: - - XSS protection + - Injection protection ltype: Related - document: doctype: CRE - id: 760-765 - name: XSS protection + id: 760-764 + name: Injection protection tags: - - Injection protection + - XSS protection ltype: Related - document: doctype: CRE @@ -73,5 +73,5 @@ links: ltype: Contains name: Sanitization and sandboxing tags: -- Injection protection - XSS protection +- Injection protection diff --git a/cres/765-788.yaml b/cres/765-788.yaml index b0a33f4f1..4c87dc205 100644 --- a/cres/765-788.yaml +++ b/cres/765-788.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.8.1 - sectionID: Verify that all sensitive data is identified and classified into protection + section: Verify that all sensitive data is identified and classified into protection levels. + sectionID: V1.8.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/766-162.yaml b/cres/766-162.yaml index ce9cd0b6e..82719cc09 100644 --- a/cres/766-162.yaml +++ b/cres/766-162.yaml @@ -36,6 +36,12 @@ links: id: 307-242 name: Security risk assessment ltype: Contains +- document: + doctype: Standard + hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-7 + name: NIST 800-53 v5 + section: PM-7 Enterprise Architecture + ltype: Linked To - document: doctype: Standard name: Cloud Controls Matrix diff --git a/cres/767-435.yaml b/cres/767-435.yaml index ddde236e5..8d45772d3 100644 --- a/cres/767-435.yaml +++ b/cres/767-435.yaml 
@@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.4.3 - sectionID: Verify that if PBKDF2 is used, the iteration count SHOULD be as large + section: Verify that if PBKDF2 is used, the iteration count SHOULD be as large as verification server performance will allow, typically at least 100,000 iterations. + sectionID: V2.4.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/767-701.yaml b/cres/767-701.yaml index 9c8b1c1e7..c0072ae5c 100644 --- a/cres/767-701.yaml +++ b/cres/767-701.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x17-V9-Communications.md name: ASVS - section: V9.1.2 - sectionID: Verify using up to date TLS testing tools that only strong cipher suites + section: Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites set as preferred. + sectionID: V9.1.2 ltype: Linked To - document: doctype: Standard @@ -25,7 +25,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-01 ltype: Linked To diff --git a/cres/770-361.yaml b/cres/770-361.yaml index 1e5e6818c..027ad7d3e 100644 --- a/cres/770-361.yaml +++ b/cres/770-361.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.3.4 - sectionID: Verify that time sources are synchronized to the correct time and time + section: Verify that time sources are synchronized to the correct time and time zone. Strongly consider logging only in UTC if systems are global to assist with post-incident forensic analysis. + sectionID: V7.3.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/772-358.yaml b/cres/772-358.yaml index 1f4f52ba6..5e2826535 100644 --- a/cres/772-358.yaml +++ b/cres/772-358.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.5.2 - sectionID: Verify password hints or knowledge-based authentication (so-called - "secret questions") are not present. + section: Verify password hints or knowledge-based authentication (so-called "secret + questions") are not present. + sectionID: V2.5.2 ltype: Linked To - document: doctype: Standard @@ -23,7 +23,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-08 ltype: Linked To diff --git a/cres/774-888.yaml b/cres/774-888.yaml index a156df58f..3c0c3a250 100644 --- a/cres/774-888.yaml +++ b/cres/774-888.yaml 
@@ -12,12 +12,12 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.10.4 - sectionID: Verify passwords, integrations with databases and third-party systems, + section: Verify passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys are managed securely and not included in the source code or stored within source code repositories. Such storage SHOULD resist offline attacks. The use of a secure software key store (L1), hardware TPM, or an HSM (L3) is recommended for password storage. + sectionID: V2.10.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/777-470.yaml b/cres/777-470.yaml index d96e3886f..f52572759 100644 --- a/cres/777-470.yaml +++ b/cres/777-470.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.3.6 - sectionID: Verify that the application does not include and execute functionality + section: Verify that the application does not include and execute functionality from untrusted sources, such as unverified content distribution networks, JavaScript libraries, node npm libraries, or server-side DLLs. + sectionID: V12.3.6 ltype: Linked To - document: doctype: Standard diff --git a/cres/782-234.yaml b/cres/782-234.yaml index 3f3cac6e0..816c652bd 100644 --- a/cres/782-234.yaml +++ b/cres/782-234.yaml @@ -15,10 +15,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.5.1 - sectionID: Verify that input and output requirements clearly define how to handle + section: Verify that input and output requirements clearly define how to handle and process data based on type, content, and applicable laws, regulations, and other policy compliance. + sectionID: V1.5.1 ltype: Linked To - document: doctype: Standard 
diff --git a/cres/783-255.yaml b/cres/783-255.yaml index 3c5201cc6..238d081e6 100644 --- a/cres/783-255.yaml +++ b/cres/783-255.yaml @@ -12,11 +12,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.9.1 - sectionID: Verify that cryptographic keys used in verification are stored securely + section: Verify that cryptographic keys used in verification are stored securely and protected against disclosure, such as using a Trusted Platform Module (TPM) or Hardware Security Module (HSM), or an OS service that can use this secure storage. + sectionID: V2.9.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/786-224.yaml b/cres/786-224.yaml index 008c7563f..8163dff73 100644 --- a/cres/786-224.yaml +++ b/cres/786-224.yaml @@ -12,10 +12,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md name: ASVS - section: V6.2.7 - sectionID: Verify that encrypted data is authenticated via signatures, authenticated + section: Verify that encrypted data is authenticated via signatures, authenticated cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized party. + sectionID: V6.2.7 ltype: Linked To - document: doctype: Standard @@ -26,7 +26,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-CRYP-04 ltype: Linked To diff --git a/cres/801-310.yaml b/cres/801-310.yaml index dca448d0d..016d50a34 100644 --- a/cres/801-310.yaml +++ b/cres/801-310.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.4.5 - sectionID: Verify that attribute or feature-based access control is used whereby + section: Verify that attribute or feature-based access control is used whereby the code checks the user's authorization for a feature/data item rather than just their role. Permissions should still be allocated using roles. + sectionID: V1.4.5 ltype: Linked To - document: doctype: Standard diff --git a/cres/802-056.yaml b/cres/802-056.yaml index 424a24b74..1766a39c1 100644 --- a/cres/802-056.yaml +++ b/cres/802-056.yaml @@ -10,14 +10,14 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.2.1 - sectionID: Verify that anti-automation controls are effective at mitigating breached + section: Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account. + sectionID: V2.2.1 ltype: Linked To - document: doctype: Standard 
@@ -28,7 +28,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/03-Testing_for_Weak_Lock_Out_Mechanism.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ATHN-03
 ltype: Linked To
diff --git a/cres/804-220.yaml b/cres/804-220.yaml
index 660855d01..8a37bc311 100644
--- a/cres/804-220.yaml
+++ b/cres/804-220.yaml
@@ -17,9 +17,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x12-V3-Session-management.md
 name: ASVS
- section: V3.4.2
- sectionID: Verify that cookie-based session tokens have the 'HttpOnly' attribute
+ section: Verify that cookie-based session tokens have the 'HttpOnly' attribute
 set.
+ sectionID: V3.4.2
 ltype: Linked To
 - document:
 doctype: Standard
@@ -36,7 +36,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html#domain-attribute
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-SESS-02
 ltype: Linked To
diff --git a/cres/806-367.yaml b/cres/806-367.yaml
index ad94c54b1..9c4ba2eed 100644
--- a/cres/806-367.yaml
+++ b/cres/806-367.yaml
@@ -6,16 +6,16 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.5.4 - sectionID: Verify that output encoding occurs close to or by the interpreter for + section: Verify that output encoding occurs close to or by the interpreter for which it is intended. + sectionID: V1.5.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/807-565.yaml b/cres/807-565.yaml index 45a15defc..d9dd956ea 100644 --- a/cres/807-565.yaml +++ b/cres/807-565.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.1.9 - sectionID: Verify that there are no password composition rules limiting the type + section: Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. + sectionID: V2.1.9 ltype: Linked To - document: doctype: Standard @@ -30,7 +30,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-ATHN-07 ltype: Linked To diff --git a/cres/808-425.yaml b/cres/808-425.yaml index 7aa94d07d..362f3daf1 100644 --- a/cres/808-425.yaml +++ b/cres/808-425.yaml 
@@ -15,13 +15,12 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.2.3 - sectionID: Verify that secure notifications are sent to users after updates to - authentication details, such as credential resets, email or address changes, - logging in from unknown or risky locations. The use of push notifications - - rather than SMS or email - is preferred, but in the absence of push notifications, - SMS or email is acceptable as long as no sensitive information is disclosed - in the notification. + section: Verify that secure notifications are sent to users after updates to authentication + details, such as credential resets, email or address changes, logging in from + unknown or risky locations. The use of push notifications - rather than SMS + or email - is preferred, but in the absence of push notifications, SMS or email + is acceptable as long as no sensitive information is disclosed in the notification. + sectionID: V2.2.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/813-610.yaml b/cres/813-610.yaml index ba6616bd6..12bf5b7aa 100644 --- a/cres/813-610.yaml +++ b/cres/813-610.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.10.1 - sectionID: Verify that intra-service secrets do not rely on unchanging credentials + section: Verify that intra-service secrets do not rely on unchanging credentials such as passwords, API keys or shared accounts with privileged access. + sectionID: V2.10.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/814-322.yaml b/cres/814-322.yaml index ec572e5d7..43e3280f8 100644 --- a/cres/814-322.yaml +++ b/cres/814-322.yaml 
@@ -17,10 +17,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x20-V12-Files-Resources.md name: ASVS - section: V12.6.1 - sectionID: Verify that the web or application server is configured with an allow + section: Verify that the web or application server is configured with an allow list of resources or systems to which the server can send requests or load data/files from. + sectionID: V12.6.1 ltype: Linked To - document: doctype: Standard @@ -31,7 +31,7 @@ links: ltype: Linked To - document: doctype: Standard - hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html + hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files.html name: OWASP Web Security Testing Guide (WSTG) section: WSTG-BUSL-09 ltype: Linked To diff --git a/cres/816-631.yaml b/cres/816-631.yaml index 3198aae25..e6547e5a3 100644 --- a/cres/816-631.yaml +++ b/cres/816-631.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.7.2 - sectionID: Verify that the out of band verifier expires out of band authentication + section: Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes. + sectionID: V2.7.2 ltype: Linked To - document: doctype: Standard diff --git a/cres/817-808.yaml b/cres/817-808.yaml index 9f0bf452e..6d2937a3a 100644 --- a/cres/817-808.yaml +++ b/cres/817-808.yaml 
@@ -21,7 +21,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-IDNT-01
 ltype: Linked To
diff --git a/cres/820-421.yaml b/cres/820-421.yaml
index d2a1d2f6f..a840a37eb 100644
--- a/cres/820-421.yaml
+++ b/cres/820-421.yaml
@@ -12,9 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md
 name: ASVS
- section: V14.5.4
- sectionID: Verify that HTTP headers added by a trusted proxy or SSO devices, such
+ section: Verify that HTTP headers added by a trusted proxy or SSO devices, such
 as a bearer token, are authenticated by the application.
+ sectionID: V14.5.4
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/820-877.yaml b/cres/820-877.yaml
index dfec42bb5..c32216d72 100644
--- a/cres/820-877.yaml
+++ b/cres/820-877.yaml
@@ -29,4 +29,17 @@ links:
 name: NIST 800-53 v5
 section: SA-5 System Documentation
 ltype: Linked To
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: "Track and maintain the software\u2019s security requirements, risks,\
+ \ and design decisions."
+ sectionID: PW.1.2
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PL-7
+ name: NIST 800-53 v5
+ section: PL-7 CONCEPT OF OPERATIONS
+ ltype: Linked To
 name: Technical system documentation
diff --git a/cres/820-878.yaml b/cres/820-878.yaml
index 02ad8daa2..aeddcb5ac 100644
--- a/cres/820-878.yaml
+++ b/cres/820-878.yaml
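Review bot: In the 820-877 hunk the new NIST SSDF `section` is written as a double-quoted, backslash-continued scalar with the apostrophe escaped as `\u2019`, while the other NIST SSDF entry added in this diff (PS.3.2 in 863-521) is a plain folded scalar; the escaped form is valid YAML but does not grep against the source text. A plain scalar with the literal character, `section: Track and maintain the software’s security requirements, risks, and design decisions.`, is equivalent after parsing and consistent with the rest of the corpus. Also, `section: PL-7 CONCEPT OF OPERATIONS` is the only NIST 800-53 v5 section in this diff written in capitals (compare `SA-5 System Documentation` in the same hunk and `PM-15 Security and Privacy Groups and Associations` in 833-030); if the importer or UI matches links on section text, the casing difference will make this look like a distinct control.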
@@ -15,9 +15,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.1.4 - sectionID: Verify documentation and justification of all the application's trust + section: Verify documentation and justification of all the application's trust boundaries, components, and significant data flows. + sectionID: V1.1.4 ltype: Linked To - document: doctype: Standard diff --git a/cres/821-832.yaml b/cres/821-832.yaml index 90fb0b0fd..c175597b3 100644 --- a/cres/821-832.yaml +++ b/cres/821-832.yaml @@ -12,9 +12,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.6.3 - sectionID: Verify that all keys and passwords are replaceable and are part of - a well-defined process to re-encrypt sensitive data. + section: Verify that all keys and passwords are replaceable and are part of a + well-defined process to re-encrypt sensitive data. + sectionID: V1.6.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/822-100.yaml b/cres/822-100.yaml index da0a7f6ff..936b96761 100644 --- a/cres/822-100.yaml +++ b/cres/822-100.yaml @@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.1.3 - sectionID: Verify that all user stories and features contain functional security + section: Verify that all user stories and features contain functional security constraints, such as "As a user, I should be able to view and edit my profile. I should not be able to view or edit anyone else's profile" + sectionID: V1.1.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/824-732.yaml b/cres/824-732.yaml index a2dac7ee2..86024818a 100644 --- a/cres/824-732.yaml +++ b/cres/824-732.yaml 
@@ -12,9 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
 name: ASVS
- section: V5.4.2
- sectionID: Verify that format strings do not take potentially hostile input, and
+ section: Verify that format strings do not take potentially hostile input, and
 are constant.
+ sectionID: V5.4.2
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/831-563.yaml b/cres/831-563.yaml
index 836a484a6..95151a0c5 100644
--- a/cres/831-563.yaml
+++ b/cres/831-563.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
 name: ASVS
- section: V5.5.3
- sectionID: Verify that deserialization of untrusted data is avoided or is protected
+ section: Verify that deserialization of untrusted data is avoided or is protected
 in both custom code and third-party libraries (such as JSON, XML and YAML parsers).
+ sectionID: V5.5.3
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/831-570.yaml b/cres/831-570.yaml
index ba33abc04..21ffebdcb 100644
--- a/cres/831-570.yaml
+++ b/cres/831-570.yaml
@@ -12,9 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
 name: ASVS
- section: V5.4.1
- sectionID: Verify that the application uses memory-safe string, safer memory copy
+ section: Verify that the application uses memory-safe string, safer memory copy
 and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.
+ sectionID: V5.4.1
 ltype: Linked To
 - document:
 doctype: Standard
@@ -25,7 +25,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Buffer_Overflow.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/13-Testing_for_Buffer_Overflow.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-INPV-13
 ltype: Linked To
diff --git a/cres/832-555.yaml b/cres/832-555.yaml
new file mode 100644
index 000000000..af3b2e333
--- /dev/null
+++ b/cres/832-555.yaml
@@ -0,0 +1,14 @@
+doctype: CRE
+id: 832-555
+links:
+- document:
+ doctype: CRE
+ id: 433-442
+ name: Verification
+ ltype: Contains
+- document:
+ doctype: CRE
+ id: 611-158
+ name: Use static analysis tooling to detect potentially malicious actions
+ ltype: Contains
+name: Automated static security analysis of code and configuration
diff --git a/cres/833-030.yaml b/cres/833-030.yaml
new file mode 100644
index 000000000..68d797062
--- /dev/null
+++ b/cres/833-030.yaml
@@ -0,0 +1,21 @@
+doctype: CRE
+id: 833-030
+links:
+- document:
+ doctype: CRE
+ id: 571-271
+ name: Program management
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-15
+ name: NIST 800-53 v5
+ section: PM-15 Security and Privacy Groups and Associations
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: ISO 27001
+ section: Contact with special interest groups
+ sectionID: '5.6'
+ ltype: Linked To
+name: Connect with the community
diff --git a/cres/834-645.yaml b/cres/834-645.yaml
index 53c9062a3..993b2601d 100644
--- a/cres/834-645.yaml
+++ b/cres/834-645.yaml
@@ -10,11 +10,11 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.2.1 - sectionID: Verify that the application source code and third party libraries do + section: Verify that the application source code and third party libraries do not contain unauthorized phone home or data collection capabilities. Where such functionality exists, obtain the user's permission for it to operate before collecting any data. + sectionID: V10.2.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/838-636.yaml b/cres/838-636.yaml index c6939d655..9056909c8 100644 --- a/cres/838-636.yaml +++ b/cres/838-636.yaml @@ -10,12 +10,12 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x18-V10-Malicious.md name: ASVS - section: V10.2.3 - sectionID: Verify that the application source code and third party libraries do + section: Verify that the application source code and third party libraries do not contain back doors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered. + sectionID: V10.2.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/841-710.yaml b/cres/841-710.yaml index deb31816e..d740d77e8 100644 --- a/cres/841-710.yaml +++ b/cres/841-710.yaml 
@@ -10,10 +10,10 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md name: ASVS - section: V7.2.1 - sectionID: Verify that all authentication decisions are logged, without storing + section: Verify that all authentication decisions are logged, without storing sensitive session tokens or passwords. This should include requests with relevant metadata needed for security investigations. + sectionID: V7.2.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/841-757.yaml b/cres/841-757.yaml index ea3fdbf3b..47c6feafc 100644 --- a/cres/841-757.yaml +++ b/cres/841-757.yaml @@ -17,9 +17,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md name: ASVS - section: V2.8.3 - sectionID: Verify that approved cryptographic algorithms are used in the generation, + section: Verify that approved cryptographic algorithms are used in the generation, seeding, and verification of OTPs. + sectionID: V2.8.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/846-302.yaml b/cres/846-302.yaml index f8d682099..1c5601233 100644 --- a/cres/846-302.yaml +++ b/cres/846-302.yaml @@ -10,9 +10,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x16-V8-Data-Protection.md name: ASVS - section: V8.1.1 - sectionID: Verify the application protects sensitive data from being cached in - server components such as load balancers and application caches. + section: Verify the application protects sensitive data from being cached in server + components such as load balancers and application caches. + sectionID: V8.1.1 ltype: Linked To - document: doctype: Standard diff --git a/cres/848-711.yaml b/cres/848-711.yaml index 5e6d4bed8..c84521c28 100644 --- a/cres/848-711.yaml +++ b/cres/848-711.yaml 
@@ -6,8 +6,8 @@ links: id: 010-308 name: Input validation tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: CRE @@ -18,9 +18,9 @@ links: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x10-V1-Architecture.md name: ASVS - section: V1.5.3 - sectionID: Verify that input validation is enforced on a trusted service layer. + section: Verify that input validation is enforced on a trusted service layer. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering)) + sectionID: V1.5.3 ltype: Linked To - document: doctype: Standard diff --git a/cres/850-376.yaml b/cres/850-376.yaml index 0f036a803..e6a6dff68 100644 --- a/cres/850-376.yaml +++ b/cres/850-376.yaml @@ -13,13 +13,13 @@ links: ltype: Contains - document: doctype: CRE - id: 157-587 - name: Equipment management + id: 148-227 + name: Endpoint management ltype: Contains - document: doctype: CRE - id: 148-227 - name: Endpoint management + id: 157-587 + name: Equipment management ltype: Contains - document: doctype: CRE diff --git a/cres/857-718.yaml b/cres/857-718.yaml index 53ba02833..f0b7b3c1e 100644 --- a/cres/857-718.yaml +++ b/cres/857-718.yaml @@ -6,17 +6,17 @@ links: id: 161-451 name: Output encoding and injection prevention tags: - - Injection protection - XSS protection + - Injection protection ltype: Contains - document: doctype: Standard hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md name: ASVS - section: V5.3.8 - sectionID: Verify that the application protects against OS command injection and + section: Verify that the application protects against OS command injection and that operating system calls use parameterized OS queries or use contextual command line output encoding. + sectionID: V5.3.8 ltype: Linked To - document: doctype: Standard 
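Review bot: In the 848-711 `@@ -18,9 +18,9 @@` hunk the new `section` for V1.5.3 keeps the `([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))` markdown cross-reference from the ASVS source, while every other ASVS `section` value in this diff carries only the requirement sentence. The markdown will not render in a plain-text field and makes text matching against the canonical requirement inconsistent across entries; dropping the trailing reference, `section: Verify that input validation is enforced on a trusted service layer.`, brings it in line with the others. The tag reorders in this and the 857-718 hunk are cosmetic.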
@@ -33,7 +33,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-INPV-12
 ltype: Linked To
diff --git a/cres/860-084.yaml b/cres/860-084.yaml
index f81132bb9..c4042327d 100644
--- a/cres/860-084.yaml
+++ b/cres/860-084.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md
 name: ASVS
- section: V14.2.6
- sectionID: Verify that the attack surface is reduced by sandboxing or encapsulating
+ section: Verify that the attack surface is reduced by sandboxing or encapsulating
 third party libraries to expose only the required behaviour into the application.
+ sectionID: V14.2.6
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/862-452.yaml b/cres/862-452.yaml
index 534f8f93c..34a158b8f 100644
--- a/cres/862-452.yaml
+++ b/cres/862-452.yaml
@@ -26,6 +26,11 @@ links:
 id: 010-678
 name: Improvement management
 ltype: Contains
+- document:
+ doctype: CRE
+ id: 148-853
+ name: Setup and maintain a secure software development process
+ ltype: Related
 - document:
 doctype: Standard
 hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-26
diff --git a/cres/863-521.yaml b/cres/863-521.yaml
index c78197347..0135d1f45 100644
--- a/cres/863-521.yaml
+++ b/cres/863-521.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x22-V14-Config.md
 name: ASVS
- section: V14.2.5
- sectionID: Verify that a Software Bill of Materials (SBOM) is maintained of all
+ section: Verify that a Software Bill of Materials (SBOM) is maintained of all
 third party libraries in use.
+ sectionID: V14.2.5
 ltype: Linked To
 - document:
 doctype: Standard
@@ -32,4 +32,11 @@ links:
 name: OWASP Cheat Sheets
 section: Vulnerable Dependency Management Cheat Sheet
 ltype: Linked To
-name: Maintain/manage inventory of third party repositories
+- document:
+ doctype: Standard
+ name: NIST SSDF
+ section: Collect, safeguard, maintain, and share provenance data for all components
+ of each software release (e.g., in a software bill of materials [SBOM]).
+ sectionID: PS.3.2
+ ltype: Linked To
+name: Maintain/manage inventory of third party components
diff --git a/cres/863-636.yaml b/cres/863-636.yaml
index fc80577e3..05de1722f 100644
--- a/cres/863-636.yaml
+++ b/cres/863-636.yaml
@@ -10,9 +10,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x15-V7-Error-Logging.md
 name: ASVS
- section: V7.4.2
- sectionID: Verify that exception handling (or a functional equivalent) is used
- across the codebase to account for expected and unexpected error conditions.
+ section: Verify that exception handling (or a functional equivalent) is used across
+ the codebase to account for expected and unexpected error conditions.
+ sectionID: V7.4.2
 ltype: Linked To
 - document:
 doctype: Standard
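Review bot: In the 863-521 `@@ -32,4 +32,11 @@` hunk the CRE's `name` changes from `Maintain/manage inventory of third party repositories` to `Maintain/manage inventory of third party components`, and `name` is a value that other CRE files carry next to the `id` in their `links` entries (every CRE link in this diff has both). Any file that links 863-521 and is not touched by this commit will now hold the stale name; I cannot see such files from here, so it is worth a grep for the old string across `cres/`, and ideally an importer check that a link's `name` agrees with the target file's `name` so a rename cannot leave the two out of sync. The new NIST SSDF PS.3.2 link itself is fine and its plain folded `section` is the style the rest of the corpus uses.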
@@ -29,7 +29,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-ERRH-02
 ltype: Linked To
diff --git a/cres/878-880.yaml b/cres/878-880.yaml
index 9efa852c3..24f00050b 100644
--- a/cres/878-880.yaml
+++ b/cres/878-880.yaml
@@ -12,10 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x14-V6-Cryptography.md
 name: ASVS
- section: V6.2.8
- sectionID: Verify that all cryptographic operations are constant-time, with no
- 'short-circuit' operations in comparisons, calculations, or returns, to avoid
- leaking information.
+ section: Verify that all cryptographic operations are constant-time, with no 'short-circuit'
+ operations in comparisons, calculations, or returns, to avoid leaking information.
+ sectionID: V6.2.8
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/881-321.yaml b/cres/881-321.yaml
index b9a27419d..726b8723c 100644
--- a/cres/881-321.yaml
+++ b/cres/881-321.yaml
@@ -12,9 +12,9 @@ links:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md
 name: ASVS
- section: V2.10.3
- sectionID: Verify that passwords are stored with sufficient protection to prevent
+ section: Verify that passwords are stored with sufficient protection to prevent
 offline recovery attacks, including local system access.
+ sectionID: V2.10.3
 ltype: Linked To
 - document:
 doctype: Standard
diff --git a/cres/881-434.yaml b/cres/881-434.yaml
index 77d310104..a8d106ed5 100644
--- a/cres/881-434.yaml
+++ b/cres/881-434.yaml
@@ -6,16 +6,16 @@ links:
 id: 764-765
 name: Sanitization and sandboxing
 tags:
- - Injection protection
 - XSS protection
+ - Injection protection
 ltype: Contains
 - document:
 doctype: Standard
 hyperlink: https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
 name: ASVS
- section: V5.2.3
- sectionID: Verify that the application sanitizes user input before passing to
- mail systems to protect against SMTP or IMAP injection.
+ section: Verify that the application sanitizes user input before passing to mail
+ systems to protect against SMTP or IMAP injection.
+ sectionID: V5.2.3
 ltype: Linked To
 - document:
 doctype: Standard
@@ -26,7 +26,7 @@ links:
 ltype: Linked To
 - document:
 doctype: Standard
- hyperlink: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.html
+ hyperlink: https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection.html
 name: OWASP Web Security Testing Guide (WSTG)
 section: WSTG-INPV-10
 ltype: Linked To
diff --git a/cres/888-770.yaml b/cres/888-770.yaml
new file mode 100644
index 000000000..c26c0fe9d
--- /dev/null
+++ b/cres/888-770.yaml
@@ -0,0 +1,27 @@
+doctype: CRE
+id: 888-770
+links:
+- document:
+ doctype: CRE
+ id: 307-242
+ name: Security risk assessment
+ ltype: Contains
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=RA-10
+ name: NIST 800-53 v5
+ section: RA-10 Threat Hunting
+ ltype: Linked To
+- document:
+ doctype: Standard
+ name: ISO 27001
+ section: Threat intelligence
+ sectionID: '5.7'
+ ltype: Linked To
+- document:
+ doctype: Standard
+ hyperlink: https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=PM-16
+ name: NIST 800-53 v5
+ section: PM-16 Threat Awareness Program
+ ltype: Linked To
+name: Threat intelligence - stay up to date with new threats and consider them
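Review bot: Linking NIST 800-53 `RA-10 Threat Hunting` under a CRE named `Threat intelligence` conflates two different activities: threat hunting is the operational search for signs of compromise already present in one's own environment, whereas the other two links in this file, `PM-16 Threat Awareness Program` and ISO 27001 `5.7` Threat intelligence, are about collecting, analysing and sharing information on external threats. If both are meant to sit here, the `name` should say so; otherwise RA-10 more naturally belongs with a detection or monitoring CRE. I cannot see the sibling CREs from this diff, so this is a question for the mapping author rather than a definite error; quoting `sectionID: '5.7'` is correct, since an unquoted value would be read as a float.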