CASA | Compliance | Fluid Attacks Help

CASA


Summary

The Cloud Application Security Assessment (CASA) builds on the industry-recognized OWASP Application Security Verification Standard (ASVS) to provide a consistent set of requirements for hardening the security of any application. The table below maps each CASA definition to the Fluid Attacks requirements that cover it.

Definitions

| CASA definition | Fluid Attacks requirements |
| --- | --- |
| 1_2_2. Authentication Architecture | 186. Use the principle of least privilege |
| | 228. Authenticate using standard protocols |
| 1_2_3. Authentication Architecture | 264. Request authentication |
| 1_4_1. Access Control Architecture | 265. Restrict access to critical processes |
| | 320. Avoid client-side control enforcement |
| 1_4_4. Access Control Architecture | 228. Authenticate using standard protocols |
| | 264. Request authentication |
| 1_5_2. Input and Output Architecture | 321. Avoid deserializing untrusted data |
| 1_5_3. Input and Output Architecture | 173. Discard unsafe inputs |
| 1_5_4. Input and Output Architecture | 160. Encode system outputs |
| 1_8_2. Data Protection and Privacy Architecture | 026. Encrypt client-side session information |
| | 185. Encrypt sensitive information |
| | 329. Keep client-side storage without sensitive data |
| 1_9_1. Communications Architecture | 147. Use pre-existent mechanisms |
| | 181. Transmit data using secure protocols |
| | 224. Use secure cryptographic mechanisms |
| 1_11_3. Business Logic Architecture | 337. Make critical logic flows thread safe |
| 1_14_1. Configuration Architecture | 176. Restrict system objects |
| 1_14_2. Configuration Architecture | 330. Verify Subresource Integrity |
| 1_14_3. Configuration Architecture | 330. Verify Subresource Integrity |
| 1_14_4. Configuration Architecture | 330. Verify Subresource Integrity |
| 1_14_5. Configuration Architecture | 321. Avoid deserializing untrusted data |
| | 374. Use of isolation methods in running applications |
| 1_14_6. Configuration Architecture | 262. Verify third-party components |
| 2_2_1. General Authenticator Security | 237. Ascertain human interaction |
| 2_2_4. General Authenticator Security | 328. Request MFA for critical systems |
| 2_2_5. General Authenticator Security | 181. Transmit data using secure protocols |
| | 338. Implement perfect forward secrecy |
| 2_3_1. Authenticator Lifecycle | 138. Define lifespan for temporary passwords |
| | 367. Proper generation of temporary passwords |
| 2_4_1. Credential Storage | 127. Store hashed passwords |
| | 134. Store passwords with salt |
| | 150. Set minimum size for hash functions |
| 2_4_3. Credential Storage | 127. Store hashed passwords |
| 2_4_5. Credential Storage | 135. Passwords with random salt |
| 2_6_1. Look-up Secret Verifier | 131. Deny multiple password changing attempts |
| 2_7_2. Out of Band Verifier | 335. Define out of band token lifespan |
| 2_7_3. Out of Band Verifier | 335. Define out of band token lifespan |
| 2_7_4. Out of Band Verifier | 338. Implement perfect forward secrecy |
| 2_7_5. Out of Band Verifier | 153. Out of band transactions |
| 2_7_6. Out of Band Verifier | 223. Uniform distribution in random numbers |
| 2_8_2. One Time Verifier | 232. Require equipment identity |
| 2_8_5. One Time Verifier | 377. Store logs based on valid regulation |
| 2_8_6. One Time Verifier | 141. Force re-authentication |
| 2_9_1. Cryptographic Verifier | 145. Protect system cryptographic keys |
| 2_9_3. Cryptographic Verifier | 224. Use secure cryptographic mechanisms |
| 2_10_1. Service Authentication | 122. Validate credential ownership |
| | 228. Authenticate using standard protocols |
| | 236. Establish authentication time |
| | 264. Request authentication |
| | 319. Make authentication options equally secure |
| | 334. Avoid knowledge-based authentication |
| | 362. Assign MFA mechanisms to a single account |
| 2_10_2. Service Authentication | 142. Change system default credentials |
| 2_10_3. Service Authentication | 134. Store passwords with salt |
| 2_10_4. Service Authentication | 156. Source code without sensitive information |
| 3_2_3. Session Binding | 029. Cookies with security attributes |
| 3_3_1. Session Termination | 030. Avoid object reutilization |
| 3_3_3. Session Termination | 028. Allow users to log out |
| | 141. Force re-authentication |
| 3_3_4. Session Termination | 028. Allow users to log out |
| 3_4_1. Cookie-based Session Management | 029. Cookies with security attributes |
| 3_4_2. Cookie-based Session Management | 029. Cookies with security attributes |
| 3_4_3. Cookie-based Session Management | 029. Cookies with security attributes |
| 3_5_1. Token-based Session Management | 173. Discard unsafe inputs |
| 3_5_2. Token-based Session Management | 357. Use stateless session tokens |
| 3_5_3. Token-based Session Management | 357. Use stateless session tokens |
| 3_7_1. Defenses Against Session Management Exploits | 319. Make authentication options equally secure |
| 4_1_1. General Access Control Design | 096. Set user's required privileges |
| | 341. Use the principle of deny by default |
| 4_1_2. General Access Control Design | 026. Encrypt client-side session information |
| | 096. Set user's required privileges |
| 4_1_3. General Access Control Design | 186. Use the principle of least privilege |
| 4_1_5. General Access Control Design | 359. Avoid using generic exceptions |
| 4_2_2. Operation Level Access Control | 030. Avoid object reutilization |
| | 031. Discard user session data |
| | 141. Force re-authentication |
| 4_3_1. Other Access Control Considerations | 122. Validate credential ownership |
| | 153. Out of band transactions |
| | 176. Restrict system objects |
| | 229. Request access credentials |
| | 231. Implement a biometric verification component |
| | 264. Request authentication |
| | 266. Disable insecure functionalities |
| | 319. Make authentication options equally secure |
| | 328. Request MFA for critical systems |
| 4_3_2. Other Access Control Considerations | 176. Restrict system objects |
| | 266. Disable insecure functionalities |
| 4_3_3. Other Access Control Considerations | 176. Restrict system objects |
| | 186. Use the principle of least privilege |
| | 341. Use the principle of deny by default |
| 5_1_1. Input Validation | 342. Validate request parameters |
| 5_1_2. Input Validation | 237. Ascertain human interaction |
| | 327. Set a rate limit |
| 5_1_3. Input Validation | 342. Validate request parameters |
| 5_1_4. Input Validation | 173. Discard unsafe inputs |
| | 320. Avoid client-side control enforcement |
| | 342. Validate request parameters |
| 5_1_5. Input Validation | 324. Control redirects |
| 5_2_3. Sanitization and Sandboxing | 115. Filter malicious emails |
| | 118. Inspect attachments |
| | 173. Discard unsafe inputs |
| | 320. Avoid client-side control enforcement |
| 5_2_4. Sanitization and Sandboxing | 344. Avoid dynamic code execution |
| 5_2_5. Sanitization and Sandboxing | 173. Discard unsafe inputs |
| | 176. Restrict system objects |
| | 265. Restrict access to critical processes |
| | 266. Disable insecure functionalities |
| 5_2_6. Sanitization and Sandboxing | 173. Discard unsafe inputs |
| | 324. Control redirects |
| 5_2_7. Sanitization and Sandboxing | 173. Discard unsafe inputs |
| | 320. Avoid client-side control enforcement |
| 5_3_1. Output Encoding and Injection Prevention | 160. Encode system outputs |
| 5_3_2. Output Encoding and Injection Prevention | 044. Define an explicit charset |
| 5_3_3. Output Encoding and Injection Prevention | 173. Discard unsafe inputs |
| | 342. Validate request parameters |
| 5_3_4. Output Encoding and Injection Prevention | 169. Use parameterized queries |
| 5_3_6. Output Encoding and Injection Prevention | 173. Discard unsafe inputs |
| | 320. Avoid client-side control enforcement |
| | 342. Validate request parameters |
| 5_3_7. Output Encoding and Injection Prevention | 173. Discard unsafe inputs |
| 5_3_8. Output Encoding and Injection Prevention | 173. Discard unsafe inputs |
| | 265. Restrict access to critical processes |
| | 266. Disable insecure functionalities |
| 5_3_9. Output Encoding and Injection Prevention | 348. Use consistent encoding |
| 5_3_10. Output Encoding and Injection Prevention | 173. Discard unsafe inputs |
| 5_5_1. Deserialization Prevention | 321. Avoid deserializing untrusted data |
| 5_5_2. Deserialization Prevention | 157. Use the strict mode |
| 6_1_1. Data Classification | 185. Encrypt sensitive information |
| 6_1_2. Data Classification | 185. Encrypt sensitive information |
| 6_1_3. Data Classification | 185. Encrypt sensitive information |
| 6_2_1. Algorithms | 148. Set minimum size of asymmetric encryption |
| 6_2_2. Algorithms | 147. Use pre-existent mechanisms |
| 6_2_3. Algorithms | 346. Use initialization vectors once |
| 6_2_4. Algorithms | 223. Uniform distribution in random numbers |
| 6_2_5. Algorithms | 148. Set minimum size of asymmetric encryption |
| | 150. Set minimum size for hash functions |
| 6_2_6. Algorithms | 346. Use initialization vectors once |
| 6_2_7. Algorithms | 148. Set minimum size of asymmetric encryption |
| | 149. Set minimum size of symmetric encryption |
| | 150. Set minimum size for hash functions |
| | 181. Transmit data using secure protocols |
| 6_2_8. Algorithms | 224. Use secure cryptographic mechanisms |
| 6_3_1. Random Values | 223. Uniform distribution in random numbers |
| 6_3_2. Random Values | 223. Uniform distribution in random numbers |
| | 224. Use secure cryptographic mechanisms |
| 6_3_3. Random Values | 223. Uniform distribution in random numbers |
| | 224. Use secure cryptographic mechanisms |
| 6_4_2. Secret Management | 156. Source code without sensitive information |
| | 380. Define a password management tool |
| 7_1_1. Log Content | 083. Avoid logging sensitive data |
| 7_1_2. Log Content | 377. Store logs based on valid regulation |
| 7_1_3. Log Content | 075. Record exceptional events in logs |
| 7_3_1. Log Protection | 080. Prevent log modification |
| | 173. Discard unsafe inputs |
| 7_3_3. Log Protection | 080. Prevent log modification |
| 8_1_1. General Data Protection | 266. Disable insecure functionalities |
| 8_1_3. General Data Protection | 173. Discard unsafe inputs |
| | 320. Avoid client-side control enforcement |
| 8_1_6. General Data Protection | 046. Manage the integrity of critical files |
| | 185. Encrypt sensitive information |
| 8_2_1. Client-side Data Protection | 329. Keep client-side storage without sensitive data |
| | 375. Remove sensitive data from client-side applications |
| 8_2_2. Client-side Data Protection | 329. Keep client-side storage without sensitive data |
| | 339. Avoid storing sensitive files in the web root |
| 8_3_1. Sensitive Private Data | 349. Include HTTP security headers |
| 8_3_2. Sensitive Private Data | 317. Allow erasure requests |
| 8_3_3. Sensitive Private Data | 189. Specify the purpose of data collection |
| 8_3_5. Sensitive Private Data | 323. Exclude unverifiable files |
| 8_3_6. Sensitive Private Data | 350. Enable memory protection mechanisms |
| 8_3_8. Sensitive Private Data | 360. Remove unnecessary sensitive information |
| 9_1_2. Client Communication Security | 181. Transmit data using secure protocols |
| | 336. Disable insecure TLS versions |
| 9_1_3. Client Communication Security | 336. Disable insecure TLS versions |
| 9_2_1. Server Communication Security | 091. Use internally signed certificates |
| | 092. Use externally signed certificates |
| 9_2_4. Server Communication Security | 088. Request client certificates |
| | 089. Limit validity of certificates |
| | 090. Use valid certificates |
| 9_2_5. Server Communication Security | 075. Record exceptional events in logs |
| | 079. Record exact occurrence time of events |
| 10_1_1. Code Integrity | 155. Application free of malicious code |
| 10_2_3. Malicious Code Search | 154. Eliminate backdoors |
| 10_2_4. Malicious Code Search | 262. Verify third-party components |
| 10_2_5. Malicious Code Search | 262. Verify third-party components |
| 10_3_2. Application Integrity | 178. Use digital signatures |
| | 262. Verify third-party components |
| | 330. Verify Subresource Integrity |
| 10_3_3. Application Integrity | 266. Disable insecure functionalities |
| 11_1_4. Business Logic Security | 039. Define maximum file size |
| | 043. Define an explicit content type |
| | 072. Set maximum response time |
| | 327. Set a rate limit |
| 12_4_1. File Storage | 339. Avoid storing sensitive files in the web root |
| 12_4_2. File Storage | 118. Inspect attachments |
| 13_1_1. Generic Web Service Security | 348. Use consistent encoding |
| 13_1_3. Generic Web Service Security | 261. Avoid exposing sensitive information |
| 13_1_4. Generic Web Service Security | 095. Define users with privileges |
| | 177. Avoid caching and temporary files |
| | 320. Avoid client-side control enforcement |
| | 341. Use the principle of deny by default |
| 13_2_1. RESTful Web Service | 342. Validate request parameters |
| 14_1_1. Build and Deploy | 051. Store source code in a repository |
| | 062. Define standard configurations |
| | 158. Use a secure programming language |
| 14_1_4. Build and Deploy | 062. Define standard configurations |
| 14_1_5. Build and Deploy | 228. Authenticate using standard protocols |
| | 229. Request access credentials |
| | 235. Define credential interface |
| | 264. Request authentication |
| 14_2_1. Dependency | 302. Declare dependencies explicitly |
| 14_3_2. Unintended Security Disclosure | 078. Disable debugging events |
| 14_5_2. HTTP Request Header Validation | 129. Validate previous passwords |