asvs-data.js
var ASVS = {
chapters:[
'Security Architecture Documentation Requirements',
'Authentication Verification Requirements',
'Session Management Verification Requirements',
'Access Control Verification Requirements',
'Input Validation Verification Requirements',
'Output Encoding / Escaping Verification Requirements',
'Cryptography Verification Requirements',
'Error Handling and Logging Verification Requirements',
'Data Protection Verification Requirements',
'Communication Security Verification Requirements',
'HTTP Security Verification Requirements',
'Security Configuration Verification Requirements',
'Malicious Code Search Verification Requirements',
'Internal Security Verification Requirements'
],
rules:[
{chapter:1, nr:1, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that all application components (either individual or groups of source files, libraries, and/or executables) that are present in the application are identified.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:1, nr:2, levels:["2A", "2B", 3, 4], title:"Verify that all components that are not part of the application but that the application relies on to operate are identified.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:1, nr:3, levels:["2A", "2B", 3, 4], title:"Verify that a high-level architecture for the application has been defined.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:1, nr:4, levels:[3, 4], title:"Verify that all application components are defined in terms of the business functions and/or security functions they provide.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:1, nr:5, levels:[3, 4], title:"Verify that all components that are not part of the application but that the application relies on to operate are defined in terms of the business functions and/or security functions they provide.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:1, nr:6, levels:[3, 4], title:"Verify that threat modeling information has been provided.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:1, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that all pages and resources require authentication except those specifically intended to be public.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:2, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that all password fields do not echo the user’s password when it is entered, and that password fields (or the forms that contain them) have autocomplete disabled.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:3, levels:["1A", "2A", "2B", 3, 4], title:"Verify that if a maximum number of authentication attempts is exceeded, the account is locked for a period of time long enough to deter brute force attacks.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:4, levels:["2A", "2B", 3, 4], title:"Verify that all authentication controls are enforced on the server side.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:5, levels:["2B", 3, 4], title:"Verify that all authentication controls (including libraries that call external authentication services) have a centralized implementation.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:6, levels:["2A", "2B", 3, 4], title:"Verify that all authentication controls fail securely.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:7, levels:["2A", "2B", 3, 4], title:"Verify that the strength of any authentication credentials are sufficient to withstand attacks that are typical of the threats in the deployed environment.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:8, levels:["2A", "2B", 3, 4], title:"Verify that all account management functions are at least as resistant to attack as the primary authentication mechanism.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:9, levels:["2A", "2B", 3, 4], title:"Verify that users can safely change their credentials using a mechanism that is at least as resistant to attack as the primary authentication mechanism.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:10, levels:["2A", "2B", 3, 4], title:"Verify that re-authentication is required before any application-specific sensitive operations are permitted.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:11, levels:["2A", "2B", 3, 4], title:"Verify that after an administratively-configurable period of time, authentication credentials expire.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:12, levels:["2B", 3, 4], title:"Verify that all authentication decisions are logged.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:13, levels:["2B", 3, 4], title:"Verify that account passwords are salted using a salt that is unique to that account (e.g., internal user ID, account creation) and hashed before storing.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:14, levels:["2B", 3, 4], title:"Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location (not in source code).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:2, nr:15, levels:[4], title:"Verify that all code implementing or using authentication controls is not affected by any malicious code.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:1, levels:["1A", "2A", "2B", 3, 4], title:"Verify that the framework’s default session management control implementation is used by the application.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:2, levels:["1A", "2A", "2B", 3, 4], title:"Verify that sessions are invalidated when the user logs out.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:3, levels:["1A", "2A", "2B", 3, 4], title:"Verify that sessions timeout after a specified period of inactivity.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:4, levels:[3, 4], title:"Verify that sessions timeout after an administratively-configurable maximum time period regardless of activity (an absolute timeout).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:5, levels:["1A", "2A", "2B", 3, 4], title:"Verify that all pages that require authentication to access them have logout links.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:6, levels:["1B", "2B", 3, 4], title:"Verify that the session id is never disclosed other than in cookie headers; particularly in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:7, levels:["2A", "2B", 3, 4], title:"Verify that the session id is changed on login.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:8, levels:["2A", "2B", 3, 4], title:"Verify that the session id is changed on reauthentication.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:9, levels:["2A", "2B", 3, 4], title:"Verify that the session id is changed or cleared on logout.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:10, levels:["2A", 3, 4], title:"Verify that only session ids generated by the application framework are recognized as valid by the application.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:11, levels:[3, 4], title:"Verify that authenticated session tokens are sufficiently long and random to withstand attacks that are typical of the threats in the deployed environment.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:12, levels:[3, 4], title:"Verify that cookies which contain authenticated session tokens/ids have their domain and path set to an appropriately restrictive value for that site.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:3, nr:13, levels:[4], title:"Verify that all code implementing or using session management controls is not affected by any malicious code. ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:1, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that users can only access protected functions for which they possess specific authorization.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:2, levels:["1A", "2A", "2B", 3, 4], title:"Verify that users can only access URLs for which they possess specific authorization.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:3, levels:["1A", "2A", "2B", 3, 4], title:"Verify that users can only access data files for which they possess specific authorization.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:4, levels:["1A", "2A", "2B", 3, 4], title:"Verify that direct object references are protected, such that only authorized objects are accessible to each user.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:5, levels:["1A", "2A", 3, 4], title:"Verify that directory browsing is disabled unless deliberately desired.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:6, levels:["2A", "2B", 3, 4], title:"Verify that users can only access services for which they possess specific authorization.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:7, levels:["2A", "2B", 3, 4], title:"Verify that users can only access data for which they possess specific authorization.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:8, levels:["2A", "2B", 3, 4], title:"Verify that access controls fail securely.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:9, levels:["2A", "2B", 3, 4], title:"Verify that the same access control rules implied by the presentation layer are enforced on the server side.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:10, levels:["2A", "2B", 3, 4], title:"Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:11, levels:["2A", "2B", 3, 4], title:"Verify that all access controls are enforced on the server side.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:12, levels:["2B", 3, 4], title:"Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:13, levels:["2A", "2B", 3, 4], title:"Verify that limitations on input and access imposed by the business on the application (such as daily transaction limits or sequencing of tasks) cannot be bypassed.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:14, levels:["2B", 3, 4], title:"Verify that all access control decisions can be logged and all failed decisions are logged.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:4, nr:15, levels:[4], title:"Verify that all code implementing or using access controls is not affected by any malicious code. ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:1, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows. ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:2, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that a positive validation pattern is defined and applied to all input.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:3, levels:["1A", "2A", "2B", 3, 4], title:"Verify that all input validation failures result in input rejection or input sanitization.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:4, levels:["2A", "2B", 3, 4], title:"Verify that a character set, such as UTF-8, is specified for all sources of input.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:5, levels:["2A", "2B", 3, 4], title:"Verify that all input validation is performed on the server side.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:6, levels:["2B", 3, 4], title:"Verify that a single input validation control is used by the application for each type of data that is accepted.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:7, levels:["2B", 3, 4], title:"Verify that all input validation failures are logged.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:8, levels:[3, 4], title:"Verify that all input data is canonicalized for all downstream decoders or interpreters prior to validation.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:5, nr:9, levels:[4], title:"Verify that all input validation controls are not affected by any malicious code. ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:1, levels:["1B", "2A", "2B", 3, 4], title:"Verify that all untrusted data that are output to HTML (including HTML elements, HTML attributes, javascript data values, CSS blocks, and URI attributes) are properly escaped for the applicable context.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:2, levels:["2A", "2B", 3, 4], title:"Verify that all output encoding/escaping controls are implemented on the server side.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:3, levels:["2B", 3, 4], title:"Verify that output encoding /escaping controls encode all characters not known to be safe for the intended interpreter.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:4, levels:["2B", 3, 4], title:"Verify that all untrusted data that is output to SQL interpreters use parameterized interfaces, prepared statements, or are escaped properly.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:5, levels:["2B", 3, 4], title:"Verify that all untrusted data that are output to XML use parameterized interfaces or are escaped properly.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:6, levels:["2B", 3, 4], title:"Verify that all untrusted data that are used in LDAP queries are escaped properly.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:7, levels:["2B", 3, 4], title:"Verify that all untrusted data that are included in operating system command parameters are escaped properly.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:8, levels:["2B", 3, 4], title:"Verify that all untrusted data that are output to any interpreters not specifically listed above are escaped properly.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:9, levels:[3, 4], title:"Verify that for each type of output encoding/escaping performed by the application, there is a single security control for that type of output for the intended destination.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:6, nr:10, levels:[4], title:"Verify that all code implementing or using output validation controls is not affected by any malicious code. ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:1, levels:["2A", "2B", 3, 4], title:"Verify that all cryptographic functions used to protect secrets from the application user are implemented server side.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:2, levels:["2A", "2B", 3, 4], title:"Verify that all cryptographic modules fail securely.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:3, levels:["2B", 3, 4], title:"Verify that access to any master secret(s) is protected from unauthorized access (A master secret is an application credential stored as plaintext on disk that is used to protect access to security configuration information).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:4, levels:["2B", 3, 4], title:"Verify that password hashes are salted when they are created.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:5, levels:["2B", 3, 4], title:"Verify that cryptographic module failures are logged.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:6, levels:["2B", 3, 4], title:"Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be unguessable by an attacker.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:7, levels:[3, 4], title:"Verify that cryptographic modules used by the application have been validated against FIPS 140-2 or an equivalent standard. (See ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:8, levels:[3, 4], title:"Verify that cryptographic modules operate in their approved mode according to their published security policies (See http://csrc.nist.gov/groups/STM/cmvp/validation.html).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:9, levels:[3, 4], title:"Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, expired). Verify that this policy is properly enforced.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:7, nr:10, levels:[4], title:"Verify that all code supporting or using a cryptographic module is not affected by any malicious code.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:1, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session id and personal information.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:2, levels:["2A", "2B", 3, 4], title:"Verify that all server side errors are handled on the server.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:3, levels:["2A", "2B", 3, 4], title:"Verify that all logging controls are implemented on the server.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:4, levels:["2A", "2B", 3, 4], title:"Verify that error handling logic in security controls denies access by default.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:5, levels:["2B", 3, 4], title:"Verify security logging controls provide the ability to log both success and failure events that are identified as security-relevant. ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:6, levels:["2B", 3, 4], title:"Verify that each log event includes:", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:7, levels:["2B", 3, 4], title:"Verify that all events that include untrusted data will not execute as code in the intended log viewing software.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:8, levels:["2B", 3, 4], title:"Verify that security logs are protected from unauthorized access and modification.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:9, levels:["2B", 3, 4], title:"Verify that there is a single logging implementation that is used by the application.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:10, levels:["2B", 3, 4], title:"Verify that that the application does not log application-specific sensitive data that could assist an attacker, including user’s session ids and personal or sensitive information.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:11, levels:["2B", 3, 4], title:"Verify that a log analysis tool is available which allows the analyst to search for log events based on combinations of search criteria across all fields in the log record format supported by this system.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:8, nr:12, levels:[4], title:"Verify that all code implementing or using error handling and logging controls is not affected by any malicious code. ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:9, nr:1, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that all forms containing sensitive information have disabled client side caching, including autocomplete features.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:9, nr:2, levels:["2B", 3, 4], title:"Verify that the list of sensitive data processed by this application is identified, and that there is an explicit policy for how access to this data must be controlled, and when this data must be encrypted (both at rest and in transit). Verify that this policy is properly enforced.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:9, nr:3, levels:["2A", 3, 4], title:"Verify that all sensitive data is sent to the server in the HTTP message body (i.e., URL parameters are never used to send sensitive data).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:9, nr:4, levels:["2B", 3, 4], title:"Verify that all cached or temporary copies of sensitive data sent to the client are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data (e.g., the proper no-cache and no-store Cache-Control headers are set).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:9, nr:5, levels:["2B", 3, 4], title:"Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:9, nr:6, levels:[3, 4], title:"Verify that there is a method to remove each type of sensitive data from the application at the end of its required retention period.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:1, levels:["1A", "2A", "2B", 3, 4], title:"Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:2, levels:["2A", 3, 4], title:"Verify that failed TLS connections do not fall back to an insecure connection.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:3, levels:["2B", 3, 4], title:"Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:4, levels:["2B", 3, 4], title:"Verify that backend TLS connection failures are logged.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:5, levels:["2B", 3, 4], title:"Verify that certificate paths are built and verified for all client certificates using configured trust anchors and revocation information.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:6, levels:["2B", 3, 4], title:"Verify that all connections to external systems that involve sensitive information or functions are authenticated.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:7, levels:["2B", 3, 4], title:"Verify that all connections to external systems that involve sensitive information or functions use an account that has been set up to have the minimum privileges necessary for the application to function properly.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:8, levels:[3, 4], title:"Verify that there is a single standard TLS implementation that is used by the application that is configured to operate in an approved mode of operation (See ", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:10, nr:9, levels:[3, 4], title:"Verify that specific character encodings are defined for all connections (e.g., UTF-8).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:11, nr:1, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that redirects do not include unvalidated data.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:11, nr:2, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:11, nr:3, levels:["1A", "1B", "2A", "2B", 3, 4], title:"Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8).", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:11, nr:4, levels:["2A", "2B", 3, 4], title:"Verify that the HTTPOnly flag is used on all cookies that do not specifically require access from JavaScript.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:11, nr:5, levels:["2A", "2B", 3, 4], title:"Verify that the secure flag is used on all cookies that contain sensitive data, including the session cookie.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:11, nr:6, levels:["2A", "2B", 3, 4], title:"Verify that HTTP headers in both requests and responses contain only printable ASCII characters.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:11, nr:7, levels:[3, 4], title:"Verify that the application generates a strong random token as part of all links and forms associated with transactions or accessing sensitive data, and that the application verifies the presence of this token with the proper value for the current user when processing these requests.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:12, nr:1, levels:["2B", 3, 4], title:"Verify that all security-relevant configuration information is stored in locations that are protected from unauthorized access.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:12, nr:2, levels:["2B", 3, 4], title:"Verify that all access to the application is denied if the application cannot access its security configuration information.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:12, nr:3, levels:[3, 4], title:"Verify that all changes to the security configuration settings managed by the application are logged in the security event log.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:12, nr:4, levels:[4], title:"Verify that the configuration store can be output in a human-readable format to facilitate audit.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:13, nr:1, levels:[4], title:"Verify that no malicious code is in any code that was either developed or modified in order to create the application.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:13, nr:2, levels:[4], title:"Verify that the integrity of interpreted code, libraries, executables, and configuration files is verified using checksums or hashes.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:14, nr:1, levels:[3, 4], title:"Verify that the application protects user and data attributes and policy information used by access controls from unauthorized access or modification.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:14, nr:2, levels:[4], title:"Verify that security control interfaces are simple enough to use that developers are likely to use them correctly.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}},
{chapter:14, nr:3, levels:[4], title:"Verify that the application properly protects shared variables and resources from inappropriate concurrent access.", annotation:"", passed:{title:"", description:"", helpJustify:""}, failed:{title:"", description:""}}
],
risk:{
factors:{
likelihood:{
threatAgent:{
skillLevel:0,
motive:0,
opportunity:0,
size:0
},
vulnerability:{
easeOfDiscovery:0,
easeOfExploit:0,
awareness:0,
intrusionDetection:0
}
},
impact:{
business:{
financialDamage:0,
reputationDamage:0,
nonCompliance:0,
privacyViolation:0
},
technical:{
lossOfConfidentiality:0,
lossOfIntegrity:0,
lossOfAvailability:0,
lossOfAccountability:0
}
}
},
ranges:[
{
start:0,
end:3,
title:'Low',
translations:{
nl:'Laag'
}
},
{
start:3,
end:6,
title:'Medium',
translations:{
nl:'Middelmatig'
}
},
{
start:6,
end:10,
title:'High',
translations:{
nl:'Hoog'
}
}
]
}
};