The web profile provides a baseline set of security requirements and associated test guidance for securing web applications. It applies to developers of web apps and web-accessible APIs.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
This program leverages the internationally recognized OWASP Application Security Verification Standard (ASVS) as its core. The OWASP ASVS offers a comprehensive set of security assessment requirements and guidelines covering the entire web application development lifecycle. Building upon this base, the App Defense Alliance (ADA) focused on testable requirements with clear acceptance criteria. Further, the ADA approach emphasizes the use of automation where possible.
1 Authentication
1.1 Implement strong password security measures
1.2 Disable any default accounts for public application access interfaces
1.3 Out-of-band verifiers shall be random and not reused
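The following is an added example, not code from the ADA profile or from the OWASP ASVS, of what requirement 1.3 asks for: an out-of-band verifier (such as a code sent by SMS or e-mail) that is drawn from a CSPRNG, expires, is limited in guesses, and is consumed on first successful use. The ten-minute lifetime, the five-attempt limit, the six-digit format and the in-memory store are assumptions for the example; a real deployment would keep the server key in its secret store and the pending records in a shared backend.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600    # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5          # assumption: discard the code after 5 wrong guesses
# Assumption: in production this key comes from the secret store; here it is
# generated at start-up so the example runs stand-alone.
_SERVER_KEY = secrets.token_bytes(32)


class OutOfBandVerifier:
    """Issues one verification code per user and accepts it at most once."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised in tests
        self._pending = {}     # user_id -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(user_id, code):
        # Keyed hash: a read of the pending table does not reveal live codes, and the
        # 6-digit space cannot be enumerated offline without the server key.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id):
        # secrets, not random: CSPRNG. Uniform in [0, 10**6), zero-padded to 6 digits.
        code = f"{secrets.randbelow(10**6):06d}"
        # Overwriting any earlier record makes a previously issued code unusable (no reuse).
        self._pending[user_id] = {
            "digest": self._digest(user_id, code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # the caller delivers this over the out-of-band channel

    def verify(self, user_id, candidate):
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if self._now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]   # expired or brute-forced: discard, never compare
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], self._digest(user_id, candidate)):
            del self._pending[user_id]   # single use: consumed on success
            return True
        return False
```

Because the record is deleted on success, a replay of the same code fails, and because `issue` replaces the record, only the most recently sent code is ever valid for a user.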
2 Session Management
2.1 URLs shall not expose sensitive information
2.2 Implement session invalidation on logout, user request, and password change
2.3 Implement and secure application session tokens
2.4 Protect sensitive account modifications
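An added example, written for this page rather than taken from the ADA profile or the ASVS, covering requirements 2.1 to 2.3 together: a server-side session store whose tokens are random, are kept only as hashes, travel in a cookie rather than a URL, and are invalidated on logout and when the password changes. The one-hour lifetime, the in-memory dictionary, the `users` mapping and the `change_password` helper are assumptions of the example.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 3600   # assumption: sessions live for one hour


class SessionStore:
    """Server-side session registry keyed by the hash of a random bearer token."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}   # sha256(token) -> {"user_id", "expires"}

    @staticmethod
    def _hash(token):
        # Only the hash is stored, so a copy of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id):
        # 32 CSPRNG bytes (256 bits), URL-safe base64 so it fits a cookie value.
        token = secrets.token_urlsafe(32)
        self._sessions[self._hash(token)] = {
            "user_id": user_id,
            "expires": self._now() + SESSION_TTL_SECONDS,
        }
        return token

    def resolve(self, token):
        """Return the user for a presented token, or None if unknown or expired."""
        key = self._hash(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._sessions[key]
            return None
        return rec["user_id"]

    def logout(self, token):
        # 2.2: logout removes the server-side record; the cookie value is then worthless.
        self._sessions.pop(self._hash(token), None)

    def invalidate_all(self, user_id):
        # 2.2: on password change or user request, drop every session of the account.
        stale = [h for h, r in self._sessions.items() if r["user_id"] == user_id]
        for h in stale:
            del self._sessions[h]

    @staticmethod
    def session_cookie(token):
        # 2.3 and 2.1: the token is carried in a Secure, HttpOnly cookie, never in a URL.
        return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def change_password(store, users, user_id, new_password_hash):
    """Rotate the credential, end every existing session, and start a fresh one."""
    users[user_id] = new_password_hash   # assumption: users maps id -> password hash
    store.invalidate_all(user_id)
    return store.create(user_id)
```

Keeping the token out of the URL (requirement 2.1) is what the cookie helper enforces; a token in a query string would be copied into browser history, proxy logs and the Referer header of any outbound link.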
3 Access Control
3.1 Implement access control mechanisms to protect data and APIs
3.2 Implement secure OAuth integrations to protect user data and prevent unauthorized access
3.3 Application exposed administrative interfaces shall use appropriate multi-factor authentication
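An added example for requirements 3.1 and 3.3, not code from the ADA profile or the ASVS: an API handler that looks objects up by client-supplied id, shown first without an authorization check (the classic insecure direct object reference) and then with an object-level check that denies by default, plus an administrative action that requires both the admin role and a completed multi-factor step. The `User` type, the `billing` and `admin` roles and the invoice table are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: str
    roles: frozenset = field(default_factory=frozenset)
    mfa_verified: bool = False   # set only after a second factor succeeded in this session


# Constructed sample data: invoices and their owners.
INVOICES = {
    "inv-1": {"owner": "alice", "amount": 120},
    "inv-2": {"owner": "bob", "amount": 80},
}


class Forbidden(Exception):
    pass


def get_invoice_insecure(invoice_id):
    """Before: any caller that knows or guesses an id can read any invoice."""
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    """After: the caller must own the invoice or hold the 'billing' role.

    A missing id and a foreign id both raise the same error, so the endpoint is
    not an oracle for which ids exist.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or not (inv["owner"] == user.id or "billing" in user.roles):
        raise Forbidden(invoice_id)
    return inv


def admin_action(user, action):
    """3.3: administrative functions need the admin role and a verified second factor."""
    if "admin" not in user.roles or not user.mfa_verified:
        raise Forbidden(action)
    return f"{action} done"


def allowed(fn, *args):
    """True if the call succeeds, False if it is denied (convenience for callers and tests)."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```

The check lives in the handler that performs the access rather than in the router, so every code path that reaches the data goes through it; a route-level rule alone would not stop a caller who has a valid session but asks for someone else's id.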
4 Communications
4.1 Protect data through strong cryptography
5 Data Validation and Sanitization
5.1 Implement validation & input sanitization
5.2 Securely handle untrusted files
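An added example for requirement 5.2, not code from the ADA profile or the ASVS: validation of an uploaded file that ignores the client-supplied name and MIME type, enforces a size cap, matches the extension against an allow-list and the content against that type's magic bytes, rejects NUL bytes and path components, and stores the file under a server-chosen random name in a fixed directory outside the web root. The size limit, the allowed types and the upload directory are assumptions of the example.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumption: 5 MiB cap
UPLOAD_DIR = "/var/app/uploads"      # assumption: outside the web root, not executable
# Allow-list of extension -> required leading bytes. Anything not listed is rejected.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


class RejectedUpload(ValueError):
    pass


def validate_upload(client_filename, data):
    """Return (extension, server_side_name) or raise RejectedUpload.

    Neither the client's filename nor its Content-Type is trusted: the name only
    contributes an extension that is then checked against the file's own bytes.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise RejectedUpload("too large")
    # Keep only the last path component; the client name may carry '../' or backslashes.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        raise RejectedUpload("NUL byte in filename")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    if not data.startswith(magic):
        raise RejectedUpload("content does not match declared type")
    # The on-disk name is random and server-chosen; the client's name never reaches the filesystem.
    return ext, f"{secrets.token_hex(16)}.{ext}"


def upload_verdict(client_filename, data):
    """None when the upload is accepted, otherwise the rejection reason."""
    try:
        validate_upload(client_filename, data)
        return None
    except RejectedUpload as exc:
        return str(exc)


def store_path(server_side_name):
    """Join with the fixed directory and confirm the result still lies inside it."""
    path = os.path.normpath(os.path.join(UPLOAD_DIR, server_side_name))
    if os.path.dirname(path) != UPLOAD_DIR:
        raise RejectedUpload("path escape")
    return path
```

Matching magic bytes closes the `shell.php.png` style of double-extension trick only in combination with the random server-side name and a non-executable storage location; the content check alone would still let a genuine PNG with embedded script reach disk, which is why the directory must never be served with execution enabled.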
6 Configuration
6.1 Keep all components up to date
6.2 Disable debug modes in production environments
6.3 The Origin header shall not be used for authentication or access control decisions
6.4 Protect application from subdomain takeover
6.5 Do not log credentials or payment details
6.6 Sensitive user data is either not stored in browser storage or is deleted when the user logs out
6.7 Securely store server-side secrets
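An added example for requirement 6.3, not code from the ADA profile or the ASVS: a state-changing handler that first, insecurely, treats a matching Origin header as proof that the request came from the first-party application, and then the corrected handler that takes identity from the server-side session and defeats cross-site request forgery with a per-session token that only same-origin pages can read. Origin is kept only as an additional cross-origin rejection signal. The request shape, the trusted origin and the `transfer` action are assumptions of the example.

```python
import hmac
import secrets

TRUSTED_ORIGIN = "https://app.example"   # assumption: the application's own origin


def new_csrf_token():
    """Per-session random token, stored server-side and embedded in first-party forms."""
    return secrets.token_urlsafe(32)


def make_request(origin=None, session_user=None, session_csrf=None, form_csrf=None):
    """Constructed request as a framework would hand it to a handler after cookie lookup."""
    headers = {}
    if origin is not None:
        headers["Origin"] = origin
    return {
        "headers": headers,
        "session_user": session_user,   # user resolved from the session cookie, or None
        "session_csrf": session_csrf,   # token stored with that session
        "form_csrf": form_csrf,         # token submitted in the request body
    }


def transfer_insecure(req):
    """Before: Origin is treated as an authenticator.

    Any non-browser client (curl, a script) sets the header to whatever it likes, so
    this grants the action to anyone on the internet.
    """
    if req["headers"].get("Origin") == TRUSTED_ORIGIN:
        return "transfer executed"
    return "denied"


def transfer(req):
    """After: who is acting comes from the session; CSRF is stopped by the token.

    A cross-site page can make the victim's browser send the session cookie, but it
    cannot read the token out of the first-party page, so the comparison fails.
    """
    if req["session_user"] is None:
        return "denied: not authenticated"
    if req["form_csrf"] is None or req["session_csrf"] is None or \
            not hmac.compare_digest(req["form_csrf"], req["session_csrf"]):
        return "denied: bad csrf token"
    origin = req["headers"].get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        # Defense in depth against CSRF only: a foreign Origin rejects, a matching one grants nothing.
        return "denied: cross-origin"
    return f"transfer executed for {req['session_user']}"
```

The asymmetry is the point: a mismatching Origin can safely reject a request, because browsers set it truthfully, but a matching Origin proves nothing, because non-browser clients set it freely.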
See GitHub for full details