|
1_1_1. Secure Software Development Lifecycle
|
331. Guarantee legal compliance
|
|
1_2_1. Authentication architecture
|
096. Set user's required privileges
186. Use the principle of least privilege
|
|
1_2_2. Authentication architecture
|
186. Use the principle of least privilege
228. Authenticate using standard protocols
|
|
1_2_3. Authentication architecture
|
264. Request authentication
|
|
1_2_4. Authentication architecture
|
328. Request MFA for critical systems
|
|
1_4_1. Access control architecture
|
265. Restrict access to critical processes
320. Avoid client-side control enforcement
|
|
1_5_2. Input and output architecture
|
321. Avoid deserializing untrusted data
|
|
1_5_3. Input and output architecture
|
173. Discard unsafe inputs
|
|
1_5_4. Input and output architecture
|
160. Encode system outputs
|
|
1_6_2. Cryptographic architecture
|
145. Protect system cryptographic keys
|
|
1_6_3. Cryptographic architecture
|
361. Replace cryptographic keys
|
|
1_6_4. Cryptographic architecture
|
145. Protect system cryptographic keys
|
|
1_7_2. Errors, logging and auditing architecture
|
378. Use of log management system
|
|
1_8_2. Data protection and privacy architecture
|
026. Encrypt client-side session information
185. Encrypt sensitive information
329. Keep client-side storage without sensitive data
|
|
1_9_1. Communications architecture
|
147. Use pre-existent mechanisms
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
|
|
1_9_2. Communications architecture
|
336. Disable insecure TLS versions
|
|
1_12_2. Secure File Upload Architecture
|
349. Include HTTP security headers
|
|
1_14_5. Configuration architecture
|
321. Avoid deserializing untrusted data
374. Use of isolation methods in running applications
|
|
1_14_6. Configuration architecture
|
262. Verify third-party components
|
|
2_1_1. Password security
|
133. Passwords with at least 20 characters
|
|
2_1_2. Password security
|
132. Passphrases with at least 4 words
|
|
2_1_3. Password security
|
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
|
|
2_1_4. Password security
|
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
|
|
2_1_5. Password security
|
126. Set a password regeneration mechanism
|
|
2_1_6. Password security
|
141. Force re-authentication
|
|
2_1_7. Password security
|
332. Prevent the use of breached passwords
|
|
2_1_8. Password security
|
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
|
|
2_1_9. Password security
|
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
|
|
2_1_10. Password security
|
129. Validate previous passwords
|
|
2_2_1. General authenticator security
|
237. Ascertain human interaction
|
|
2_2_2. General authenticator security
|
153. Out of band transactions
231. Implement a biometric verification component
|
|
2_2_3. General authenticator security
|
153. Out of band transactions
|
|
2_2_4. General authenticator security
|
328. Request MFA for critical systems
|
|
2_2_6. General authenticator security
|
139. Set minimum OTP length
140. Define OTP lifespan
347. Invalidate previous OTPs
|
|
2_2_7. General authenticator security
|
153. Out of band transactions
231. Implement a biometric verification component
|
|
2_3_1. Authenticator lifecycle
|
138. Define lifespan for temporary passwords
367. Proper generation of temporary passwords
|
|
2_3_2. Authenticator lifecycle
|
153. Out of band transactions
231. Implement a biometric verification component
|
|
2_4_1. Credential storage
|
127. Store hashed passwords
134. Store passwords with salt
150. Set minimum size for hash functions
|
|
2_4_2. Credential storage
|
135. Passwords with random salt
|
|
2_4_3. Credential storage
|
127. Store hashed passwords
|
|
2_4_4. Credential storage
|
127. Store hashed passwords
|
|
2_4_5. Credential storage
|
135. Passwords with random salt
|
|
2_5_1. Credential recovery
|
126. Set a password regeneration mechanism
|
|
2_5_2. Credential recovery
|
334. Avoid knowledge-based authentication
|
|
2_5_3. Credential recovery
|
238. Establish safe recovery
|
|
2_5_4. Credential recovery
|
142. Change system default credentials
|
|
2_5_5. Credential recovery
|
301. Notify configuration changes
|
|
2_5_6. Credential recovery
|
140. Define OTP lifespan
238. Establish safe recovery
|
|
2_6_1. Look-up secret verifier
|
131. Deny multiple password changing attempts
|
|
2_6_2. Look-up secret verifier
|
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
|
|
2_6_3. Look-up secret verifier
|
126. Set a password regeneration mechanism
238. Establish safe recovery
|
|
2_7_1. Out of band verifier
|
153. Out of band transactions
|
|
2_7_2. Out of band verifier
|
335. Define out of band token lifespan
|
|
2_7_3. Out of band verifier
|
335. Define out of band token lifespan
|
|
2_7_4. Out of band verifier
|
338. Implement perfect forward secrecy
|
|
2_7_6. Out of band verifier
|
223. Uniform distribution in random numbers
|
|
2_8_1. One time verifier
|
140. Define OTP lifespan
|
|
2_8_2. One time verifier
|
232. Require equipment identity
|
|
2_8_3. One time verifier
|
147. Use pre-existent mechanisms
|
|
2_8_4. One time verifier
|
347. Invalidate previous OTPs
|
|
2_8_5. One time verifier
|
377. Store logs based on valid regulation
|
|
2_8_6. One time verifier
|
141. Force re-authentication
|
|
2_8_7. One time verifier
|
231. Implement a biometric verification component
|
|
2_9_1. Cryptographic verifier
|
145. Protect system cryptographic keys
|
|
2_9_3. Cryptographic verifier
|
224. Use secure cryptographic mechanisms
|
|
2_10_2. Service authentication
|
142. Change system default credentials
|
|
2_10_3. Service authentication
|
134. Store passwords with salt
|
|
2_10_4. Service authentication
|
156. Source code without sensitive information
|
|
3_1_1. Fundamental session management security
|
037. Parameters without sensitive data
|
|
3_2_1. Session binding
|
030. Avoid object reutilization
|
|
3_2_2. Session binding
|
224. Use secure cryptographic mechanisms
|
|
3_2_3. Session binding
|
029. Cookies with security attributes
|
|
3_2_4. Session binding
|
224. Use secure cryptographic mechanisms
|
|
3_3_1. Session termination
|
030. Avoid object reutilization
|
|
3_3_2. Session termination
|
141. Force re-authentication
|
|
3_3_3. Session termination
|
028. Allow users to log out
141. Force re-authentication
|
|
3_3_4. Session termination
|
028. Allow users to log out
|
|
3_4_1. Cookie-based session management
|
029. Cookies with security attributes
|
|
3_4_2. Cookie-based session management
|
029. Cookies with security attributes
|
|
3_4_3. Cookie-based session management
|
029. Cookies with security attributes
|
|
3_4_4. Cookie-based session management
|
029. Cookies with security attributes
|
|
3_4_5. Cookie-based session management
|
029. Cookies with security attributes
031. Discard user session data
|
|
3_5_2. Token-based session management
|
357. Use stateless session tokens
|
|
3_5_3. Token-based session management
|
357. Use stateless session tokens
|
|
3_7_1. Defenses against session management exploits
|
319. Make authentication options equally secure
|
|
4_1_1. General access control design
|
096. Set user's required privileges
341. Use the principle of deny by default
|
|
4_1_2. General access control design
|
026. Encrypt client-side session information
096. Set user's required privileges
|
|
4_1_3. General access control design
|
186. Use the principle of least privilege
|
|
4_1_5. General access control design
|
359. Avoid using generic exceptions
|
|
4_2_1. Operation level access control
|
176. Restrict system objects
|
|
4_2_2. Operation level access control
|
030. Avoid object reutilization
031. Discard user session data
141. Force re-authentication
|
|
4_3_1. Other access control considerations
|
122. Validate credential ownership
153. Out of band transactions
176. Restrict system objects
229. Request access credentials
231. Implement a biometric verification component
264. Request authentication
266. Disable insecure functionalities
319. Make authentication options equally secure
328. Request MFA for critical systems
|
|
5_1_1. Input validation
|
342. Validate request parameters
|
|
5_1_2. Input validation
|
237. Ascertain human interaction
327. Set a rate limit
|
|
5_1_3. Input validation
|
342. Validate request parameters
|
|
5_1_4. Input validation
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
|
|
5_1_5. Input validation
|
324. Control redirects
|
|
5_2_1. Sanitization and sandboxing
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
|
|
5_2_2. Sanitization and sandboxing
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
|
|
5_2_3. Sanitization and sandboxing
|
115. Filter malicious emails
118. Inspect attachments
173. Discard unsafe inputs
320. Avoid client-side control enforcement
|
|
5_2_4. Sanitization and sandboxing
|
344. Avoid dynamic code execution
|
|
5_2_5. Sanitization and sandboxing
|
173. Discard unsafe inputs
176. Restrict system objects
265. Restrict access to critical processes
266. Disable insecure functionalities
|
|
5_2_6. Sanitization and sandboxing
|
173. Discard unsafe inputs
324. Control redirects
|
|
5_2_7. Sanitization and sandboxing
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
|
|
5_2_8. Sanitization and sandboxing
|
050. Control calls to interpreted code
374. Use of isolation methods in running applications
|
|
5_3_1. Output encoding and injection prevention
|
160. Encode system outputs
|
|
5_3_2. Output encoding and injection prevention
|
044. Define an explicit charset
|
|
5_3_3. Output encoding and injection prevention
|
173. Discard unsafe inputs
342. Validate request parameters
|
|
5_3_4. Output encoding and injection prevention
|
169. Use parameterized queries
|
|
5_3_5. Output encoding and injection prevention
|
169. Use parameterized queries
173. Discard unsafe inputs
342. Validate request parameters
|
|
5_3_6. Output encoding and injection prevention
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
|
|
5_3_7. Output encoding and injection prevention
|
173. Discard unsafe inputs
|
|
5_3_8. Output encoding and injection prevention
|
173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
|
|
5_3_9. Output encoding and injection prevention
|
348. Use consistent encoding
|
|
5_3_10. Output encoding and injection prevention
|
173. Discard unsafe inputs
|
|
5_4_1. Memory, string, and unmanaged code
|
158. Use a secure programming language
164. Use optimized structures
173. Discard unsafe inputs
|
|
5_4_2. Memory, string, and unmanaged code
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
|
|
5_4_3. Memory, string, and unmanaged code
|
345. Establish protections against overflows
|
|
5_5_1. Deserialization prevention
|
321. Avoid deserializing untrusted data
|
|
5_5_2. Deserialization prevention
|
157. Use the strict mode
|
|
5_5_3. Deserialization prevention
|
173. Discard unsafe inputs
321. Avoid deserializing untrusted data
|
|
5_5_4. Deserialization prevention
|
173. Discard unsafe inputs
321. Avoid deserializing untrusted data
344. Avoid dynamic code execution
|
|
6_1_1. Data classification
|
185. Encrypt sensitive information
|
|
6_1_2. Data classification
|
185. Encrypt sensitive information
|
|
6_1_3. Data classification
|
185. Encrypt sensitive information
|
|
6_2_1. Algorithms
|
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
|
|
6_2_2. Algorithms
|
147. Use pre-existent mechanisms
|
|
6_2_3. Algorithms
|
346. Use initialization vectors once
|
|
6_2_4. Algorithms
|
223. Uniform distribution in random numbers
|
|
6_2_5. Algorithms
|
148. Set minimum size of asymmetric encryption
150. Set minimum size for hash functions
|
|
6_2_6. Algorithms
|
346. Use initialization vectors once
|
|
6_2_7. Algorithms
|
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
|
|
6_2_8. Algorithms
|
224. Use secure cryptographic mechanisms
|
|
6_3_1. Random values
|
223. Uniform distribution in random numbers
|
|
6_3_2. Random values
|
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
|
|
6_3_3. Random values
|
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
|
|
6_4_1. Secret management
|
145. Protect system cryptographic keys
380. Define a password management tool
|
|
6_4_2. Secret management
|
156. Source code without sensitive information
380. Define a password management tool
|
|
7_1_1. Log content
|
083. Avoid logging sensitive data
|
|
7_1_2. Log content
|
377. Store logs based on valid regulation
|
|
7_1_3. Log content
|
075. Record exceptional events in logs
|
|
7_1_4. Log content
|
322. Avoid excessive logging
|
|
7_2_2. Log processing
|
075. Record exceptional events in logs
378. Use of log management system
|
|
7_2_4. Log processing
|
083. Avoid logging sensitive data
|
|
7_3_1. Log protection
|
080. Prevent log modification
173. Discard unsafe inputs
|
|
7_3_3. Log protection
|
080. Prevent log modification
|
|
7_3_4. Log protection
|
079. Record exact occurrence time of events
|
|
7_4_1. Error handling
|
075. Record exceptional events in logs
|
|
7_4_2. Error handling
|
075. Record exceptional events in logs
079. Record exact occurrence time of events
|
|
7_4_3. Error handling
|
378. Use of log management system
|
|
8_1_1. General data protection
|
266. Disable insecure functionalities
|
|
8_1_2. General data protection
|
177. Avoid caching and temporary files
|
|
8_1_3. General data protection
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
|
|
8_1_4. General data protection
|
075. Record exceptional events in logs
378. Use of log management system
|
|
8_2_1. Client-side data protection
|
329. Keep client-side storage without sensitive data
375. Remove sensitive data from client-side applications
|
|
8_3_1. Sensitive private data
|
349. Include HTTP security headers
|
|
8_3_2. Sensitive private data
|
317. Allow erasure requests
|
|
8_3_3. Sensitive private data
|
189. Specify the purpose of data collection
|
|
8_3_4. Sensitive private data
|
315. Provide processed data information
|
|
8_3_5. Sensitive private data
|
323. Exclude unverifiable files
|
|
8_3_6. Sensitive private data
|
350. Enable memory protection mechanisms
|
|
8_3_7. Sensitive private data
|
147. Use pre-existent mechanisms
|
|
9_1_1. Client communication security
|
336. Disable insecure TLS versions
|
|
9_1_2. Client communication security
|
181. Transmit data using secure protocols
336. Disable insecure TLS versions
|
|
9_1_3. Client communication security
|
336. Disable insecure TLS versions
|
|
9_2_1. Server communication security
|
091. Use internally signed certificates
092. Use externally signed certificates
|
|
9_2_2. Server communication security
|
181. Transmit data using secure protocols
|
|
9_2_3. Server communication security
|
176. Restrict system objects
264. Request authentication
|
|
10_1_1. Code integrity
|
155. Application free of malicious code
|
|
10_2_1. Malicious code search
|
041. Scan files for malicious code
155. Application free of malicious code
|
|
10_2_3. Malicious code search
|
154. Eliminate backdoors
|
|
10_2_4. Malicious code search
|
262. Verify third-party components
|
|
10_2_5. Malicious code search
|
262. Verify third-party components
|
|
10_2_6. Malicious code search
|
041. Scan files for malicious code
155. Application free of malicious code
|
|
10_3_1. Application integrity
|
088. Request client certificates
090. Use valid certificates
093. Use consistent certificates
178. Use digital signatures
|
|
10_3_2. Application integrity
|
178. Use digital signatures
262. Verify third-party components
330. Verify Subresource Integrity
|
|
10_3_3. Application integrity
|
266. Disable insecure functionalities
|
|
11_1_1. Business logic security
|
337. Make critical logic flows thread safe
|
|
11_1_2. Business logic security
|
072. Set maximum response time
327. Set a rate limit
|
|
11_1_3. Business logic security
|
072. Set maximum response time
327. Set a rate limit
|
|
11_1_4. Business logic security
|
039. Define maximum file size
043. Define an explicit content type
072. Set maximum response time
327. Set a rate limit
|
|
12_1_1. File upload
|
039. Define maximum file size
|
|
12_1_2. File upload
|
039. Define maximum file size
042. Validate file format
|
|
12_1_3. File upload
|
039. Define maximum file size
|
|
12_2_1. File integrity
|
340. Use octet stream downloads
|
|
12_3_1. File execution
|
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
|
|
12_3_2. File execution
|
173. Discard unsafe inputs
176. Restrict system objects
|
|
12_3_3. File execution
|
348. Use consistent encoding
|
|
12_3_4. File execution
|
043. Define an explicit content type
062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
|
|
12_3_5. File execution
|
173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
|
|
12_3_6. File execution
|
266. Disable insecure functionalities
340. Use octet stream downloads
|
|
12_4_1. File storage
|
339. Avoid storing sensitive files in the web root
|
|
12_4_2. File storage
|
118. Inspect attachments
|
|
12_5_1. File download
|
040. Compare file format and extension
|
|
12_5_2. File download
|
040. Compare file format and extension
042. Validate file format
043. Define an explicit content type
|
|
12_6_1. SSRF protection
|
173. Discard unsafe inputs
324. Control redirects
|
|
13_1_1. Generic web service security
|
348. Use consistent encoding
|
|
13_1_3. Generic web service security
|
261. Avoid exposing sensitive information
|
|
13_1_5. Generic web service security
|
062. Define standard configurations
349. Include HTTP security headers
|
|
13_2_1. RESTful web service
|
266. Disable insecure functionalities
|
|
13_2_2. RESTful web service
|
342. Validate request parameters
|
|
13_2_3. RESTful web service
|
029. Cookies with security attributes
174. Transactions without a distinguishable pattern
|
|
13_2_5. RESTful web service
|
062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
|
|
13_2_6. RESTful web service
|
181. Transmit data using secure protocols
336. Disable insecure TLS versions
|
|
13_3_1. SOAP web service
|
173. Discard unsafe inputs
|
|
13_3_2. SOAP web service
|
228. Authenticate using standard protocols
|
|
13_4_1. GraphQL
|
077. Avoid disclosing technical information
176. Restrict system objects
264. Request authentication
|
|
14_1_1. Build and deploy
|
051. Store source code in a repository
062. Define standard configurations
|
|
14_1_2. Build and deploy
|
157. Use the strict mode
158. Use a secure programming language
164. Use optimized structures
|
|
14_1_3. Build and deploy
|
266. Disable insecure functionalities
|
|
14_1_4. Build and deploy
|
062. Define standard configurations
|
|
14_1_5. Build and deploy
|
228. Authenticate using standard protocols
229. Request access credentials
235. Define credential interface
264. Request authentication
|
|
14_2_1. Dependency
|
302. Declare dependencies explicitly
|
|
14_2_2. Dependency
|
360. Remove unnecessary sensitive information
|
|
14_2_3. Dependency
|
330. Verify Subresource Integrity
|
|
14_2_4. Dependency
|
362. Assign MFA mechanisms to a single account
|
|
14_2_5. Dependency
|
262. Verify third-party components
|
|
14_2_6. Dependency
|
374. Use of isolation methods in running applications
|
|
14_3_2. Unintended security disclosure
|
078. Disable debugging events
|
|
14_3_3. Unintended security disclosure
|
077. Avoid disclosing technical information
|
|
14_4_1. HTTP security headers
|
062. Define standard configurations
266. Disable insecure functionalities
349. Include HTTP security headers
|
|
14_4_2. HTTP security headers
|
043. Define an explicit content type
349. Include HTTP security headers
|
|
14_4_3. HTTP security headers
|
062. Define standard configurations
349. Include HTTP security headers
|
|
14_4_4. HTTP security headers
|
062. Define standard configurations
349. Include HTTP security headers
|
|
14_4_5. HTTP security headers
|
062. Define standard configurations
349. Include HTTP security headers
|
|
14_4_6. HTTP security headers
|
062. Define standard configurations
349. Include HTTP security headers
|
|
14_4_7. HTTP security headers
|
062. Define standard configurations
349. Include HTTP security headers
|
|
14_5_1. HTTP request header validation
|
062. Define standard configurations
173. Discard unsafe inputs
266. Disable insecure functionalities
320. Avoid client-side control enforcement
349. Include HTTP security headers
|
