Home >> Taxonomy >> Asvs 4.0.3 >> Level 2 controls

Level 2 controls

Level 2 contains 259 controls listed below:

01-architecture-design-and-threat-modeling

01-secure-software-development-lifecycle

• V1.1.1 Verify the use of a secure software development li ...
• V1.1.2 Verify the use of threat modeling for every design ...
• V1.1.3 All user stories and features contain functional s ...
• V1.1.4 Verify documentation and justification of all the ...
• V1.1.5 Verify definition and security analysis of the app ...
• V1.1.6 Verify implementation of centralized, simple (econ ...
• V1.1.7 Verify availability of a secure coding checklist, ...

02-authentication-architecture

• V1.2.1 Verify the use of unique or special low-privilege ...
• V1.2.2 Communications between application components, inc ...
• V1.2.3 The application uses a single vetted authenticatio ...
• V1.2.4 All authentication pathways and identity managemen ...

04-access-control-architecture

• V1.4.1 Trusted enforcement points, such as access control ...
• V1.4.4 Verify the application uses a single and well-vett ...
• V1.4.5 Attribute or feature-based access control is used ...

05-input-and-output-architecture

• V1.5.1 Input and output requirements clearly define how t ...
• V1.5.2 Serialization is not used when communicating with ...
• V1.5.3 Input validation is enforced on a trusted service ...
• V1.5.4 Output encoding occurs close to or by the interpre ...

06-cryptographic-architecture

• V1.6.1 There is an explicit policy for management of cryp ...
• V1.6.2 Consumers of cryptographic services protect key ma ...
• V1.6.3 All keys and passwords are replaceable and are par ...
• V1.6.4 The architecture treats client-side secrets--such ...

07-errors-logging-and-auditing-architecture

• V1.7.1 A common logging format and approach is used acros ...
• V1.7.2 Logs are securely transmitted to a preferably remo ...

08-data-protection-and-privacy-architecture

• V1.8.1 All sensitive data is identified and classified in ...
• V1.8.2 All protection levels have an associated set of pr ...

09-communications-architecture

• V1.9.1 Verify the application encrypts communications bet ...
• V1.9.2 Application components verify the authenticity of ...

10-malicious-software-architecture

• V1.10.1 A source code control system is in use, with proce ...

11-business-logic-architecture

• V1.11.1 Verify the definition and documentation of all app ...
• V1.11.2 All high-value business logic flows, including aut ...

12-secure-file-upload-architecture

• V1.12.2 User-uploaded files - if required to be displayed ...

14-configuration-architecture

• V1.14.1 Verify the segregation of components of differing ...
• V1.14.2 Binary signatures, trusted connections, and verifi ...
• V1.14.3 The build pipeline warns of out-of-date or insecur ...
• V1.14.4 The build pipeline contains a build step to automa ...
• V1.14.5 Application deployments adequately sandbox, contai ...
• V1.14.6 Verify the application does not use unsupported, i ...

02-authentication

01-password-security

• V2.1.1 User set passwords are at least 12 characters in l ...
• V2.1.2 Passwords of at least 64 characters are permitted, ...
• V2.1.3 Password truncation is not performed. however, con ...
• V2.1.4 Any printable unicode character, including languag ...
• V2.1.5 Verify users can change their password. ...
• V2.1.6 Password change functionality requires the user's ...
• V2.1.7 Passwords submitted during account registration, l ...
• V2.1.8 A password strength meter is provided to help user ...
• V2.1.9 There are no password composition rules limiting t ...
• V2.1.10 There are no periodic credential rotation or passw ...
• V2.1.11 "paste" functionality, browser password helpers, a ...
• V2.1.12 The user can choose to either temporarily view the ...

02-general-authenticator-security

• V2.2.1 Anti-automation controls are effective at mitigati ...
• V2.2.2 The use of weak authenticators (such as sms and em ...
• V2.2.3 Secure notifications are sent to users after updat ...

03-authenticator-lifecycle

• V2.3.1 Verify system generated initial passwords or activ ...
• V2.3.2 Enrollment and use of user-provided authentication ...
• V2.3.3 Renewal instructions are sent with sufficient time ...

04-credential-storage

• V2.4.1 Passwords are stored in a form that is resistant t ...
• V2.4.2 The salt is at least 32 bits in length and be chos ...
• V2.4.3 If pbkdf2 is used, the iteration count should be a ...
• V2.4.4 If bcrypt is used, the work factor should be as la ...
• V2.4.5 An additional iteration of a key derivation functi ...

05-credential-recovery

• V2.5.1 A system generated initial activation or recovery ...
• V2.5.2 Verify password hints or knowledge-based authentic ...
• V2.5.3 Verify password credential recovery does not revea ...
• V2.5.4 Verify shared or default accounts are not present ...
• V2.5.5 If an authentication factor is changed or replaced ...
• V2.5.6 Verify forgotten password, and other recovery path ...
• V2.5.7 If otp or multi-factor authentication factors are ...

06-look-up-secret-verifier

• V2.6.1 Lookup secrets can be used only once. ...
• V2.6.2 Lookup secrets have sufficient randomness (112 bit ...
• V2.6.3 Lookup secrets are resistant to offline attacks, s ...

07-out-of-band-verifier

• V2.7.1 Clear text out of band (nist "restricted") authent ...
• V2.7.2 The out of band verifier expires out of band authe ...
• V2.7.3 The out of band verifier authentication requests, ...
• V2.7.4 The out of band authenticator and verifier communi ...
• V2.7.5 The out of band verifier retains only a hashed ver ...
• V2.7.6 The initial authentication code is generated by a ...

08-one-time-verifier

• V2.8.1 Time-based otps have a defined lifetime before exp ...
• V2.8.2 Symmetric keys used to verify submitted otps are h ...
• V2.8.3 Approved cryptographic algorithms are used in the ...
• V2.8.4 Time-based otp can be used only once within the va ...
• V2.8.5 If a time-based multi-factor otp token is re-used ...
• V2.8.6 Verify physical single-factor otp generator can be ...
• V2.8.7 Biometric authenticators are limited to use only a ...

09-cryptographic-verifier

• V2.9.1 Cryptographic keys used in verification are stored ...
• V2.9.2 The challenge nonce is at least 64 bits in length, ...
• V2.9.3 Approved cryptographic algorithms are used in the ...

10-service-authentication

• V2.10.1 Intra-service secrets do not rely on unchanging cr ...
• V2.10.2 If passwords are required for service authenticati ...
• V2.10.3 Passwords are stored with sufficient protection to ...
• V2.10.4 Verify passwords, integrations with databases and ...

03-session-management

01-fundamental-session-management-security

• V3.1.1 Verify the application never reveals session token ...

02-session-binding

• V3.2.1 Verify the application generates a new session tok ...
• V3.2.2 Session tokens possess at least 64 bits of entropy ...
• V3.2.3 Verify the application only stores session tokens ...
• V3.2.4 Session tokens are generated using approved crypto ...

03-session-termination

• V3.3.1 Logout and expiration invalidate the session token ...
• V3.3.2 If authenticators permit users to remain logged in ...
• V3.3.3 The application gives the option to terminate all ...
• V3.3.4 Users are able to view and (having re-entered logi ...

04-cookie-based-session-management

• V3.4.1 Cookie-based session tokens have the 'secure' attr ...
• V3.4.2 Cookie-based session tokens have the 'httponly' at ...
• V3.4.3 Cookie-based session tokens utilize the 'samesite' ...
• V3.4.4 Cookie-based session tokens use the "__host-" pref ...
• V3.4.5 If the application is published under a domain nam ...

05-token-based-session-management

• V3.5.1 Verify the application allows users to revoke oaut ...
• V3.5.2 Verify the application uses session tokens rather ...
• V3.5.3 Stateless session tokens use digital signatures, e ...

07-defenses-against-session-management-exploits

• V3.7.1 Verify the application ensures a full, valid login ...

04-access-control

01-general-access-control-design

• V4.1.1 The application enforces access control rules on a ...
• V4.1.2 All user and data attributes and policy informatio ...
• V4.1.3 The principle of least privilege exists - users sh ...
• V4.1.5 Access controls fail securely including when an ex ...

02-operation-level-access-control

• V4.2.1 Sensitive data and apis are protected against inse ...
• V4.2.2 The application or framework enforces a strong ant ...

03-other-access-control-considerations

• V4.3.1 Verify administrative interfaces use appropriate m ...
• V4.3.2 Directory browsing is disabled unless deliberately ...
• V4.3.3 Verify the application has additional authorizatio ...

05-validation-sanitization-and-encoding

01-input-validation

• V5.1.1 The application has defenses against http paramete ...
• V5.1.2 Frameworks protect against mass parameter assignme ...
• V5.1.3 All input (html form fields, rest requests, url pa ...
• V5.1.4 Structured data is strongly typed and validated ag ...
• V5.1.5 Url redirects and forwards only allow destinations ...

02-sanitization-and-sandboxing

• V5.2.1 All untrusted html input from wysiwyg editors or s ...
• V5.2.2 Unstructured data is sanitized to enforce safety m ...
• V5.2.3 The application sanitizes user input before passin ...
• V5.2.4 The application avoids the use of eval() or other ...
• V5.2.5 The application protects against template injectio ...
• V5.2.6 The application protects against ssrf attacks, by ...
• V5.2.7 The application sanitizes, disables, or sandboxes ...
• V5.2.8 The application sanitizes, disables, or sandboxes ...

03-output-encoding-and-injection-prevention

• V5.3.1 Output encoding is relevant for the interpreter an ...
• V5.3.2 Output encoding preserves the user's chosen charac ...
• V5.3.3 Context-aware, preferably automated - or at worst, ...
• V5.3.4 Data selection or database queries (e.g. sql, hql, ...
• V5.3.5 Where parameterized or safer mechanisms are not pr ...
• V5.3.6 The application protects against json injection at ...
• V5.3.7 The application protects against ldap injection vu ...
• V5.3.8 The application protects against os command inject ...
• V5.3.9 The application protects against local file inclus ...
• V5.3.10 The application protects against xpath injection o ...

04-memory-string-and-unmanaged-code

• V5.4.1 The application uses memory-safe string, safer mem ...
• V5.4.2 Format strings do not take potentially hostile inp ...
• V5.4.3 Sign, range, and input validation techniques are u ...

05-deserialization-prevention

• V5.5.1 Serialized objects use integrity checks or are enc ...
• V5.5.2 The application correctly restricts xml parsers to ...
• V5.5.3 Deserialization of untrusted data is avoided or is ...
• V5.5.4 When parsing json in browsers or javascript-based ...

06-stored-cryptography

01-data-classification

• V6.1.1 Regulated private data is stored encrypted while a ...
• V6.1.2 Regulated health data is stored encrypted while at ...
• V6.1.3 Regulated financial data is stored encrypted while ...

02-algorithms

• V6.2.1 All cryptographic modules fail securely, and error ...
• V6.2.2 Industry proven or government approved cryptograph ...
• V6.2.3 Encryption initialization vector, cipher configura ...
• V6.2.4 Random number, encryption or hashing algorithms, k ...
• V6.2.5 Known insecure block modes (i.e. ecb, etc.), paddi ...
• V6.2.6 Nonces, initialization vectors, and other single u ...

03-random-values

• V6.3.1 All random numbers, random file names, random guid ...
• V6.3.2 Random guids are created using the guid v4 algorit ...

04-secret-management

• V6.4.1 A secrets management solution such as a key vault ...
• V6.4.2 Key material is not exposed to the application but ...

07-error-handling-and-logging

01-log-content

• V7.1.1 The application does not log credentials or paymen ...
• V7.1.2 The application does not log other sensitive data ...
• V7.1.3 The application logs security relevant events incl ...
• V7.1.4 Each log event includes necessary information that ...

02-log-processing

• V7.2.1 All authentication decisions are logged, without s ...
• V7.2.2 All access control decisions can be logged and all ...

03-log-protection

• V7.3.1 All logging components appropriately encode data t ...
• V7.3.3 Security logs are protected from unauthorized acce ...
• V7.3.4 Time sources are synchronized to the correct time ...

04-error-handling

• V7.4.1 A generic message is shown when an unexpected or s ...
• V7.4.2 Exception handling (or a functional equivalent) is ...
• V7.4.3 A "last resort" error handler is defined which wil ...

08-data-protection

01-general-data-protection

• V8.1.1 Verify the application protects sensitive data fro ...
• V8.1.2 All cached or temporary copies of sensitive data s ...
• V8.1.3 Verify the application minimizes the number of par ...
• V8.1.4 Verify the application can detect and alert on abn ...

02-client-side-data-protection

• V8.2.1 Verify the application sets sufficient anti-cachin ...
• V8.2.2 Data stored in browser storage (such as localstora ...
• V8.2.3 Authenticated data is cleared from client storage, ...

03-sensitive-private-data

• V8.3.1 Sensitive data is sent to the server in the http m ...
• V8.3.2 Users have a method to remove or export their data ...
• V8.3.3 Users are provided clear language regarding collec ...
• V8.3.4 All sensitive data created and processed by the ap ...
• V8.3.5 Verify accessing sensitive data is audited (withou ...
• V8.3.6 Sensitive information contained in memory is overw ...
• V8.3.7 Sensitive or private information that is required ...
• V8.3.8 Sensitive personal information is subject to data ...

09-communication

01-client-communication-security

• V9.1.1 Tls is used for all client connectivity, and does ...
• V9.1.2 Verify using up to date tls testing tools that onl ...
• V9.1.3 Only the latest recommended versions of the tls pr ...

02-server-communication-security

• V9.2.1 Connections to and from the server use trusted tls ...
• V9.2.2 Encrypted communications such as tls is used for a ...
• V9.2.3 All encrypted connections to external systems that ...
• V9.2.4 Proper certification revocation, such as online ce ...

10-malicious-code

02-malicious-code-search

• V10.2.1 The application source code and third party librar ...
• V10.2.2 The application does not ask for unnecessary or ex ...

03-application-integrity

• V10.3.1 If the application has a client or server auto-upd ...
• V10.3.2 The application employs integrity protections, suc ...
• V10.3.3 The application has protection from subdomain take ...

11-business-logic

01-business-logic-security

• V11.1.1 The application will only process business logic f ...
• V11.1.2 The application will only process business logic f ...
• V11.1.3 Verify the application has appropriate limits for ...
• V11.1.4 The application has anti-automation controls to pr ...
• V11.1.5 Verify the application has business logic limits o ...
• V11.1.6 The application does not suffer from "time of chec ...
• V11.1.7 The application monitors for unusual events or act ...
• V11.1.8 The application has configurable alerting when aut ...

12-files-and-resources

01-file-upload

• V12.1.1 The application will not accept large files that c ...
• V12.1.2 The application checks compressed files (e.g. zip, ...
• V12.1.3 A file size quota and maximum number of files per ...

02-file-integrity

• V12.2.1 Files obtained from untrusted sources are validate ...

03-file-execution

• V12.3.1 User-submitted filename metadata is not used direc ...
• V12.3.2 User-submitted filename metadata is validated or i ...
• V12.3.3 User-submitted filename metadata is validated or i ...
• V12.3.4 The application protects against reflective file d ...
• V12.3.5 Untrusted file metadata is not used directly with ...
• V12.3.6 The application does not include and execute funct ...

04-file-storage

• V12.4.1 Files obtained from untrusted sources are stored o ...
• V12.4.2 Files obtained from untrusted sources are scanned ...

05-file-download

• V12.5.1 The web tier is configured to serve only files wit ...
• V12.5.2 Direct requests to uploaded files will never be ex ...

06-ssrf-protection

• V12.6.1 The web or application server is configured with a ...

13-api-and-web-service

01-generic-web-service-security

• V13.1.1 All application components use the same encodings ...
• V13.1.3 Verify api urls do not expose sensitive informatio ...
• V13.1.4 Authorization decisions are made at both the uri, ...
• V13.1.5 Requests containing unexpected or missing content ...

02-restful-web-service

• V13.2.1 Enabled restful http methods are a valid choice fo ...
• V13.2.2 Json schema validation is in place and verified be ...
• V13.2.3 Restful web services that utilize cookies are prot ...
• V13.2.5 Rest services explicitly check the incoming conten ...
• V13.2.6 The message headers and payload are trustworthy an ...

03-soap-web-service

• V13.3.1 Xsd schema validation takes place to ensure a prop ...
• V13.3.2 The message payload is signed using ws-security to ...

04-graphql

• V13.4.1 A query allow list or a combination of depth limit ...
• V13.4.2 Graphql or other data layer authorization logic sh ...

14-configuration

01-build-and-deploy

• V14.1.1 The application build and deployment processes are ...
• V14.1.2 Compiler flags are configured to enable all availa ...
• V14.1.3 Server configuration is hardened as per the recomm ...
• V14.1.4 The application, configuration, and all dependenci ...

02-dependency

• V14.2.1 All components are up to date, preferably using a ...
• V14.2.2 All unneeded features, documentation, sample appli ...
• V14.2.3 If application assets, such as javascript librarie ...
• V14.2.4 Third party components come from pre-defined, trus ...
• V14.2.5 A software bill of materials (sbom) is maintained ...
• V14.2.6 The attack surface is reduced by sandboxing or enc ...

03-unintended-security-disclosure

• V14.3.2 Web or application server and application framewor ...
• V14.3.3 The http headers or any part of the http response ...

04-http-security-headers

• V14.4.1 Every http response contains a content-type header ...
• V14.4.2 All api responses contain a content-disposition: a ...
• V14.4.3 A content security policy (csp) response header is ...
• V14.4.4 All responses contain a x-content-type-options: no ...
• V14.4.5 A strict-transport-security header is included on ...
• V14.4.6 A suitable referrer-policy header is included to a ...
• V14.4.7 The content of a web application cannot be embedde ...

05-http-request-header-validation

• V14.5.1 The application server only accepts the http metho ...
• V14.5.2 The supplied origin header is not used for authent ...
• V14.5.3 The cross-origin resource sharing (cors) access-co ...
• V14.5.4 Http headers added by a trusted proxy or sso devic ...

Loading comments 0%