
CASA


Summary

The Cloud Application Security Assessment (CASA) builds on the industry-recognized OWASP Application Security Verification Standard (ASVS) to provide a consistent set of requirements for hardening the security of any application.

Definitions

Definition | Requirements

1_2_2. Authentication Architecture
    186. Use the principle of least privilege
    228. Authenticate using standard protocols
1_2_3. Authentication Architecture
    264. Request authentication
1_4_1. Access Control Architecture
    265. Restrict access to critical processes
    320. Avoid client-side control enforcement
1_4_4. Access Control Architecture
    228. Authenticate using standard protocols
    264. Request authentication
1_5_2. Input and Output Architecture
    321. Avoid deserializing untrusted data
1_5_3. Input and Output Architecture
    173. Discard unsafe inputs
1_5_4. Input and Output Architecture
    160. Encode system outputs
1_8_2. Data Protection and Privacy Architecture
    026. Encrypt client-side session information
    185. Encrypt sensitive information
    329. Keep client-side storage without sensitive data
1_9_1. Communications Architecture
    147. Use pre-existent mechanisms
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
1_11_3. Communications Architecture
    337. Make critical logic flows thread safe
1_14_1. Configuration Architecture
    176. Restrict system objects
1_14_2. Configuration Architecture
    330. Verify Subresource Integrity
1_14_3. Configuration Architecture
    330. Verify Subresource Integrity
1_14_4. Configuration Architecture
    330. Verify Subresource Integrity
1_14_5. Configuration Architecture
    321. Avoid deserializing untrusted data
    374. Use of isolation methods in running applications
1_14_6. Configuration Architecture
    262. Verify third-party components
2_2_1. General Authenticator Security
    237. Ascertain human interaction
2_2_4. General Authenticator Security
    328. Request MFA for critical systems
2_2_5. General Authenticator Security
    181. Transmit data using secure protocols
    338. Implement perfect forward secrecy
2_3_1. Authenticator Lifecycle
    138. Define lifespan for temporary passwords
    367. Proper generation of temporary passwords
2_4_1. Credential Storage
    127. Store hashed passwords
    134. Store passwords with salt
    150. Set minimum size for hash functions
2_4_3. Credential Storage
    127. Store hashed passwords
2_4_5. Credential Storage
    135. Passwords with random salt
2_6_1. Look-up Secret Verifier
    131. Deny multiple password changing attempts
2_7_2. Out of Band Verifier
    335. Define out of band token lifespan
2_7_3. Out of Band Verifier
    335. Define out of band token lifespan
2_7_4. Out of Band Verifier
    338. Implement perfect forward secrecy
2_7_5. Out of Band Verifier
    153. Out of band transactions
2_7_6. Out of Band Verifier
    223. Uniform distribution in random numbers
2_8_2. One Time Verifier
    232. Require equipment identity
2_8_5. One Time Verifier
    377. Store logs based on valid regulation
2_8_6. One Time Verifier
    141. Force re-authentication
2_9_1. Cryptographic Verifier
    145. Protect system cryptographic keys
2_9_3. Cryptographic Verifier
    224. Use secure cryptographic mechanisms
2_10_1. Service Authentication
    122. Validate credential ownership
    228. Authenticate using standard protocols
    236. Establish authentication time
    264. Request authentication
    319. Make authentication options equally secure
    334. Avoid knowledge-based authentication
    362. Assign MFA mechanisms to a single account
2_10_2. Service Authentication
    142. Change system default credentials
2_10_3. Service Authentication
    134. Store passwords with salt
2_10_4. Service Authentication
    156. Source code without sensitive information
3_2_3. Session Binding
    029. Cookies with security attributes
3_3_1. Session Termination
    030. Avoid object reutilization
3_3_3. Session Termination
    028. Allow users to log out
    141. Force re-authentication
3_3_4. Session Termination
    028. Allow users to log out
3_4_1. Cookie-based Session Management
    029. Cookies with security attributes
3_4_2. Cookie-based Session Management
    029. Cookies with security attributes
3_4_3. Cookie-based Session Management
    029. Cookies with security attributes
3_5_1. Token-based Session Management
    173. Discard unsafe inputs
3_5_2. Token-based Session Management
    357. Use stateless session tokens
3_5_3. Token-based Session Management
    357. Use stateless session tokens
3_7_1. Defenses Against Session Management Exploits
    319. Make authentication options equally secure
4_1_1. General Access Control Design
    096. Set user's required privileges
    341. Use the principle of deny by default
4_1_2. General Access Control Design
    026. Encrypt client-side session information
    096. Set user's required privileges
4_1_3. General Access Control Design
    186. Use the principle of least privilege
4_1_5. General Access Control Design
    359. Avoid using generic exceptions
4_2_2. Operation Level Access Control
    030. Avoid object reutilization
    031. Discard user session data
    141. Force re-authentication
4_3_1. Other Access Control Considerations
    122. Validate credential ownership
    153. Out of band transactions
    176. Restrict system objects
    229. Request access credentials
    231. Implement a biometric verification component
    264. Request authentication
    266. Disable insecure functionalities
    319. Make authentication options equally secure
    328. Request MFA for critical systems
4_3_2. Other Access Control Considerations
    176. Restrict system objects
    266. Disable insecure functionalities
4_3_3. Other Access Control Considerations
    176. Restrict system objects
    186. Use the principle of least privilege
    341. Use the principle of deny by default
5_1_1. Input Validation
    342. Validate request parameters
5_1_2. Input Validation
    237. Ascertain human interaction
    327. Set a rate limit
5_1_3. Input Validation
    342. Validate request parameters
5_1_4. Input Validation
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
    342. Validate request parameters
5_1_5. Input Validation
    324. Control redirects
5_2_3. Sanitization and Sandboxing
    115. Filter malicious emails
    118. Inspect attachments
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
5_2_4. Sanitization and Sandboxing
    344. Avoid dynamic code execution
5_2_5. Sanitization and Sandboxing
    173. Discard unsafe inputs
    176. Restrict system objects
    265. Restrict access to critical processes
    266. Disable insecure functionalities
5_2_6. Sanitization and Sandboxing
    173. Discard unsafe inputs
    324. Control redirects
5_2_7. Sanitization and Sandboxing
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
5_3_1. Output Encoding and Injection Prevention
    160. Encode system outputs
5_3_2. Output Encoding and Injection Prevention
    044. Define an explicit charset
5_3_3. Output Encoding and Injection Prevention
    173. Discard unsafe inputs
    342. Validate request parameters
5_3_4. Output Encoding and Injection Prevention
    169. Use parameterized queries
5_3_6. Output Encoding and Injection Prevention
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
    342. Validate request parameters
5_3_7. Output Encoding and Injection Prevention
    173. Discard unsafe inputs
5_3_8. Output Encoding and Injection Prevention
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities
5_3_9. Output Encoding and Injection Prevention
    348. Use consistent encoding
5_3_10. Output Encoding and Injection Prevention
    173. Discard unsafe inputs
5_5_1. Deserialization Prevention
    321. Avoid deserializing untrusted data
5_5_2. Deserialization Prevention
    157. Use the strict mode
6_1_1. Data Classification
    185. Encrypt sensitive information
6_1_2. Data Classification
    185. Encrypt sensitive information
6_1_3. Data Classification
    185. Encrypt sensitive information
6_2_1. Algorithms
    148. Set minimum size of asymmetric encryption
6_2_2. Algorithms
    147. Use pre-existent mechanisms
6_2_3. Algorithms
    346. Use initialization vectors once
6_2_4. Algorithms
    223. Uniform distribution in random numbers
6_2_5. Algorithms
    148. Set minimum size of asymmetric encryption
    150. Set minimum size for hash functions
6_2_6. Algorithms
    346. Use initialization vectors once
6_2_7. Algorithms
    148. Set minimum size of asymmetric encryption
    149. Set minimum size of symmetric encryption
    150. Set minimum size for hash functions
    181. Transmit data using secure protocols
6_2_8. Algorithms
    224. Use secure cryptographic mechanisms
6_3_1. Random Values
    223. Uniform distribution in random numbers
6_3_2. Random Values
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
6_3_3. Random Values
    223. Uniform distribution in random numbers
    224. Use secure cryptographic mechanisms
6_4_2. Secret Management
    156. Source code without sensitive information
    380. Define a password management tool
7_1_1. Log Content
    083. Avoid logging sensitive data
7_1_2. Log Content
    377. Store logs based on valid regulation
7_1_3. Log Content
    075. Record exceptional events in logs
7_3_1. Log Protection
    080. Prevent log modification
    173. Discard unsafe inputs
7_3_3. Log Protection
    080. Prevent log modification
8_1_1. General Data Protection
    266. Disable insecure functionalities
8_1_3. General Data Protection
    173. Discard unsafe inputs
    320. Avoid client-side control enforcement
8_1_6. General Data Protection
    046. Manage the integrity of critical files
    185. Encrypt sensitive information
8_2_1. Client-side Data Protection
    329. Keep client-side storage without sensitive data
    375. Remove sensitive data from client-side applications
8_2_2. Client-side Data Protection
    329. Keep client-side storage without sensitive data
    339. Avoid storing sensitive files in the web root
8_3_1. Sensitive Private Data
    349. Include HTTP security headers
8_3_2. Sensitive Private Data
    317. Allow erasure requests
8_3_3. Sensitive Private Data
    189. Specify the purpose of data collection
8_3_5. Sensitive Private Data
    323. Exclude unverifiable files
8_3_6. Sensitive Private Data
    350. Enable memory protection mechanisms
8_3_8. Sensitive Private Data
    360. Remove unnecessary sensitive information
9_1_2. Client Communication Security
    181. Transmit data using secure protocols
    336. Disable insecure TLS versions
9_1_3. Client Communication Security
    336. Disable insecure TLS versions
9_2_1. Server Communication Security
    091. Use internally signed certificates
    092. Use externally signed certificates
9_2_4. Server Communication Security
    088. Request client certificates
    089. Limit validity of certificates
    090. Use valid certificates
9_2_5. Server Communication Security
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
10_1_1. Code Integrity
    155. Application free of malicious code
10_2_3. Malicious Code Search
    154. Eliminate backdoors
10_2_4. Malicious Code Search
    262. Verify third-party components
10_2_5. Malicious Code Search
    262. Verify third-party components
10_3_2. Application Integrity
    178. Use digital signatures
    262. Verify third-party components
    330. Verify Subresource Integrity
10_3_3. Application Integrity
    266. Disable insecure functionalities
11_1_4. Business Logic Security
    039. Define maximum file size
    043. Define an explicit content type
    072. Set maximum response time
    327. Set a rate limit
12_4_1. File Storage
    339. Avoid storing sensitive files in the web root
12_4_2. File Storage
    118. Inspect attachments
13_1_1. Generic Web Service Security
    348. Use consistent encoding
13_1_3. Generic Web Service Security
    261. Avoid exposing sensitive information
13_1_4. Generic Web Service Security
    095. Define users with privileges
    177. Avoid caching and temporary files
    320. Avoid client-side control enforcement
    341. Use the principle of deny by default
13_2_1. RESTful Web Service
    342. Validate request parameters
14_1_1. Build and Deploy
    051. Store source code in a repository
    062. Define standard configurations
    158. Use a secure programming language
14_1_4. Build and Deploy
    062. Define standard configurations
14_1_5. Build and Deploy
    228. Authenticate using standard protocols
    229. Request access credentials
    235. Define credential interface
    264. Request authentication
14_2_1. Dependency
    302. Declare dependencies explicitly
14_3_2. Unintended Security Disclosure
    078. Disable debugging events
14_5_2. HTTP Request Header Validation
    129. Validate previous passwords