CASA

Summary

The Cloud Application Security Assessment (CASA) builds upon the industry-recognized OWASP Application Security Verification Standard (ASVS) to provide a consistent set of requirements for hardening the security of any application.

Definitions

Each CASA definition (identified by its ASVS-derived number and category) is listed below, followed by the Fluid Attacks requirements it maps to:

Definition / Requirements
1_2_2. Authentication Architecture
186. Use the principle of least privilege
228. Authenticate using standard protocols
1_2_3. Authentication Architecture
264. Request authentication
1_4_1. Access Control Architecture
265. Restrict access to critical processes
320. Avoid client-side control enforcement
1_4_4. Access Control Architecture
228. Authenticate using standard protocols
264. Request authentication
1_5_2. Input and Output Architecture
321. Avoid deserializing untrusted data
1_5_3. Input and Output Architecture
173. Discard unsafe inputs
1_5_4. Input and Output Architecture
160. Encode system outputs
1_8_2. Data Protection and Privacy Architecture
026. Encrypt client-side session information
185. Encrypt sensitive information
329. Keep client-side storage without sensitive data
1_9_1. Communications Architecture
147. Use pre-existent mechanisms
181. Transmit data using secure protocols
224. Use secure cryptographic mechanisms
1_11_3. Communications Architecture
337. Make critical logic flows thread safe
1_14_1. Configuration Architecture
176. Restrict system objects
1_14_2. Configuration Architecture
330. Verify Subresource Integrity
1_14_3. Configuration Architecture
330. Verify Subresource Integrity
1_14_4. Configuration Architecture
330. Verify Subresource Integrity
1_14_5. Configuration Architecture
321. Avoid deserializing untrusted data
374. Use of isolation methods in running applications
1_14_6. Configuration Architecture
262. Verify third-party components
2_2_1. General Authenticator Security
237. Ascertain human interaction
2_2_4. General Authenticator Security
328. Request MFA for critical systems
2_2_5. General Authenticator Security
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
2_3_1. Authenticator Lifecycle
138. Define lifespan for temporary passwords
367. Proper generation of temporary passwords
2_4_1. Credential Storage
127. Store hashed passwords
134. Store passwords with salt
150. Set minimum size for hash functions
2_4_3. Credential Storage
127. Store hashed passwords
2_4_5. Credential Storage
135. Passwords with random salt
2_6_1. Look-up Secret Verifier
131. Deny multiple password changing attempts
2_7_2. Out of Band Verifier
335. Define out of band token lifespan
2_7_3. Out of Band Verifier
335. Define out of band token lifespan
2_7_4. Out of Band Verifier
338. Implement perfect forward secrecy
2_7_5. Out of Band Verifier
153. Out of band transactions
2_7_6. Out of Band Verifier
223. Uniform distribution in random numbers
2_8_2. One Time Verifier
232. Require equipment identity
2_8_5. One Time Verifier
377. Store logs based on valid regulation
2_8_6. One Time Verifier
141. Force re-authentication
2_9_1. Cryptographic Verifier
145. Protect system cryptographic keys
2_9_3. Cryptographic Verifier
224. Use secure cryptographic mechanisms
2_10_1. Service Authentication
122. Validate credential ownership
228. Authenticate using standard protocols
236. Establish authentication time
264. Request authentication
319. Make authentication options equally secure
334. Avoid knowledge-based authentication
362. Assign MFA mechanisms to a single account
2_10_2. Service Authentication
142. Change system default credentials
2_10_3. Service Authentication
134. Store passwords with salt
2_10_4. Service Authentication
156. Source code without sensitive information
3_2_3. Session Binding
029. Cookies with security attributes
3_3_1. Session Termination
030. Avoid object reutilization
3_3_3. Session Termination
028. Allow users to log out
141. Force re-authentication
3_3_4. Session Termination
028. Allow users to log out
3_4_1. Cookie-based Session Management
029. Cookies with security attributes
3_4_2. Cookie-based Session Management
029. Cookies with security attributes
3_4_3. Cookie-based Session Management
029. Cookies with security attributes
3_5_1. Token-based Session Management
173. Discard unsafe inputs
3_5_2. Token-based Session Management
357. Use stateless session tokens
3_5_3. Token-based Session Management
357. Use stateless session tokens
3_7_1. Defenses Against Session Management Exploits
319. Make authentication options equally secure
4_1_1. General Access Control Design
096. Set user's required privileges
341. Use the principle of deny by default
4_1_2. General Access Control Design
026. Encrypt client-side session information
096. Set user's required privileges
4_1_3. General Access Control Design
186. Use the principle of least privilege
4_1_5. General Access Control Design
359. Avoid using generic exceptions
4_2_2. Operation Level Access Control
030. Avoid object reutilization
031. Discard user session data
141. Force re-authentication
4_3_1. Other Access Control Considerations
122. Validate credential ownership
153. Out of band transactions
176. Restrict system objects
229. Request access credentials
231. Implement a biometric verification component
264. Request authentication
266. Disable insecure functionalities
319. Make authentication options equally secure
328. Request MFA for critical systems
4_3_2. Other Access Control Considerations
176. Restrict system objects
266. Disable insecure functionalities
4_3_3. Other Access Control Considerations
176. Restrict system objects
186. Use the principle of least privilege
341. Use the principle of deny by default
5_1_1. Input Validation
342. Validate request parameters
5_1_2. Input Validation
237. Ascertain human interaction
327. Set a rate limit
5_1_3. Input Validation
342. Validate request parameters
5_1_4. Input Validation
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
5_1_5. Input Validation
324. Control redirects
5_2_3. Sanitization and Sandboxing
115. Filter malicious emails
118. Inspect attachments
173. Discard unsafe inputs
320. Avoid client-side control enforcement
5_2_4. Sanitization and Sandboxing
344. Avoid dynamic code execution
5_2_5. Sanitization and Sandboxing
173. Discard unsafe inputs
176. Restrict system objects
265. Restrict access to critical processes
266. Disable insecure functionalities
5_2_6. Sanitization and Sandboxing
173. Discard unsafe inputs
324. Control redirects
5_2_7. Sanitization and Sandboxing
173. Discard unsafe inputs
320. Avoid client-side control enforcement
5_3_1. Output Encoding and Injection Prevention
160. Encode system outputs
5_3_2. Output Encoding and Injection Prevention
044. Define an explicit charset
5_3_3. Output Encoding and Injection Prevention
173. Discard unsafe inputs
342. Validate request parameters
5_3_4. Output Encoding and Injection Prevention
169. Use parameterized queries
5_3_6. Output Encoding and Injection Prevention
173. Discard unsafe inputs
320. Avoid client-side control enforcement
342. Validate request parameters
5_3_7. Output Encoding and Injection Prevention
173. Discard unsafe inputs
5_3_8. Output Encoding and Injection Prevention
173. Discard unsafe inputs
265. Restrict access to critical processes
266. Disable insecure functionalities
5_3_9. Output Encoding and Injection Prevention
348. Use consistent encoding
5_3_10. Output Encoding and Injection Prevention
173. Discard unsafe inputs
5_5_1. Deserialization Prevention
321. Avoid deserializing untrusted data
5_5_2. Deserialization Prevention
157. Use the strict mode
6_1_1. Data Classification
185. Encrypt sensitive information
6_1_2. Data Classification
185. Encrypt sensitive information
6_1_3. Data Classification
185. Encrypt sensitive information
6_2_1. Algorithms
148. Set minimum size of asymmetric encryption
6_2_2. Algorithms
147. Use pre-existent mechanisms
6_2_3. Algorithms
346. Use initialization vectors once
6_2_4. Algorithms
223. Uniform distribution in random numbers
6_2_5. Algorithms
148. Set minimum size of asymmetric encryption
150. Set minimum size for hash functions
6_2_6. Algorithms
346. Use initialization vectors once
6_2_7. Algorithms
148. Set minimum size of asymmetric encryption
149. Set minimum size of symmetric encryption
150. Set minimum size for hash functions
181. Transmit data using secure protocols
6_2_8. Algorithms
224. Use secure cryptographic mechanisms
6_3_1. Random Values
223. Uniform distribution in random numbers
6_3_2. Random Values
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
6_3_3. Random Values
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
6_4_2. Secret Management
156. Source code without sensitive information
380. Define a password management tool
7_1_1. Log Content
083. Avoid logging sensitive data
7_1_2. Log Content
377. Store logs based on valid regulation
7_1_3. Log Content
075. Record exceptional events in logs
7_3_1. Log Protection
080. Prevent log modification
173. Discard unsafe inputs
7_3_3. Log Protection
080. Prevent log modification
8_1_1. General Data Protection
266. Disable insecure functionalities
8_1_3. General Data Protection
173. Discard unsafe inputs
320. Avoid client-side control enforcement
8_1_6. General Data Protection
046. Manage the integrity of critical files
185. Encrypt sensitive information
8_2_1. Client-side Data Protection
329. Keep client-side storage without sensitive data
375. Remove sensitive data from client-side applications
8_2_2. Client-side Data Protection
329. Keep client-side storage without sensitive data
339. Avoid storing sensitive files in the web root
8_3_1. Sensitive Private Data
349. Include HTTP security headers
8_3_2. Sensitive Private Data
317. Allow erasure requests
8_3_3. Sensitive Private Data
189. Specify the purpose of data collection
8_3_5. Sensitive Private Data
323. Exclude unverifiable files
8_3_6. Sensitive Private Data
350. Enable memory protection mechanisms
8_3_8. Sensitive Private Data
360. Remove unnecessary sensitive information
9_1_2. Client Communication Security
181. Transmit data using secure protocols
336. Disable insecure TLS versions
9_1_3. Client Communication Security
336. Disable insecure TLS versions
9_2_1. Server Communication Security
091. Use internally signed certificates
092. Use externally signed certificates
9_2_4. Server Communication Security
088. Request client certificates
089. Limit validity of certificates
090. Use valid certificates
9_2_5. Server Communication Security
075. Record exceptional events in logs
079. Record exact occurrence time of events
10_1_1. Code Integrity
155. Application free of malicious code
10_2_3. Malicious Code Search
154. Eliminate backdoors
10_2_4. Malicious Code Search
262. Verify third-party components
10_2_5. Malicious Code Search
262. Verify third-party components
10_3_2. Application Integrity
178. Use digital signatures
262. Verify third-party components
330. Verify Subresource Integrity
10_3_3. Application Integrity
266. Disable insecure functionalities
11_1_4. Business Logic Security
039. Define maximum file size
043. Define an explicit content type
072. Set maximum response time
327. Set a rate limit
12_4_1. File Storage
339. Avoid storing sensitive files in the web root
12_4_2. File Storage
118. Inspect attachments
13_1_1. Generic Web Service Security
348. Use consistent encoding
13_1_3. Generic Web Service Security
261. Avoid exposing sensitive information
13_1_4. Generic Web Service Security
095. Define users with privileges
177. Avoid caching and temporary files
320. Avoid client-side control enforcement
341. Use the principle of deny by default
13_2_1. RESTful Web Service
342. Validate request parameters
14_1_1. Build and Deploy
051. Store source code in a repository
062. Define standard configurations
158. Use a secure programming language
14_1_4. Build and Deploy
062. Define standard configurations
14_1_5. Build and Deploy
228. Authenticate using standard protocols
229. Request access credentials
235. Define credential interface
264. Request authentication
14_2_1. Dependency
302. Declare dependencies explicitly
14_3_2. Unintended Security Disclosure
078. Disable debugging events
14_5_2. HTTP Request Header Validation
129. Validate previous passwords