Table of contents

Objective

The objective of this index is to help an OWASP Application Security Verification Standard (ASVS) user clearly identify which cheat sheets are useful for each section during his or her usage of the ASVS.

This index is based on the version 4.x of the ASVS.

V1: Architecture, Design and Threat Modeling Requirements

V1.1 Secure Software Development Lifecycle Requirements

Threat Modeling Cheat Sheet.

Abuse Case Cheat Sheet.

Attack Surface Analysis Cheat Sheet.

V1.2 Authentication Architectural Requirements

None.

V1.3 Session Management Architectural Requirements

None.

V1.4 Access Control Architectural Requirements

Docker Security Cheat Sheet.

V1.5 Input and Output Architectural Requirements

Abuse Case Cheat Sheet.

Deserialization Cheat Sheet.

V1.6 Cryptographic Architectural Requirements

Cryptographic Storage Cheat Sheet.

Key Management Cheat Sheet.

V1.7 Errors, Logging and Auditing Architectural Requirements

Logging Cheat Sheet.

V1.8 Data Protection and Privacy Architectural Requirements

Abuse Case Cheat Sheet.

User Privacy Protection Cheat Sheet.

V1.9 Communications Architectural Requirements

Transport Layer Protection Cheat Sheet.

TLS Cipher String Cheat Sheet.

V1.10 Malicious Software Architectural Requirements

Third Party Javascript Management Cheat Sheet.

Virtual Patching Cheat Sheet.

V1.11 Business Logic Architectural Requirements

Abuse Case Cheat Sheet.

V1.12 Secure File Upload Architectural Requirements

None.

V1.13 API Architectural Requirements

REST Security Cheat Sheet.

V1.14 Configuration Architectural Requirements

None.

V2: Authentication Verification Requirements

V2.1 Password Security Requirements

Choosing and Using Security Questions Cheat Sheet.

Forgot Password Cheat Sheet.

Credential Stuffing Prevention Cheat Sheet

V2.2 General Authenticator Requirements

Authentication Cheat Sheet.

Transport Layer Protection Cheat Sheet.

TLS Cipher String Cheat Sheet.

V2.3 Authenticator Lifecycle Requirements

None.

V2.4 Credential Storage Requirements

Password Storage Cheat Sheet.

V2.5 Credential Recovery Requirements

Choosing and Using Security Questions Cheat Sheet.

Forgot Password Cheat Sheet.

V2.6 Look-up Secret Verifier Requirements

None.

V2.7 Out of Band Verifier Requirements

Forgot Password Cheat Sheet.

V2.8 Single or Multi Factor One Time Verifier Requirements

None.

V2.9 Cryptographic Software and Devices Verifier Requirements

Cryptographic Storage Cheat Sheet.

Key Management Cheat Sheet.

V2.10 Service Authentication Requirements

None.

V3: Session Management Verification Requirements

V3.1 Fundamental Session Management Requirements

None.

V3.2 Session Binding Requirements

Session Management Cheat Sheet.

V3.3 Session Logout and Timeout Requirements

Session Management Cheat Sheet.

V3.4 Cookie-based Session Management

Session Management Cheat Sheet.

Cross-Site Request Forgery Prevention Cheat Sheet.

V3.5 Token-based Session Management

JSON Web Token Cheat Sheet for Java.

REST Security Cheat Sheet.

V3.6 Re-authentication from a Federation or Assertion

None.

V3.7 Defenses Against Session Management Exploits

Session Management Cheat Sheet.

Transaction Authorization Cheat Sheet.

V4: Access Control Verification Requirements

V4.1 General Access Control Design

Access Control Cheat Sheet.

Authorization Testing Automation.

V4.2 Operation Level Access Control

Insecure Direct Object Reference Prevention Cheat Sheet.

Cross-Site Request Forgery Prevention Cheat Sheet.

Authorization Testing Automation.

V4.3 Other Access Control Considerations

REST Assessment Cheat Sheet.

V5: Validation, Sanitization and Encoding Verification Requirements

V5.1 Input Validation Requirements

Mass Assignment Cheat Sheet.

Input Validation Cheat Sheet.

V5.2 Sanitization and Sandboxing Requirements

Server Side Request Forgery Prevention Cheat Sheet.

XSS Prevention Cheat Sheet.

DOM based XSS Prevention Cheat Sheet.

Unvalidated Redirects and Forwards Cheat Sheet.

V5.3 Output encoding and Injection Prevention Requirements

XSS Prevention Cheat Sheet.

DOM based XSS Prevention Cheat Sheet.

HTML5 Security Cheat Sheet.

Injection Prevention Cheat Sheet.

Injection Prevention Cheat Sheet in Java.

Input Validation Cheat Sheet.

LDAP Injection Prevention Cheat Sheet.

OS Command Injection Defense Cheat Sheet.

Protect File Upload Against Malicious File.

Query Parameterization Cheat Sheet.

SQL Injection Prevention Cheat Sheet.

Unvalidated Redirects and Forwards Cheat Sheet.

Bean Validation Cheat Sheet.

XXE Prevention Cheat Sheet.

XML Security Cheat Sheet.

V5.4 Memory, String, and Unmanaged Code Requirements

None.

V5.5 Deserialization Prevention Requirements

Deserialization Cheat Sheet.

XXE Prevention Cheat Sheet.

XML Security Cheat Sheet.

V6: Stored Cryptography Verification Requirements

V6.1 Data Classification

Abuse Case Cheat Sheet.

User Privacy Protection Cheat Sheet.

V6.2 Algorithms

Cryptographic Storage Cheat Sheet.

Key Management Cheat Sheet.

V6.3 Random Values

None.

V6.4 Secret Management

Key Management Cheat Sheet.

V7: Error Handling and Logging Verification Requirements

V7.1 Log Content Requirements

Logging Cheat Sheet.

V7.2 Log Processing Requirements

Logging Cheat Sheet.

V7.3 Log Protection Requirements

Logging Cheat Sheet.

V7.4 Error Handling

Error Handling Cheat Sheet.

V8: Data Protection Verification Requirements

V8.1 General Data Protection

None.

V8.2 Client-side Data Protection

None.

V8.3 Sensitive Private Data

None.

V9: Communications Verification Requirements

V9.1 Communications Security Requirements

HTTP Strict Transport Security Cheat Sheet.

Transport Layer Protection Cheat Sheet.

TLS Cipher String Cheat Sheet.

V9.2 Server Communications Security Requirements

None.

V10: Malicious Code Verification Requirements

V10.1 Code Integrity Controls

Third Party Javascript Management Cheat Sheet.

V10.2 Malicious Code Search

None.

V10.3 Deployed Application Integrity Controls

Docker Security Cheat Sheet.

V11: Business Logic Verification Requirements

V11.1 Business Logic Security Requirements

Abuse Case Cheat Sheet.

V12: File and Resources Verification Requirements

V12.1 File Upload Requirements

Protect File Upload Against Malicious File.

V12.2 File Integrity Requirements

Protect File Upload Against Malicious File.

Third Party Javascript Management Cheat Sheet.

V12.3 File execution Requirements

None.

V12.4 File Storage Requirements

None.

V12.5 File Download Requirements

None.

V12.6 SSRF Protection Requirements

Server Side Request Forgery Prevention Cheat Sheet.

Unvalidated Redirects and Forwards Cheat Sheet.

V13: API and Web Service Verification Requirements

V13.1 Generic Web Service Security Verification Requirements

Web Service Security Cheat Sheet.

Server Side Request Forgery Prevention Cheat Sheet.

V13.2 RESTful Web Service Verification Requirements

REST Assessment Cheat Sheet.

REST Security Cheat Sheet.

Cross-Site Request Forgery Prevention Cheat Sheet.

V13.3 SOAP Web Service Verification Requirements

XML Security Cheat Sheet.

V13.4 GraphQL and other Web Service Data Layer Security Requirements

None.

V14: Configuration Verification Requirements

V14.1 Build

Docker Security Cheat Sheet.

V14.2 Dependency

Docker Security Cheat Sheet.

Vulnerable Dependency Management Cheat Sheet.

V14.3 Unintended Security Disclosure Requirements

Error Handling Cheat Sheet.

V14.4 HTTP Security Headers Requirements

Content Security Policy Cheat Sheet.

V14.5 Validate HTTP Request Header Requirements

None.