OWASP ASVS 4.0.3 Level 3
69 ASVS sections mapped to controls. Each row is an ASVS chapter section (for example V2.1), not an individual numbered requirement (such as V2.1.1); at Level 3 every requirement in a listed section is in scope.
Requirements
| Requirement | Title | Controls | Owner |
|---|---|---|---|
| V1.1 | Secure Software Development Lifecycle | SID-OPS-08 | platform |
| V1.2 | Authentication Architecture | SID-AUTH-01, SID-AUTH-02, SID-AUTH-03, SID-AUTH-04 | platform |
| V1.4 | Access Control Architecture | SID-ACCESS-01, SID-ACCESS-04 | platform |
| V1.5 | Input and Output Architecture | SID-HARD-02, SID-TRANS-04 | platform |
| V1.6 | Cryptographic Architecture | SID-CRYPTO-01, SID-CRYPTO-02, SID-CRYPTO-03, SID-CRYPTO-05 | platform |
| V1.7 | Errors, Logging and Auditing Architecture | SID-AUDIT-01, SID-OPS-06 | platform |
| V1.8 | Data Protection and Privacy Architecture | SID-DATA-06, SID-PRIV-01 | platform |
| V1.9 | Communications Architecture | SID-TRANS-01 | platform |
| V1.10 | Malicious Software Architecture | SID-OPS-04 | platform |
| V1.11 | Business Logic Architecture | SID-OPS-08 | platform |
| V1.12 | Secure File Upload Architecture | SID-HARD-07 | platform |
| V1.14 | Configuration Architecture | SID-HARD-03, SID-OPS-04 | platform |
| V2.1 | Password Security | SID-ARCH-01 | platform |
| V2.2 | General Authenticator Security | SID-AUTH-01, SID-ACCESS-02 | platform |
| V2.3 | Authenticator Lifecycle | SID-AUTH-01 | platform |
| V2.4 | Credential Storage | SID-ARCH-01 | platform |
| V2.5 | Credential Recovery | SID-ARCH-01 | platform |
| V2.6 | Look-up Secret Verifier | SID-ARCH-01 | platform |
| V2.7 | Out of Band Verifier | SID-ARCH-01 | platform |
| V2.8 | One Time Verifier | SID-ARCH-01 | platform |
| V2.9 | Cryptographic Verifier | SID-CRYPTO-01, SID-KEY-01 | platform |
| V2.10 | Service Authentication | SID-CRYPTO-01 | platform |
| V3.1 | Fundamental Session Management Security | SID-AUTH-02 | platform |
| V3.2 | Session Binding | SID-AUTH-02 | platform |
| V3.3 | Session Termination | SID-AUTH-02 | platform |
| V3.4 | Cookie-based Session Management | SID-AUTH-02 | platform |
| V3.5 | Token-based Session Management | SID-AUTH-02 | platform |
| V3.6 | Federated Re-authentication | SID-AUTH-03 | platform |
| V3.7 | Defenses Against Session Management Exploits | SID-AUTH-02 | platform |
| V4.1 | General Access Control Design | SID-ACCESS-01, SID-ACCESS-04 | platform |
| V4.2 | Operation Level Access Control | SID-ACCESS-01 | platform |
| V4.3 | Other Access Control Considerations | SID-HARD-03, SID-ACCESS-01 | platform |
| V5.1 | Input Validation | SID-HARD-02 | platform |
| V5.2 | Sanitization and Sandboxing | SID-HARD-02, SID-TRANS-04 | platform |
| V5.3 | Output Encoding and Injection Prevention | SID-HARD-02 | platform |
| V5.4 | Memory, String, and Unmanaged Code | SID-HARD-02 | platform |
| V5.5 | Deserialization Prevention | SID-HARD-02 | platform |
| V6.1 | Data Classification | SID-DATA-06, SID-CRYPTO-03 | platform |
| V6.2 | Algorithms | SID-CRYPTO-01, SID-CRYPTO-05 | platform |
| V6.3 | Random Values | SID-CRYPTO-05 | platform |
| V6.4 | Secret Management | SID-CRYPTO-01 | platform |
| V7.1 | Log Content | SID-AUDIT-01 | platform |
| V7.2 | Log Processing | SID-AUDIT-01, SID-OPS-06 | platform |
| V7.3 | Log Protection | SID-AUDIT-01 | platform |
| V7.4 | Error Handling | SID-HARD-01 | platform |
| V8.1 | General Data Protection | SID-DATA-08, SID-HARD-02 | platform |
| V8.2 | Client-side Data Protection | SID-HARD-05 | platform |
| V8.3 | Sensitive Private Data | SID-DATA-06, SID-PRIV-01, SID-PRIV-03 | platform |
| V9.1 | Client Communication Security | SID-TRANS-01 | platform |
| V9.2 | Server Communication Security | SID-TRANS-01 | platform |
| V10.1 | Code Integrity | SID-OPS-04 | platform |
| V10.2 | Malicious Code Search | SID-OPS-04 | platform |
| V10.3 | Application Integrity | SID-HARD-05, SID-OPS-04 | platform |
| V11.1 | Business Logic Security | SID-ACCESS-02, SID-OPS-08 | platform |
| V12.1 | File Upload | SID-HARD-07 | platform |
| V12.2 | File Integrity | SID-HARD-07 | platform |
| V12.3 | File Execution | SID-HARD-02 | platform |
| V12.4 | File Storage | SID-HARD-07 | platform |
| V12.5 | File Download | SID-HARD-07 | platform |
| V12.6 | SSRF Protection | SID-TRANS-04 | platform |
| V13.1 | Generic Web Service Security | SID-HARD-02, SID-ACCESS-04 | platform |
| V13.2 | RESTful Web Service | SID-HARD-02 | platform |
| V13.3 | SOAP Web Service | SID-ARCH-01 | platform |
| V13.4 | GraphQL | SID-ARCH-01 | platform |
| V14.1 | Build and Deploy | SID-OPS-08, SID-OPS-04 | platform |
| V14.2 | Dependency | SID-OPS-04, SID-ORG-04 | platform |
| V14.3 | Unintended Security Disclosure | SID-HARD-01 | platform |
| V14.4 | HTTP Security Headers | SID-HARD-05 | platform |
| V14.5 | HTTP Request Header Validation | SID-HARD-02 | platform |