👨‍🎨 🤒 🌒 Translation of ASVS 4.0 standard. Part 1 💻 🖱️ 👩🏽‍🤝‍👨🏻

Application Security Verification Standard 4.0, OWASP 2019 . 14 . (V1) , , , , . .

ASVS, , .

(Application Security Verification Standard – ASVS 4.0)

1.

ASVS – , , , , , , , .

1.1 ASVS

ASVS :

- ;

- .

1.2

, .

- 1 .

- 2 , , .

- 3 – , , .

ASVS . , .

1 – , . , , , . 1 « » ( ), , . , , . , , . « », , , .

30 « » , , . , « » , . , , , . .

, DAST (Dynamic Application Security Testing) SAST (Static Application Security Testing), , .

ASVS . , , , , . - .

1.3

– - , . ASVS , .

1 - , (First steps, automated, or whole of portfolio view)

1 ASVS, , OWASP Top 10 -, , CVE (Common Vulnerabilities and Exposures) CWE (Common Weakness Enumeration).

1 – , . 1 , , , 2 3. 1 , . 1 , .

, , , . , . , , , 1.

2 –

2 ASVS, , .

2 , . 2 , B2B-, , . , , , , .

2, , , , , .

3 - ,

3 – ASVS. , , , , , , ..

3 , , . 3- ASVS, , .

3 ASVS , , . ( , , , ), ( / ) , . (, ), (, , ), (, ), ( ), , ().

1.4 ASVS

, . - ASVS.

2.

2.1 OWASP ASVS

OWASP, , , , .

, , OWASP. , - , ASVS.

, OWASP.

2.2

, , , , , ( ), 2 3.

, , . (, , , SSOauthentication), , , , .

. , API- , (V3 Session Management) . - ASVS, .

, , , , , , . . , . , , .

2.3

, . , . , , .

. ASVS . 1 , . , . , .

4.0 1 , . , , . .

2 3 , , . , , , « » « ».

3. ASVS

, ASVS.

- . Sherwood Applied Business Security Architecture (SABSA) , . ASVS , , .

ASVS, ASVS, , . , . , 4.1 ASVS, 4.1 .

ASVS . , , . , , , , , XSS, LDAP- SQL-. , , , , XSS .

ASVS . « » - . , . ASVS, , -10 .

Agile-

ASVS Agile , , . : 1, ASVS , , , . Agile-. , ASVS , «», .

ASVS - , . , , , X ASVS, . OWASP .

. .

4. V1: ,

, - . - , , , «». , . , , .

-, , , , , . – , , . , , , .

, SAML, , NIST 800-63, . , , , . SAML – , , . , , .

ASVS : , , , . . Shift-left , , , , , , , , . , , production . Agile-, , , , .

1 – V1.1

№		1	2	3	CWE
1.1.1	.		+	+
1.1.2	, , .		+	+	1053
1.1.3	, « , . ».		+	+	1110
1.1.4	, .		+	+	1059
1.1.5	.		+	+	1059
1.1.6	, , , , , , .		+	+	637
1.1.7	, , .		+	+	637

V1.2

, , , . .

2 – V1.2

№		1	2	3	CWE
1.2.1	, .		+	+	250
1.2.2	, API-, , . .		+	+	306
1.2.3	, , .		+	+	306
1.2.4	API- , , .		+	+	306

V1.3

V1.4

3 – V1.4

№		1	2	3	CWE
1.4.1	, , , . .		+	+	602
1.4.2	, , .		+	+	284
1.4.3	, , URL-, , . .		+	+	272
1.4.4	. , .		+	+	284
1.4.5	, / , . - .		+	+	275

V1.5

4.0 « » . - – . . , ASVS « », , , , API, , API , API . .

4 – V1.5

№		1	2	3	CWE
1.5.1	, , , , .		+	+	1029
1.5.2	, . , , (, ), , .		+	+	502
1.5.3	.		+	+	602
1.5.4	, .		+	+	116

V1.6

. , – . , .

5 – V1.6

№		1	2	3	CWE
1.6.1	, , NIST SP 800-57.		+	+	320
1.6.2	, , API.		+	+	320
1.6.3	.		+	+	320
1.6.4	, , API, , , , , . .		+	+	320

V1.7 ,

6 – V1.7 ,

№		1	2	3	CWE
1.7.1	.		+	+	1009
1.7.2	( ) , , .		+	+

V1.8

7 – V1.8

№		1	2	3	CWE
1.8.1	.		+	+
1.8.2	, , , , , .		+	+

V1.9

8 – V1.9

№		1	2	3	CWE
1.9.1	, , , .		+	+	319
1.9.2	, « ». , TLS.		+	+	295

V1.10

9 – V1.10

№		1	2	3	CWE
1.10.1	, , , . , .		+	+	284

V1.11 -

10 – V1.11 -

№		1	2	3	CWE
1.11.1	- , .		+	+	1059
1.11.2	-, , , .		+	+	362
1.11.3	-, , , Time-of-check to time-of-use .			+	367

V1.12

11 – V1.12

№		1	2	3	CWE
1.12.1	.		+	+	552
1.12.2	, - – octet-stream , , , . , XSS- .		+	+	646

V1.13 API

API .

V1.14

12 – V1.14

№		1	2	3	CWE
1.14.1	, , API, -, (cloud-based security groups) .		+	+	923
1.14.2	, .		+	+	494
1.14.3	(build pipeline) .		+	+	1104
1.14.4	(build pipeline) , , , .		+	+
1.14.5	, , / , , , .		+	+	256
1.14.6	, , NSAPI, Flash, Shockwave, ActiveX, Silverlight, NACL Java-.		+	+	477

. :

- OWASP Threat Modeling Cheat Sheet;

- OWASP Attack Surface Analysis Cheat Sheet;

- OWASP Threat modeling;

- OWASP Secure SDLC Cheat Sheet;

- Microsoft SDL;

- NIST SP 800-57.

Translation of ASVS 4.0 standard. Part 1