The OWASP Application Security Verification Standard is used in the development of web applications.
Ensure secure application architecture, design, and threat modeling to mitigate security risks from the early development stages. For example, establish clear security requirements, apply the principle of least privilege, and enforce strict separation of security concerns; Conduct comprehensive threat modeling and risk analysis to identify and mitigate attack vectors; Maintain architectural integrity by regularly assessing design decisions and ensuring adherence to security best practices.
V1.1 Secure Software Development Lifecycle Requirements Integrate security practices throughout the software development lifecycle (SDLC), including threat modeling, code reviews, and security testing. V1.2 Authentication Architectural Requirements Design strong authentication mechanisms with multi-factor authentication (MFA) and secure credential management. V1.3 Session Management Architectural Requirements Implement secure session handling, including session expiration, token management, and secure cookie attributes. V1.4 Access Control Architectural Requirements Apply role-based access control (RBAC), least privilege, and context-based restrictions to ensure secure access to resources. V1.5 Input and Output Architectural Requirements Ensure input validation, output encoding, and proper data sanitization to prevent injection and cross-site scripting (XSS) attacks. V1.6 Cryptographic Architectural Requirements Use strong encryption standards for data at rest and in transit, and implement key management best practices. V1.7 Errors, Logging and Auditing Architectural Requirements Implement secure error handling, logging, and auditing mechanisms to capture critical events while protecting sensitive data. V1.8 Data Protection and Privacy Architectural Requirements Ensure data encryption, privacy by design, and compliance with data protection regulations like GDPR and CCPA. V1.9 Communications Architectural Requirements Secure communications channels with TLS encryption, mutual authentication, and proper API security. V1.10 Malicious Software Architectural Requirements Protect against malware with endpoint security, malicious code scanning, and secure software supply chain practices. V1.11 Business Logic Architectural Requirements Secure business logic by enforcing validation checks and minimizing logic flaws that could be exploited. V1.12 Secure File Upload Architectural Requirements Implement file validation, file integrity checks, and secure storage for uploaded files to prevent malicious files. V1.13 API Architectural Requirements Secure API endpoints with authentication, rate limiting, input validation, and secure data transmission. V1.14 Configuration Architectural Requirements Use secure default configurations, automatic configuration validation, and regular patch management to prevent vulnerabilities. By following these architectural guidelines, organizations can ensure their systems are built with security, privacy, and integrity in mind from the ground up.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-01-01-01 | Ensure secure Development principles | Require applications to follow secure Development principles, incorporating security-by-Development approaches from the beginning of the development lifecycle. | Preparation | Software Architects, Security Teams |
| SSS-02-11-01-01-02 | Define security requirements before development | Mandate the documentation of security requirements during the requirements analysis phase to ensure security considerations are integrated into the development process. | Preparation | Product Managers, Security Teams, Development Teams |
| SSS-02-11-01-01-03 | Conduct threat modeling | Encourage and standardize the use of threat modeling techniques to identify potential attack vectors and risks early in the Development phase. Use methodologies like STRIDE or DREAD. | Development | Security Architects, Development Teams |
| SSS-02-11-01-01-04 | Ensure separation of security controls | Enforce the proper separation of security concerns, ensuring that authentication, authorization, encryption, and other security mechanisms operate independently and do not interfere with one another. | Development | Security Engineers, DevOps Teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Implement robust authentication mechanisms to verify user identities and prevent unauthorized access. For example, enforce multi-factor authentication, secure password storage using modern hashing algorithms, and prevent brute force attacks through account lockouts and rate limiting; Ensure session expiration and re-authentication for critical actions, reducing the risk of session hijacking; Continuously monitor authentication events and enforce strong identity verification to safeguard access control.
V2.1 Password Security Requirements Enforce strong passwords and multi-factor authentication (MFA) for sensitive actions. V2.2 General Authenticator Requirements Use secure authentication methods appropriate for the application’s security needs. V2.3 Authenticator Lifecycle Requirements Securely manage authenticators, with regular rotation and invalidation. V2.4 Credential Storage Requirements Hash passwords with strong algorithms (e.g., bcrypt) and store secrets securely. V2.5 Credential Recovery Requirements Implement secure recovery methods with multi-step verification and rate-limiting. V2.6 Look-up Secret Verifier Requirements Use secure, unpredictable questions for look-up secrets. V2.7 Out of Band Verifier Requirements Implement out-of-band verification for sensitive actions, ensuring strong security. V2.8 Single or Multi-Factor One-Time Verifier Requirements Use TOTP or hardware tokens for multi-factor authentication. V2.9 Cryptographic Software and Devices Verifier Requirements Use secure cryptographic verification methods (e.g., FIDO2, HSMs). V2.10 Service Authentication Requirements Use OAuth or mutual TLS for secure service-to-service authentication. By implementing strong authentication, secure credential storage, and MFA, organizations can strengthen authentication systems and protect user credentials.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-02-01-01 | Implement strong authentication mechanisms | Ensure that all authentication processes use strong, secure methods, including multi-factor authentication (MFA) and biometric authentication, to verify user identities. | Development | Security Teams, IT Operations |
| SSS-02-11-02-01-02 | Enforce secure password policies | Define and enforce password policies, including minimum length, complexity requirements, and password expiration rules to mitigate weak credential usage. | Development | Security Teams, DevOps Teams |
| SSS-02-11-02-01-03 | Mitigate credential-based attacks | Protect authentication mechanisms against credential stuffing, brute-force attacks, and replay attacks using techniques like rate limiting, account lockout policies, and CAPTCHAs. | Deployment | Security Engineers, DevOps Teams |
| SSS-02-11-02-01-04 | Use secure password storage | Store passwords securely using strong hashing algorithms such as bcrypt, PBKDF2, or Argon2 to prevent credential leaks in case of data breaches. | Post-deployment | Security Teams, Compliance Officers |
| SSS-02-11-02-01-05 | Ensure proper session expiration & re-authentication | Enforce session expiration policies and require re-authentication for high-risk actions to prevent session hijacking and unauthorized access. | Post-deployment | Security Teams, Software Architects |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Ensure secure session management by establishing, maintaining, and terminating sessions with strong security measures. For example, generate unique, unpredictable session identifiers and enforce session expiration policies to minimize exposure to session hijacking attacks; Implement secure cookie attributes and restrict session reuse across devices and locations; Continuously log, audit, and monitor session-related activities to detect anomalies and potential security threats.
V3.1 Fundamental Session Management Requirements Use unique, high-entropy session IDs and ensure they are confidential. Limit session lifetime and ensure sessions are invalidated on logout. V3.2 Session Binding Requirements Bind sessions to specific contexts (IP, device) to prevent hijacking. Regenerate session IDs when context changes. V3.3 Session Logout and Timeout Requirements Timeout sessions after inactivity and ensure secure logout that invalidates the session on the server. V3.4 Cookie-based Session Management Use Secure, HttpOnly, and SameSite flags for cookies to secure them. Set cookie expiration for session cookies. V3.5 Token-based Session Management Use signed and encrypted tokens with short expiration and token validation on each request. V3.6 Re-authentication from a Federation or Assertion Ensure re-authentication for federated logins (e.g., OAuth, SAML) with strong token validation. V3.7 Defenses Against Session Management Exploits Regenerate session IDs to prevent session fixation and monitor for suspicious session activity. Implement rate limiting to prevent brute-force attacks. By regenerating session IDs, binding sessions to contexts, and ensuring secure cookie management, you can effectively secure user sessions.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-03-01-01 | Establish secure session management | Implement secure session handling mechanisms, ensuring unique session IDs and protection against session fixation and hijacking. Use cryptographically strong session identifiers. | Implementation | Security Teams, Software Architects |
| SSS-02-11-03-01-02 | Enforce secure cookie attributes | Configure cookies with security attributes such as HttpOnly, Secure, and SameSite to protect against Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. | Development | Security Teams |
| SSS-02-11-03-01-03 | Implement session expiration policies | Prevent session timeout exploitation by enforcing session expiration, automatic logout for inactive users, and short-lived session tokens. Require re-authentication for sensitive actions. | Deployment | Security Teams, Compliance Officers |
| SSS-02-11-03-01-04 | Ensure proper logout and session revocation | Implement a robust logout mechanism that invalidates session tokens and prevents reuse. Ensure session revocation occurs on logout or after authentication context changes. | Post-deployment | Security Engineers, DevOps Teams |
| SSS-02-11-03-01-05 | Monitor and audit session activities | Continuously monitor active sessions, detect anomalies, and log session-related events to identify potential security risks. Implement automated session termination for detected threats. | Post-deployment | Security Teams, Compliance Officers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Enforce strict access control mechanisms to prevent unauthorized access and privilege escalation. For example, implement role-based or attribute-based access control (RBAC/ABAC) and enforce the principle of least privilege; Restrict access to sensitive data and operations based on defined authorization rules; Continuously monitor access attempts, log violations, and audit privilege changes to maintain security integrity.
V4.1 General Access Control Design Design access control mechanisms from the ground up, ensuring that they are based on role-based access control (RBAC), attribute-based access control (ABAC), or other suitable models tailored to the application's needs. Implement least privilege by ensuring users and systems are granted the minimum necessary access to perform their tasks. Ensure access control policies are consistently applied across all components and layers of the application, such as the user interface, API, and backend. Regularly review access control policies to ensure they align with business needs, legal requirements, and evolving security risks. V4.2 Operation Level Access Control Apply operation-level access control to ensure that users or services can only perform actions they are authorized for, such as creating, updating, or deleting records. Use access control checks for each critical operation in the system, ensuring they align with the defined access policies. Ensure that all sensitive or privileged operations (e.g., administrative actions, financial transactions) are subject to stricter access controls and logging. Enforce auditing and logging of all access-related actions to maintain traceability and detect potential misuse or abuse of privileges. V4.3 Other Access Control Considerations Secure administrative access by implementing additional layers of protection such as multi-factor authentication (MFA), IP whitelisting, and time-based restrictions for privileged accounts. Implement access control for non-human entities, such as service accounts or automated processes, ensuring they only have access to resources required for their operation. Enforce access control in distributed environments by managing access at both the network level (e.g., firewalls, VPNs) and application level (e.g., API access, service meshes). Ensure segmentation and isolation of sensitive environments (e.g., production, development, test) and restrict cross-environment access to minimize risk. By designing access control from the ground up, enforcing operation-level restrictions, and addressing special access considerations for sensitive or privileged actions, organizations can effectively secure their systems against unauthorized access and potential misuse.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-04-01-01 | Implement role-based or attribute-based access control | Enforce Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) to ensure users have access only to authorized resources based on their roles and attributes. | Development | Security Teams, Software Architects |
| SSS-02-11-04-01-02 | Enforce least privilege and separation of duties | Ensure users, applications, and services have only the minimum access necessary to perform their functions, preventing excessive permissions and reducing security risks. | Development | Security Teams, IT Operations |
| SSS-02-11-04-01-03 | Prevent privilege escalation | Implement strict access controls to prevent unauthorized privilege escalation. Use privilege separation, access audits, and continuous monitoring to detect and mitigate privilege abuse. | Deployment | Security Engineers, DevOps Teams |
| SSS-02-11-04-01-04 | Ensure object-level access control | Verify that users can access only their own data by implementing object-level authorization checks in APIs and databases, preventing unauthorized data access. | Post-deployment | Security Teams, Compliance Officers |
| SSS-02-11-04-01-05 | Prevent authorization bypass attacks | Secure applications against forced browsing, direct object reference attacks, and API abuse by enforcing proper authorization checks at every layer of access control. | Post-deployment | Security Engineers, DevOps Teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Ensure input validation and output encoding to prevent security vulnerabilities such as injection attacks. For example, apply strict allowlists for user input, sanitize untrusted data, and encode output to prevent cross-site scripting (XSS); Restrict direct user control over security-sensitive operations, preventing mass assignment and insecure object references; Continuously validate and monitor user inputs and data processing flows to maintain data integrity and security.
V5.1 Input Validation Requirements Validate all incoming input to ensure that it conforms to expected formats, types, and ranges. Use whitelisting to only accept known, safe input values and reject anything outside of the defined boundaries. Implement server-side validation to ensure that client-side validation cannot be bypassed by attackers. Ensure that input validation covers all potential entry points, such as APIs, forms, and headers. V5.2 Sanitization and Sandboxing Requirements Sanitize user inputs to remove any harmful data or characters before processing, such as special characters that could lead to code injection attacks. Use sandboxing techniques to isolate untrusted code from the main application, preventing access to critical system resources. Enforce secure execution environments for any code or operations that handle untrusted inputs, ensuring they run with minimal privileges and in a restricted environment. V5.3 Output Encoding and Injection Prevention Requirements Encode all output data before rendering it in the browser, especially for dynamic content like user inputs or database queries, to prevent XSS (Cross-Site Scripting) and other injection attacks. Apply context-specific encoding depending on where the output will appear (e.g., HTML, JavaScript, SQL, URL). Use parameterized queries and prepared statements to prevent SQL injection and other injection attacks, ensuring that data is never directly concatenated into queries or commands. V5.4 Memory, String, and Unmanaged Code Requirements Manage memory securely by using safe functions to handle buffers and memory allocations to prevent vulnerabilities like buffer overflows. Use safe string manipulation functions that prevent issues like string-based buffer overflows or string formatting errors. If working with unmanaged code (e.g., in languages like C or C++), ensure the proper handling of memory boundaries and use tools like static analysis to detect unsafe coding practices. V5.5 Deserialization Prevention Requirements Avoid deserializing untrusted data by implementing strict checks and controls on all incoming serialized data. Use safe deserialization libraries that can detect and prevent harmful payloads from being executed. Limit the types of objects that can be deserialized and enforce additional security controls to ensure that only safe, expected objects are processed. Apply input validation to ensure that deserialized objects adhere to the expected schema or structure, preventing the deserialization of arbitrary code. By validating inputs, sanitizing data, encoding outputs, and implementing memory safety practices, organizations can significantly reduce the risks of injection attacks, buffer overflows, and other common security vulnerabilities.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-05-01-01 | Implement strict input validation | Enforce strong input validation using allowlists instead of blacklists to prevent injection attacks like SQL Injection and XSS. Validate data types, length, format, and structure at the application and API levels. | Development | Security Teams, Software Developers |
| SSS-02-11-05-01-02 | Apply output encoding | Implement secure output encoding mechanisms (e.g., HTML encoding, escaping special characters) to prevent reflected and stored XSS attacks in web applications. | Development | Security Engineers, Frontend Developers |
| SSS-02-11-05-01-03 | Ensure secure parsing of user input | Protect against XML External Entity (XXE) attacks by disabling insecure XML parsers, enforcing secure configurations, and validating all external input before processing. | Deployment | Security Teams, DevOps Teams |
| SSS-02-11-05-01-04 | Prevent mass assignment vulnerabilities | Restrict object properties exposed to users, ensuring that users can only modify allowed attributes through controlled access mechanisms. Use explicit allowlists for data binding. | Post-deployment | Security Engineers, Compliance Officers |
| SSS-02-11-05-01-05 | Monitor and audit input handling | Continuously monitor application logs for suspicious input patterns, detect potential injection attempts, and conduct regular security testing (e.g., automated scanners, penetration testing). | Post-deployment | Security Teams, Compliance Officers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Securely store sensitive data using modern cryptographic techniques to prevent unauthorized access. For example, apply strong encryption algorithms for data at rest, implement secure key management practices, and enforce cryptographic key rotation; Prevent the use of deprecated or insecure cryptographic functions such as MD5 and SHA-1; Continuously audit cryptographic implementations to identify vulnerabilities and ensure compliance with security standards.
V6.1 Data Classification Classify data based on its sensitivity and business value to determine the appropriate security controls. Define categories such as public, internal, confidential, and highly sensitive data to apply appropriate encryption, access control, and storage policies. Implement data classification labels to ensure proper handling of different data types across the organization. Ensure that sensitive data is subject to higher levels of protection, including encryption and restricted access. V6.2 Algorithms Use strong, industry-standard cryptographic algorithms (e.g., AES-256, RSA-2048, SHA-256) for encrypting and hashing sensitive data. Avoid deprecated or weak cryptographic algorithms (e.g., MD5, SHA-1, DES) that are vulnerable to modern attack methods. Regularly review and update cryptographic algorithms and protocols to comply with evolving security standards and best practices. V6.3 Random Values Ensure cryptographically secure random number generation (e.g., CSPRNG - Cryptographically Secure Pseudo-Random Number Generator) for generating keys, IVs, and other sensitive values. Ensure that random values such as session IDs, nonces, and salts are generated using secure sources to prevent predictability or attacks. Avoid using predictable sources, such as timestamps or user data, for generating random values to mitigate risks of attacks (e.g., brute-force or guessing). V6.4 Secret Management Implement secure storage and management of secrets (e.g., passwords, API keys, private keys) using key management systems (KMS), hardware security modules (HSMs), or vaults. Encrypt secrets at rest and ensure they are accessed only by authorized applications and users. Use access control mechanisms and audit logs to track and restrict access to sensitive secrets, ensuring they are not exposed. Rotate and revoke secrets regularly, and implement secure key life cycle management to ensure secrets remain protected. By classifying data, using strong cryptographic algorithms, and employing secure secret management practices, organizations can protect sensitive data and ensure the integrity and confidentiality of critical information.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-06-01-01 | Use strong encryption for sensitive data at rest | Ensure that sensitive data is encrypted using strong encryption algorithms (e.g., AES-256) when stored at rest, protecting it from unauthorized access in case of data breaches. | Development | Security Teams, IT Operations |
| SSS-02-11-06-01-02 | Implement Secure Key Management | Use a Hardware Security Module (HSM) or secure key vaults to manage encryption keys securely. Ensure that keys are never hardcoded in the application or stored in insecure locations. | Development | Security Engineers, DevOps Teams |
| SSS-02-11-06-01-03 | Ensure Secure Hashing for Password Storage | Use secure, modern hashing algorithms (e.g., bcrypt, PBKDF2, Argon2) to store passwords securely, with salting techniques to further protect against dictionary and rainbow table attacks. | Development | Security Teams, DevOps Teams |
| SSS-02-11-06-01-04 | Avoid Insecure Cryptographic Algorithms | Prevent the use of outdated and insecure cryptographic algorithms such as MD5 and SHA-1. Enforce the use of strong and approved algorithms for hashing and encryption. | Development | Security Engineers, Compliance Officers |
| SSS-02-11-06-01-05 | Rotate Encryption Keys Periodically | Implement policies for the periodic rotation of encryption keys and ensure that key management follows best practices. Ensure keys are never hardcoded in the source code and are updated securely. | Post-deployment | Security Teams, Compliance Officers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Ensure secure error handling and logging mechanisms to prevent information leakage and unauthorized access to sensitive data. For example, implement structured logging while avoiding the storage of credentials or personally identifiable information (PII); Ensure error messages provide minimal information to end users while capturing sufficient details for security investigations; Continuously monitor, log, and audit security events to detect potential threats and unauthorized activities.
V7.1 Log Content Requirements Ensure logs contain sufficient context, including timestamps, user IDs, source IPs, event types, and resource identifiers. Log critical security events such as failed login attempts, access control violations, and sensitive data access. Avoid logging sensitive information (e.g., passwords, full credit card numbers) unless necessary and ensure that sensitive data is masked or anonymized when logged. Ensure logs are granular enough to distinguish between normal and suspicious activity. V7.2 Log Processing Requirements Centralize log collection across all systems to simplify analysis and ensure logs are stored in a secure, tamper-evident manner. Use automated log analysis tools to identify patterns of suspicious activity and raise alerts for anomalies or potential security incidents. Implement real-time monitoring of logs to detect immediate threats, such as DDoS attacks or unauthorized access attempts. Establish log rotation and archiving policies to maintain an organized log storage system while ensuring compliance with retention requirements. V7.3 Log Protection Requirements Ensure logs are stored securely by applying encryption at rest and access controls to limit access to authorized personnel only. Implement log integrity measures, such as write-once storage or hashing, to prevent tampering or unauthorized modification of log files. Monitor access to logs and generate alerts for suspicious activities, such as unauthorized access or attempted deletions. V7.4 Error Handling Handle errors gracefully, ensuring that detailed error messages (e.g., stack traces, database queries) are not exposed to users, as they could aid attackers. Log errors with sufficient detail for troubleshooting, but ensure sensitive information is not included in the logs. Implement generic error messages for users (e.g., "An error occurred") and ensure detailed errors are logged securely for administrators. Use rate limiting and input validation to prevent common error-related attacks like SQL injection or buffer overflow. By ensuring comprehensive log content, secure log processing, and effective error handling, organizations can detect, protect, and respond to security incidents quickly, while maintaining secure and reliable logging practices.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-07-01-01 | Prevent sensitive data exposure in error messages | Ensure error messages do not expose sensitive information such as stack traces, database queries, or internal system details that could be exploited by attackers. | Development | Security Teams, Software Developers |
| SSS-02-11-07-01-02 | Ensure proper logging of security events | Log critical security events, such as authentication failures, access control violations, and any other events relevant to the security posture of the system, while ensuring proper access controls for logs. | Deployment | Security Engineers, IT Operations |
| SSS-02-11-07-01-03 | Implement tamper-proof logs | Use techniques such as digital signatures or hash-based integrity checks to ensure that logs cannot be tampered with or altered, preserving their integrity for auditing purposes. | Post-deployment | Security Engineers, Compliance Officers |
| SSS-02-11-07-01-04 | Prevent logging of sensitive data | Ensure that sensitive information like passwords, API keys, and other credentials are never logged, even in error logs, by masking or omitting them in log entries. | Development | Security Teams, DevOps Teams |
| SSS-02-11-07-01-05 | Ensure alerting mechanisms for security anomalies | Implement real-time alerting systems to detect abnormal behaviors, such as failed login attempts or unusual access patterns, and notify relevant personnel for further investigation. | Post-deployment | Security Teams, IT Operations |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Protect sensitive data throughout its lifecycle to prevent unauthorized disclosure and manipulation. For example, enforce encryption for data at rest and in transit, apply access controls to sensitive information, and prevent unnecessary data exposure; Implement secure data storage and disposal policies, ensuring compliance with regulatory requirements such as GDPR and CCPA; Continuously monitor data access and protection mechanisms to detect and respond to potential security breaches.
V8.1 General Data Protection Classify data according to its sensitivity and apply appropriate protection measures based on privacy laws (e.g., GDPR, CCPA). Minimize data collection by only storing necessary information and implementing data retention policies to delete data once it is no longer needed. Implement access control mechanisms to ensure only authorized users can access sensitive or personal data. Ensure data encryption at rest and in transit to protect data from unauthorized access or breaches. Comply with data protection laws and standards to mitigate risks of fines and data breaches. V8.2 Client-side Data Protection Use client-side encryption for sensitive data, ensuring that only authorized parties can decrypt it. Limit data storage on the client to reduce the risk of exposure through client-side attacks. Implement strong session management and authentication protocols (e.g., JWT, OAuth) to secure client-side interactions. Enforce secure storage mechanisms (e.g., Secure Storage APIs) for sensitive data like passwords or tokens. Avoid storing sensitive data in places like local storage or cookies, where it can be easily accessed or stolen. V8.3 Sensitive Private Data Encrypt sensitive private data (e.g., health, financial, personal data) both at rest and in transit to ensure confidentiality. Apply data masking or tokenization techniques where appropriate to limit exposure of sensitive data. Implement strong access control and audit trails for any systems that process or store sensitive data to detect and prevent unauthorized access. Ensure compliance with industry-specific regulations (e.g., PCI-DSS, HIPAA) for handling and processing sensitive data. Educate employees and stakeholders on the risks of mishandling sensitive data and enforce proper handling procedures. By classifying data, applying encryption and access controls, and complying with relevant regulations, organizations can ensure the protection of sensitive and private data while mitigating risks of data exposure or breaches.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-08-01-01 | Protect personally identifiable information (pii) | Implement measures to ensure that PII and other sensitive data are securely handled, including anonymization, pseudonymization, and strict access controls to protect user privacy. | Development | Security Teams, Privacy Officers |
| SSS-02-11-08-01-02 | Enforce encryption for data at rest and in transit | Apply strong encryption standards (e.g., AES-256) to protect sensitive data both at rest and during transmission over networks (e.g., using TLS for secure communications). | Development | Security Engineers, IT Operations |
| SSS-02-11-08-01-03 | Ensure secure storage mechanisms | Utilize secure storage mechanisms, such as database encryption, tokenization, or secure vaults, to protect sensitive data and prevent unauthorized access. | Deployment | Security Engineers, Database Administrators |
| SSS-02-11-08-01-04 | Implement access restrictions to sensitive data | Enforce strict access controls, including role-based access control (RBAC), to ensure that only authorized personnel can access sensitive data based on their roles and responsibilities. | Post-deployment | Security Teams, Compliance Officers |
| SSS-02-11-08-01-05 | Ensure compliance with data protection regulations | Ensure that data protection measures are in line with regulations like GDPR, CCPA, and other relevant laws, including data retention policies, data subject rights, and cross-border data flow compliance. | Post-deployment | Compliance Officers, Legal Teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Ensure secure communication mechanisms to protect data transmitted between systems and users. For example, enforce TLS encryption for all network communications, implement HTTP Strict Transport Security (HSTS), and prevent protocol downgrade attacks; Secure API communications by validating certificates and enforcing mutual authentication; Continuously monitor for misconfigurations and vulnerabilities in communication channels to mitigate security risks.
V9.1 Communications Security Requirements Encrypt all sensitive communications using strong cryptographic protocols (e.g., TLS 1.2 or higher) to protect data in transit from interception and tampering. Enforce strong encryption standards and ensure that SSL/TLS certificates are valid, properly configured, and periodically updated. Use perfect forward secrecy (PFS) to prevent the compromise of encrypted communications, even if encryption keys are exposed in the future. Disable weak ciphers and protocols (e.g., SSL, TLS 1.0, and TLS 1.1) to mitigate vulnerabilities and ensure secure connections. Implement authentication and authorization controls on all communications to ensure only authorized parties can send or receive sensitive data. V9.2 Server Communications Security Requirements Enforce encryption for all server-to-server communication, including database connections, APIs, and microservices, to protect sensitive data and ensure confidentiality. Ensure API communications are secured with TLS/SSL, and enforce mutual authentication if necessary to validate both client and server identities. Monitor and audit server communications to detect anomalies, such as unauthorized data access attempts or insecure configurations. Use API gateways to manage and secure server-to-server communications, enforcing access controls, and encryption standards. Apply rate limiting and throttling to protect server communications from denial-of-service (DoS) attacks and abuse. By implementing strong encryption, authentication, and continuous monitoring, organizations can ensure that both client and server communications remain secure, preventing data breaches and maintaining confidentiality and integrity.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-09-01-01 | Encrypt data transmission using tls 1.2 or higher | Ensure that all sensitive data transmitted over networks is encrypted using TLS 1.2 or higher to protect against eavesdropping and tampering. | Development | Security Teams, IT Operations |
| SSS-02-11-09-01-02 | Prevent man-in-the-middle (mitm) attacks | Implement proper certificate validation, including checking for valid, trusted certificate authorities, to prevent MITM attacks during data transmission. | Development | Security Engineers, IT Operations |
| SSS-02-11-09-01-03 | Enforce http strict transport security (hsts) | Implement HSTS to enforce the use of secure HTTPS connections, preventing protocol downgrades and ensuring that communications are always transmitted over TLS. | Development | Security Teams, Web Developers |
| SSS-02-11-09-01-04 | Protect api endpoints with secure communication | Ensure that all API endpoints use secure communication practices, such as TLS encryption, and implement additional measures like API keys or OAuth for authentication. | Development | DevOps Teams, API Developers |
| SSS-02-11-09-01-05 | Manage tls certificates properly | Ensure that TLS certificates are regularly updated, are not expired, and are not self-signed. Use trusted certificate authorities to avoid vulnerabilities in certificate management. | Post-deployment | Security Engineers, IT Operations |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Prevent the introduction and execution of malicious code within applications by enforcing secure coding practices. For example, perform regular code reviews, static and dynamic security testing, and implement dependency scanning to detect supply chain risks; Restrict the use of untrusted third-party components and libraries, ensuring integrity verification before integration; Continuously monitor application behavior for anomalies and unauthorized code execution to mitigate potential threats.
V10.1 Code Integrity Controls Use version control systems (VCS) like Git to manage code changes and ensure that code changes are tracked and reviewed. Implement digital signatures and code signing to ensure that the deployed code matches the original source and has not been tampered with. Employ code integrity checks during the build process, using automated tools to verify that no unauthorized modifications have been made to the code before deployment. Review code dependencies and libraries for authenticity and security to ensure that no vulnerable or unauthorized code is included. V10.2 Malicious Code Search Integrate static and dynamic analysis tools into the development and deployment pipeline to automatically scan for malicious code such as backdoors, ransomware, or other malware. Regularly conduct manual code reviews and employ automated scanning tools to detect and remove malicious or suspicious code from the application codebase. Use threat intelligence feeds to stay informed about known malicious code patterns and vulnerabilities that could impact your codebase. V10.3 Deployed Application Integrity Controls Monitor deployed applications using integrity verification mechanisms such as file integrity monitoring (FIM) to detect any unauthorized modifications to the application or its components in production. Implement continuous integrity checks by comparing the deployed code and configuration with the expected state from source control to identify discrepancies. Ensure that runtime application self-protection (RASP) is implemented to continuously monitor and defend against unauthorized changes or attacks on deployed applications. By implementing code integrity controls, regular malicious code scans, and deployed application integrity checks, organizations can protect their applications from tampering, unauthorized modifications, and malware attacks.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-10-01-01 | Enforce secure coding practices | Ensure developers follow secure coding practices to prevent backdoors and malware injection, including validating inputs, using secure libraries, and avoiding unsafe coding patterns. | Development | Security Engineers, Software Developers |
| SSS-02-11-10-01-02 | Verify third-party dependencies for supply chain security | Conduct thorough checks on third-party dependencies and libraries to ensure they are free from known vulnerabilities and malware. Use trusted sources and maintain a software bill of materials (SBOM). | Development | DevOps Teams, Security Teams |
| SSS-02-11-10-01-03 | Conduct regular vulnerability scanning | Perform regular vulnerability scanning on codebases to identify potential security flaws, misconfigurations, or vulnerabilities that could be exploited by attackers. | Development | Security Teams, Quality Assurance |
| SSS-02-11-10-01-04 | Prevent unsafe use of deserialization | Avoid unsafe deserialization techniques that can lead to remote code execution or other vulnerabilities. Ensure that deserialization processes are secure and input is properly validated. | Development | Security Engineers, Software Developers |
| SSS-02-11-10-01-05 | Implement software composition analysis (sca) | Use software composition analysis tools to detect vulnerable dependencies in the codebase, ensuring that third-party components do not introduce risks into the application. | Deployment | Security Teams, IT Operations |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Secure business logic workflows to prevent logical flaws that attackers can exploit. For example, validate critical transactions, enforce rate limits on automated processes, and prevent workflow abuse that could lead to financial or reputational loss; Apply authorization checks within business logic to prevent privilege escalation and unauthorized actions; Continuously audit, test, and monitor business processes to detect and mitigate logic-based security risks.
V11.1 Business Logic Security Requirements -Design secure business logic by ensuring it is resilient to manipulation and cannot be bypassed by attackers. This includes considering potential edge cases and abnormal user behavior. -Implement strong access control to ensure only authorized users can access or modify business-critical functions and data. -Protect sensitive business workflows (e.g., financial transactions, sensitive data processing) with additional layers of security, such as multi-factor authentication (MFA), validation of input, and role-based access control (RBAC). -Verify that business rules are enforced consistently across all components of the application, including APIs, user interfaces, and background processes. -Monitor for abnormal activities that could indicate business logic abuse, such as unexpected patterns of behavior or excessive usage of particular functions. -Test business logic thoroughly, including use cases and misuse cases, to identify potential vulnerabilities or unintended behaviors. -Minimize complex workflows to reduce the attack surface and ensure easier auditing and detection of malicious activities. By designing secure, consistent, and validated business logic, organizations can protect against attacks that exploit weaknesses in core business processes.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-11-01-01 | Ensure business logic is not exploitable | Prevent exploitation of business logic by identifying and mitigating potential abuse scenarios, such as misuse of discount codes, invalid workflows, or unintended system behavior. | Development | Security Engineers, Business Analysts |
| SSS-02-11-11-01-02 | Enforce business logic workflows | Implement strict enforcement of business workflows to prevent logic-based attacks, ensuring that business processes follow the intended rules and restrictions. | Development | Software Architects, Security Teams |
| SSS-02-11-11-01-03 | Prevent automation attacks | Implement measures to protect against automation attacks (e.g., bot-driven abuse of business rules) by using CAPTCHA, rate limiting, and bot detection systems. | Development | Security Engineers, IT Operations |
| SSS-02-11-11-01-04 | Add extra authentication for security-critical transactions | Ensure that sensitive or security-critical transactions, such as fund transfers or changes to user accounts, require additional authentication layers (e.g., multi-factor authentication). | Deployment | Security Teams, IT Operations |
| SSS-02-11-11-01-05 | Protect against replay attacks | Implement mechanisms to prevent replay attacks on business logic workflows, such as using unique tokens for each transaction and enforcing timestamps or nonce validation. | Post-deployment | Security Teams, DevOps Teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Securely handle files and resources to prevent unauthorized access, manipulation, and execution of malicious content. For example, validate file uploads with allowlists, implement malware scanning, and enforce secure storage locations; Prevent path traversal attacks by sanitizing file paths and restricting direct file access; Continuously monitor file interactions, log access attempts, and audit resource usage to mitigate security risks.
V12.1 File Upload Requirements Validate file types and extensions before allowing upload, ensuring only allowed formats are accepted. Enforce size limits on file uploads to prevent DoS (Denial of Service) via large files. Use temporary storage for uploaded files and validate them using antivirus scanning and other security checks before processing. Implement authentication and authorization checks to ensure only authorized users can upload files. V12.2 File Integrity Requirements Use checksums or hashes (e.g., SHA-256) to verify file integrity during upload, ensuring the file has not been tampered with. Apply integrity controls during file transmission, ensuring files are not altered or corrupted in transit. Monitor file uploads for unusual activity and alert administrators if integrity checks fail or anomalies are detected. V12.3 File Execution Requirements Restrict file execution to only authorized directories or services, preventing malicious files from being executed. Avoid allowing executable file types (e.g., .exe, .bat, .sh) to be uploaded or executed on the server. Implement sandboxing for files that must be processed or executed to limit the risk of exploitation. V12.4 File Storage Requirements Store files in a separate, isolated storage location, distinct from the main web server or sensitive systems. Encrypt sensitive files at rest, using strong encryption algorithms to ensure data confidentiality. Apply access controls to restrict access to files based on user roles, ensuring only authorized personnel can view or modify files. V12.5 File Download Requirements Implement authentication and authorization checks before allowing file downloads, ensuring only authorized users can access files. Sanitize file names and paths to prevent directory traversal or path injection attacks. Use secure download mechanisms such as HTTPS to protect data integrity and confidentiality during the download process. V12.6 SSRF Protection Requirements Restrict outbound network access for uploaded files to prevent SSRF (Server-Side Request Forgery) attacks. Implement an allowlist for URLs that the server can access, preventing arbitrary connections to internal or external services. Use input validation and sanitization on any URLs or data submitted by users to prevent manipulation and SSRF vulnerabilities. By enforcing secure file upload and download mechanisms, file integrity checks, and robust SSRF protections, organizations can minimize the risks associated with file handling and ensure the integrity and confidentiality of uploaded data.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-12-01-01 | Secure handling of file uploads | Ensure that all file uploads are scanned for malware and other potential threats. Implement checks to ensure uploaded files do not contain malicious code. | Development | Security Engineers, DevOps Teams |
| SSS-02-11-12-01-02 | Prevent path traversal attacks | Protect against path traversal attacks by blocking sequences like ../ and validating file paths to ensure files are stored in secure directories, avoiding unauthorized access. | Development | Security Engineers, Software Developers |
| SSS-02-11-12-01-03 | Validate mime types for uploaded files | Ensure proper MIME type validation for uploaded files to prevent the uploading of dangerous files (e.g., executable files disguised as images or documents). | Development | Security Teams, QA Teams |
| SSS-02-11-12-01-04 | Implement access control for uploaded files | Prevent direct access to uploaded files by enforcing proper access control policies, such as using unique URLs, file permission settings, and authentication checks. | Deployment | Security Engineers, IT Operations |
| SSS-02-11-12-01-05 | Secure handling of external resources | Safeguard against Server-Side Request Forgery (SSRF) and similar attacks by validating and sanitizing external resource requests, and preventing unauthorized internal resource access. | Post-deployment | Security Teams, DevOps Teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Ensure secure implementation and management of APIs and web services to prevent data leaks and unauthorized access. For example, enforce authentication and authorization for API endpoints, apply rate limiting to prevent abuse, and validate all incoming and outgoing data; Secure API communications with TLS and implement proper access controls for sensitive operations; Continuously monitor API traffic, log access attempts, and audit security controls to detect and mitigate threats.
V13.1 Generic Web Service Security Verification Requirements Authenticate and authorize all users and services accessing the web service, ensuring proper identity and access control mechanisms are in place. Implement encryption for both data in transit and at rest using strong cryptographic protocols (e.g., TLS, AES). Validate all incoming and outgoing data, using input validation, output encoding, and sanitization to prevent common attacks like injection and XSS. Use rate limiting and monitoring to detect and mitigate potential attacks, such as DDoS or abuse of service. V13.2 RESTful Web Service Verification Requirements Ensure statelessness in API design, where each request contains all necessary information, and session management is handled securely. Implement secure authentication methods such as OAuth or JWT for RESTful APIs, ensuring token validation and authorization checks are done at every endpoint. Use CORS (Cross-Origin Resource Sharing) policies to control cross-origin access, enforcing trusted domains for API access. Validate and sanitize JSON data sent via the API, applying strict checks to prevent malicious data injection. V13.3 SOAP Web Service Verification Requirements Secure SOAP-based communication using XML Encryption and XML Signature to ensure confidentiality and data integrity. Validate the integrity of SOAP messages by ensuring WS-Security standards are applied, including the use of secure token exchanges. Use endpoint security controls, such as IP whitelisting, to restrict which clients can access the SOAP service. Implement strict input validation for XML-based data to prevent common XML-based attacks like XXE (XML External Entity) attacks. V13.4 GraphQL and Other Web Service Data Layer Security Requirements Implement fine-grained access control for GraphQL queries, ensuring users can only query authorized fields and data (e.g., based on roles and permissions). Enforce rate limiting for GraphQL queries to prevent complex query abuse that could impact the performance or security of the server. Sanitize and validate all inputs and outputs of GraphQL operations to prevent SQL injection and other data manipulation attacks. Implement authentication and authorization checks at each resolver to ensure that only authorized users can access specific data fields or execute queries. By implementing secure authentication, encryption, input validation, and rate limiting across web service types (RESTful, SOAP, GraphQL), organizations can protect their services from a wide range of attacks while maintaining secure and efficient data exchanges.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-13-01-01 | Ensure api authentication and authorization | Use strong authentication mechanisms such as OAuth 2.0, JWT, or API keys to verify and authorize API users, ensuring that only authenticated and authorized users can access API endpoints. | Development | Security Teams, API Developers |
| SSS-02-11-13-01-02 | Prevent api abuse and rate limiting bypass | Implement rate limiting and request throttling to prevent abuse of API resources and mitigate denial-of-service (DoS) attacks. Ensure proper handling of excessive requests to protect against service overload. | Deployment | Security Engineers, DevOps Teams |
| SSS-02-11-13-01-03 | Ensure secure api data transmission | Enforce secure communication for all API data transmissions by using TLS encryption, ensuring that sensitive data is protected during transit from eavesdropping and tampering. | Development | Security Engineers, IT Operations |
| SSS-02-11-13-01-04 | Prevent insecure direct object references (idor) | Ensure that API endpoints properly validate and authorize access to resources to prevent insecure direct object references, ensuring that users cannot access resources they are not authorized to. | Development | Security Engineers, API Developers |
| SSS-02-11-13-01-05 | Configure cors policies properly | Implement and configure Cross-Origin Resource Sharing (CORS) policies to prevent cross-origin attacks, ensuring that only trusted origins can access the API resources. | Development | Security Teams, API Developers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |
Maintain secure configurations to minimize security risks arising from misconfigurations and outdated software. For example, enforce secure default settings, remove unnecessary features in production environments, and regularly apply patches and updates; Implement strict access controls for administrative configurations and prevent exposure of sensitive settings; Continuously audit system configurations, monitor for vulnerabilities, and enforce best practices to maintain a secure and resilient environment.
V14.1 Build Ensure the build process incorporates security checks, such as static analysis and code scanning, to identify vulnerabilities early in the development cycle. Use CI/CD pipelines that integrate automated security testing and enforce secure coding practices. V14.2 Dependency Regularly update and patch dependencies, ensuring that all third-party libraries and components are secure and up-to-date. Use dependency management tools like OWASP Dependency-Check and SCA tools to detect known vulnerabilities in dependencies. V14.3 Unintended Security Disclosure Requirements Minimize security disclosures by ensuring that sensitive information such as debugging output and stack traces are never exposed in production environments. Implement proper error handling to return generic error messages and log detailed errors on the server side only. V14.4 HTTP Security Headers Requirements Enforce critical HTTP security headers like Content Security Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, and X-Frame-Options to protect against a variety of attacks (e.g., XSS, clickjacking). Use Secure and HttpOnly flags for cookies to prevent JavaScript access and ensure secure transmission. V14.5 Validate HTTP Request Header Requirements Validate incoming HTTP request headers to ensure they conform to expected formats and do not contain malicious or unexpected content (e.g., restricting the User-Agent or Referer headers). Implement rate limiting and input sanitization for header values to prevent header injection attacks and mitigate abuse. By adhering to secure build practices, managing dependencies, and implementing essential HTTP headers, organizations can strengthen their web application security posture and reduce vulnerability to attacks.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-11-14-01-01 | Implement secure default configurations | Ensure that all systems and applications are configured with secure default settings to prevent misconfigurations that could lead to vulnerabilities. Disable unnecessary features and services by default. | Preparation | Security Teams, IT Operations |
| SSS-02-11-14-01-02 | Enforce software updates and patch management | Implement policies and mechanisms to ensure timely software updates and patch management, reducing the risk of vulnerabilities due to outdated software components. | Deployment | IT Operations, Security Teams |
| SSS-02-11-14-01-03 | Remove unnecessary features in production | Ensure that unnecessary features, such as debug modes or verbose error messages, are removed or disabled in production environments to prevent potential attack vectors. | Deployment | Development Teams, IT Operations |
| SSS-02-11-14-01-04 | Configure proper security headers | Implement necessary security headers such as Content Security Policy (CSP), X-Frame-Options, X-XSS-Protection, and others to enhance security and prevent attacks like clickjacking, XSS, and content injection. | Development | Security Engineers, Web Developers |
| SSS-02-11-14-01-05 | Ensure secure dependency management | Implement secure dependency management practices, including regular checks for outdated libraries and known vulnerabilities, and enforce the use of trusted and up-to-date dependencies. | Development | Security Teams, DevOps Teams |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-0971) OWASP Application Security Verification Standard OWASP Application Security Verification Standard |