OWASP ASVS
Definition
The OWASP Application Security Verification Standard (ASVS) is a community-maintained, open standard that lists the security requirements a web application or web service should meet. It is used in three ways: as a checklist for architects and developers while designing and building an application, as the basis for security verification (code review and penetration testing) once it is built, and as a way to state security requirements in contracts and procurement. ASVS 4.0.3 groups its requirements into chapters (V1 Architecture through V14 Configuration) and assigns each a level. Level 1 is the minimum every application should meet and can largely be verified by black-box testing; Level 2 is the recommended target for applications that handle sensitive data; Level 3 is for high-value applications (for example medical, financial or critical-infrastructure systems) and expects in-depth verification of design and code. An organization picks the level that matches an application's risk profile and then verifies against every requirement at that level, not just a sample.
Secure Settings Example
# Configuration that meets the OWASP ASVS 4.0.3 requirements noted in the comments
# (illustrative settings schema, not the format of any particular product)
security:
  headers:
    # V14.4.3: a CSP that blocks inline script and plugins. Inline script that is
    # genuinely needed gets a per-response nonce or a hash, never 'unsafe-inline'
    contentSecurityPolicy: "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none';"
  authentication:
    passwordPolicy:
      minLength: 12                # V2.1.1: at least 12 characters
      maxLength: 128               # V2.1.2: at least 64 characters must be permitted
      denyBreachedPasswords: true  # V2.1.7: reject passwords found in breach corpora
      # V2.1.9 prohibits composition rules (required digits or symbols), so none are set
  sessionManagement:
    secureCookies: true            # V3.4.1: Secure attribute on session cookies
    httpOnlyCookies: true          # V3.4.2: HttpOnly attribute
    sameSiteCookies: "Strict"      # V3.4.3: SameSite attribute (Lax is also acceptable)
Insecure Settings Example
# Configuration that fails the same OWASP ASVS 4.0.3 requirements
security:
  headers:
    # Fails V14.4.3: wildcard sources let any origin supply scripts and plugins,
    # so the policy does nothing to limit an XSS
    contentSecurityPolicy: "default-src *; script-src *; object-src *;"
  authentication:
    passwordPolicy:
      minLength: 6                 # Fails V2.1.1: minimum is 12 characters
      # No breached-password check configured: fails V2.1.7
  sessionManagement:
    secureCookies: false           # Fails V3.4.1: cookie also sent over plaintext HTTP
    httpOnlyCookies: false         # Fails V3.4.2: cookie readable from script, so XSS can steal it
    sameSiteCookies: "None"        # Fails V3.4.3: cookie attached to cross-site requests (CSRF)
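The two configurations above are only useful if something checks them. As an added example that is not part of the original page or of the ASVS project, the following Python script audits an HTTP response (Content-Security-Policy and Set-Cookie headers) and a password-policy setting against the ASVS 4.0.3 requirements the examples illustrate: V14.4.3 for CSP, V3.4.1 to V3.4.3 for session cookies, and V2.1.1, V2.1.2, V2.1.7 and V2.1.9 for passwords. The header dictionaries and policy keys are assumptions of this example, constructed to mirror the secure and insecure settings above, not the interface of any real tool.

```python
# Added example, not ASVS project code: audit a response and a password policy
# against ASVS 4.0.3 controls. Dictionary shapes here are this example's own.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    requirement: str  # ASVS 4.0.3 requirement ID, e.g. "V3.4.1"
    detail: str


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(policy: str | None) -> list[Finding]:
    """V14.4.3: a CSP exists and actually restricts script and plugin sources."""
    if not policy:
        return [Finding("V14.4.3", "no Content-Security-Policy header")]
    d, findings = parse_csp(policy), []
    # Fetch directives fall back to default-src when absent.
    script_src = d.get("script-src", d.get("default-src"))
    object_src = d.get("object-src", d.get("default-src"))
    if script_src is None:
        findings.append(Finding("V14.4.3", "neither script-src nor default-src is set"))
    else:
        if "*" in script_src:
            findings.append(Finding("V14.4.3", "script-src allows any origin (*)"))
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present
        # (the usual migration path), so only flag it when none is.
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script_src)
        if "'unsafe-inline'" in script_src and not nonce_or_hash:
            findings.append(Finding("V14.4.3", "script-src permits inline scripts"))
    if object_src != ["'none'"]:
        findings.append(Finding("V14.4.3", "object-src is not 'none'"))
    return findings


def check_session_cookie(set_cookie: str) -> list[Finding]:
    """V3.4.1-V3.4.3: Secure, HttpOnly and a restrictive SameSite on the session cookie."""
    first, *rest = (part.strip() for part in set_cookie.split(";"))
    name, attrs = first.split("=", 1)[0], {}
    for attr in filter(None, rest):  # bare flags map to True, key=value to the value
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    findings = []
    if attrs.get("secure") is not True:
        findings.append(Finding("V3.4.1", f"{name}: missing Secure attribute"))
    if attrs.get("httponly") is not True:
        findings.append(Finding("V3.4.2", f"{name}: missing HttpOnly attribute"))
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        findings.append(Finding("V3.4.3", f"{name}: SameSite missing or None"))
    return findings


def check_password_policy(policy: dict) -> list[Finding]:
    """V2.1.x: length floor and ceiling, breached-password check, no composition rules."""
    findings = []
    if policy.get("minLength", 0) < 12:
        findings.append(Finding("V2.1.1", "minimum length below 12 characters"))
    if policy.get("maxLength") is not None and policy["maxLength"] < 64:
        findings.append(Finding("V2.1.2", "fewer than 64 characters permitted"))
    if not policy.get("denyBreachedPasswords", False):
        findings.append(Finding("V2.1.7", "no check against breached-password lists"))
    if policy.get("requireNumbers") or policy.get("requireSpecialCharacters"):
        findings.append(Finding("V2.1.9", "composition rules restrict permitted characters"))
    return findings


def audit(headers: dict[str, list[str]], password_policy: dict) -> list[Finding]:
    """headers maps header name -> list of values (Set-Cookie may repeat)."""
    findings = check_csp(headers.get("Content-Security-Policy", [None])[0])
    for cookie in headers.get("Set-Cookie", []):
        findings += check_session_cookie(cookie)
    return findings + check_password_policy(password_policy)


# Constructed samples mirroring the secure and insecure configurations above.
SECURE_HEADERS = {
    "Content-Security-Policy": ["default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none';"],
    "Set-Cookie": ["session=7c1f9a2b; Path=/; Secure; HttpOnly; SameSite=Strict"],
}
SECURE_POLICY = {"minLength": 12, "maxLength": 128, "denyBreachedPasswords": True}
INSECURE_HEADERS = {
    "Content-Security-Policy": ["default-src *; script-src *; object-src *;"],
    "Set-Cookie": ["session=7c1f9a2b; Path=/; SameSite=None"],
}
INSECURE_POLICY = {"minLength": 6}

if __name__ == "__main__":
    for label, hdrs, pol in (("secure", SECURE_HEADERS, SECURE_POLICY), ("insecure", INSECURE_HEADERS, INSECURE_POLICY)):
        for f in audit(hdrs, pol):
            print(f"{label}: {f.requirement} {f.detail}")
```

Run as a script it prints nothing for the secure sample and seven findings for the insecure one (two CSP, three cookie, two password). Two design points worth noting: the CSP check deliberately does not flag 'unsafe-inline' when a nonce or hash source is also present, because CSP Level 2 browsers ignore 'unsafe-inline' in that case and that combination is how sites keep older browsers working during a migration; and the password check treats a required-digit or required-symbol rule as a failure, since ASVS V2.1.9 prohibits composition rules, which is the opposite of what many legacy "strong password" settings enforce.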