[ISM] Security verification:

The OWASP Application Security Verification Standard is used in the development of web applications.

[OWASP] Enforce secure communication (SSS-02-11-09)

Ensure that secure communication mechanisms protect data transmitted between systems and users. For example: enforce TLS for all network communication; implement HTTP Strict Transport Security (HSTS) and prevent protocol downgrade attacks; secure API communication by validating certificates and, where the trust model requires it, enforcing mutual authentication; and continuously monitor communication channels for misconfigurations and vulnerabilities so that weaknesses are found before they are exploited.

[OWASP] Secure communications (SSS-02-11-09-01)

V9.1 Communications Security Requirements

Encrypt all sensitive communications using strong cryptographic protocols (TLS 1.2 or higher) to protect data in transit from interception and tampering. Enforce a strong cipher configuration and ensure that TLS certificates are valid, properly configured and renewed before they expire. Use cipher suites that provide (perfect) forward secrecy, i.e. ephemeral (EC)DHE key exchange, so that previously recorded traffic cannot be decrypted even if the server's long-term private key is compromised later. Disable weak protocols and ciphers (SSLv2/SSLv3, TLS 1.0 and TLS 1.1, and legacy suites such as RC4, 3DES and export-grade ciphers) to remove known vulnerabilities and ensure secure connections. Implement authentication and authorization controls on all communications so that only authorized parties can send or receive sensitive data.

V9.2 Server Communications Security Requirements

Enforce encryption for all server-to-server communication, including database connections, APIs and microservices, to protect sensitive data and ensure confidentiality. Ensure that API communications are secured with TLS, and enforce mutual TLS (mTLS) where both client and server identities must be validated. Monitor and audit server communications to detect anomalies, such as unauthorized data access attempts or insecure configurations. Use API gateways to manage and secure server-to-server communications, enforcing access controls and encryption standards. Apply rate limiting and throttling to protect server communications from denial-of-service (DoS) attacks and abuse. By implementing strong encryption, authentication and continuous monitoring, organizations can ensure that both client and server communications remain secure, preventing data breaches and maintaining confidentiality and integrity.

Operations

ID: SSS-02-11-09-01-01
Operation: Encrypt data transmission using TLS 1.2 or higher
Description: Ensure that all sensitive data transmitted over networks is encrypted using TLS 1.2 or higher to protect against eavesdropping and tampering.
Phase: Development
Agent: Security Teams, IT Operations

ID: SSS-02-11-09-01-02
Operation: Prevent man-in-the-middle (MITM) attacks
Description: Implement proper certificate validation on the client side, including chain validation against trusted certificate authorities, expiry checks and hostname verification, to prevent MITM attacks during data transmission.
Phase: Development
Agent: Security Engineers, IT Operations

ID: SSS-02-11-09-01-03
Operation: Enforce HTTP Strict Transport Security (HSTS)
Description: Implement HSTS to enforce the use of HTTPS connections, preventing protocol downgrades and ensuring that communications are always transmitted over TLS. The header must be sent over HTTPS with a sufficiently long max-age, and includeSubDomains should be set where subdomains are also served over TLS.
Phase: Development
Agent: Security Teams, Web Developers

ID: SSS-02-11-09-01-04
Operation: Protect API endpoints with secure communication
Description: Ensure that all API endpoints use secure communication practices, such as TLS encryption, and implement additional measures such as API keys or OAuth for authentication.
Phase: Development
Agent: DevOps Teams, API Developers

ID: SSS-02-11-09-01-05
Operation: Manage TLS certificates properly
Description: Ensure that TLS certificates are renewed before expiry, are not expired, and are not self-signed on public endpoints. Use trusted certificate authorities (a public CA for Internet-facing services, or a properly managed private CA whose root is distributed to internal clients) to avoid vulnerabilities in certificate management.
Phase: Post-deployment
Agent: Security Engineers, IT Operations
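The operations above (TLS 1.2 minimum, certificate validation against MITM, HSTS, mutual TLS for APIs) can be expressed as a single reusable TLS policy and audited rather than configured ad hoc. The following is an added example written for this page; it is not code from the original page, from the OWASP ASVS or from the ISM. It uses only the Python standard library's ssl module. The PEM paths passed to server_context() are placeholders the operator supplies (assumed to be certificates issued by the organisation's CA), and the HSTS minimum age of one year is an assumed policy value.

```python
"""Hardened TLS contexts, a configuration audit, and an HSTS header check.

Added example for this page (not from the original page, OWASP ASVS or ISM).
Standard library only; certificate paths are caller-supplied placeholders.
"""
import ssl
from typing import List, Optional

# TLS 1.2 suites limited to ECDHE key exchange (forward secrecy) and AEAD
# ciphers. set_ciphers() only governs TLS 1.2 and below; the TLS 1.3 suites
# (TLS_AES_*, TLS_CHACHA20_*) stay enabled and are forward-secret by design.
PFS_AEAD_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
])

ONE_YEAR = 31536000  # assumed policy: minimum HSTS max-age in seconds


def _harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Apply the protocol and cipher policy shared by client and server."""
    # SSLv3, TLS 1.0 and TLS 1.1 are refused outright (SSS-02-11-09-01-01).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_AEAD_CIPHERS)
    # No TLS compression (CRIME) and no client-initiated renegotiation.
    ctx.options |= ssl.OP_NO_COMPRESSION | getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client side: the server chain and hostname are always verified, which
    is what stops a MITM presenting an untrusted certificate
    (SSS-02-11-09-01-02). ca_bundle=None means the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return _harden(ctx)


def server_context(certfile: str, keyfile: str,
                   client_ca: Optional[str] = None) -> ssl.SSLContext:
    """Server side. Passing client_ca turns on mutual TLS: every client must
    present a certificate chaining to that CA (V9.2 mutual authentication)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)   # placeholder paths, operator-supplied
    if client_ca is not None:
        ctx.load_verify_locations(cafile=client_ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return _harden(ctx)


def weak_client_context() -> ssl.SSLContext:
    """Deliberately misconfigured client, built only to exercise audit_context():
    it accepts any certificate, which is exactly the MITM-enabling mistake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations found in a context (empty list = compliant)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions enabled")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        if ctx.verify_mode == ssl.CERT_NONE:
            findings.append("peer certificate not validated")
        if not ctx.check_hostname:
            findings.append("hostname not verified")
    elif ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("mutual TLS not enforced (client certificates optional)")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        # Forward secrecy: ECDHE in TLS 1.2 names, or any TLS 1.3 suite (TLS_*).
        if not name.startswith(("ECDHE-", "TLS_")):
            findings.append("non-forward-secret cipher suite enabled: " + name)
    return findings


def check_hsts(header: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Check a Strict-Transport-Security response header (SSS-02-11-09-01-03).
    Directive names are case-insensitive (RFC 6797); max-age is mandatory."""
    if header is None:
        return ["HSTS header missing"]
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or malformed"]
    findings = []
    if max_age < min_age:
        findings.append("HSTS max-age %d is below %d" % (max_age, min_age))
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    print("hardened client:", audit_context(client_context()))
    print("weak client:    ", audit_context(weak_client_context()))
    print("HSTS:", check_hsts("max-age=300"))
```

audit_context() is the "continuously monitor for misconfigurations" step of the control applied to the process's own TLS settings; for a server that intentionally does not use mutual TLS, the "mutual TLS not enforced" finding is expected and should be accepted explicitly rather than silenced. The weak context exists only to show what the audit catches; a production client must never set verify_mode to CERT_NONE.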

References

Industry framework:
Information Security Manual (ISM-0971)
OWASP Application Security Verification Standard