The OWASP Application Security Verification Standard is used in the development of web applications.
Implement robust authentication mechanisms to verify user identities and prevent unauthorized access. For example, enforce multi-factor authentication, store passwords using modern password-hashing algorithms, and prevent brute-force attacks through account lockouts and rate limiting. Ensure session expiration and re-authentication for critical actions to reduce the risk of session hijacking. Continuously monitor authentication events and enforce strong identity verification to safeguard access control.

- V2.1 Password Security Requirements: Enforce strong passwords and multi-factor authentication (MFA) for sensitive actions.
- V2.2 General Authenticator Requirements: Use secure authentication methods appropriate for the application's security needs.
- V2.3 Authenticator Lifecycle Requirements: Securely manage authenticators, with regular rotation and invalidation.
- V2.4 Credential Storage Requirements: Hash passwords with strong algorithms (e.g., bcrypt) and store secrets securely.
- V2.5 Credential Recovery Requirements: Implement secure recovery methods with multi-step verification and rate limiting.
- V2.6 Look-up Secret Verifier Requirements: Use secure, unpredictable questions for look-up secrets.
- V2.7 Out of Band Verifier Requirements: Implement out-of-band verification for sensitive actions, ensuring strong security.
- V2.8 Single or Multi-Factor One-Time Verifier Requirements: Use TOTP or hardware tokens for multi-factor authentication.
- V2.9 Cryptographic Software and Devices Verifier Requirements: Use secure cryptographic verification methods (e.g., FIDO2, HSMs).
- V2.10 Service Authentication Requirements: Use OAuth or mutual TLS for secure service-to-service authentication.

By implementing strong authentication, secure credential storage, and MFA, organizations can strengthen their authentication systems and protect user credentials.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-11-02-01-01 | Implement strong authentication mechanisms | Ensure that all authentication processes use strong, secure methods, including multi-factor authentication (MFA) and biometric authentication, to verify user identities. | Development | Security Teams, IT Operations |
SSS-02-11-02-01-02 | Enforce secure password policies | Define and enforce password policies, including minimum length, complexity requirements, and password expiration rules to mitigate weak credential usage. | Development | Security Teams, DevOps Teams |
SSS-02-11-02-01-03 | Mitigate credential-based attacks | Protect authentication mechanisms against credential stuffing, brute-force attacks, and replay attacks using techniques like rate limiting, account lockout policies, and CAPTCHAs. | Deployment | Security Engineers, DevOps Teams |
SSS-02-11-02-01-04 | Use secure password storage | Store passwords securely using strong hashing algorithms such as bcrypt, PBKDF2, or Argon2 to prevent credential leaks in case of data breaches. | Post-deployment | Security Teams, Compliance Officers |
SSS-02-11-02-01-05 | Ensure proper session expiration & re-authentication | Enforce session expiration policies and require re-authentication for high-risk actions to prevent session hijacking and unauthorized access. | Post-deployment | Security Teams, Software Architects |
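As an added example (not part of this page, of ASVS, or of any project it references), the following Python code puts the controls from SSS-02-11-02-01-03 and SSS-02-11-02-01-04 side by side: PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt and constant-time comparison for credential storage, and a per-account failed-attempt counter with a timed lockout against brute force. The `AuthStore` class, the iteration count and the lockout thresholds are illustrative assumptions, not values the page specifies.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 work factor and lockout policy.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5          # failures before the account is locked
LOCKOUT_SECONDS = 15 * 60        # how long the lockout lasts


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AuthStore:
    """In-memory user store (hypothetical) with failed-attempt counting and timed lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so lockout expiry can be tested without waiting
        self._records = {}   # username -> {"hash": str, "failures": int, "locked_until": float}

    def register(self, username: str, password: str) -> None:
        self._records[username] = {"hash": hash_password(password), "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'; unknown users get the same 'denied' as a bad password."""
        record = self._records.get(username)
        now = self._clock()
        if record is None:
            # Spend the same PBKDF2 cost so response time does not reveal whether the user exists.
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            return "denied"
        if now < record["locked_until"]:
            return "locked"
        if verify_password(password, record["hash"]):
            record["failures"] = 0
            return "ok"
        record["failures"] += 1
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            record["locked_until"], record["failures"] = now + LOCKOUT_SECONDS, 0
        return "denied"
```

Returning the same `denied` result for a wrong password and for an unknown user, and only reporting `locked` once the threshold is hit, gives the monitoring side a small, stable set of outcomes to alert on.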
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0971); OWASP Application Security Verification Standard | | |