![Page 1: IN5280 Security by Design - Universitetet i oslo · Testing Guide Zed Attack Proxy Juice Shop. WEB MOBILE CONTROLS. OWASP Risk Rating Methodology. A1: Injection SQL injection Command](https://reader033.vdocument.in/reader033/viewer/2022041621/5e3f4e06fb7ecc7d01216dc3/html5/thumbnails/1.jpg)
IN5280 Security by Design
OWASP
Newsbites
Application Security Verification Standard (ASVS)
Software Assurance Maturity Model (SAMM)
Top Ten
Testing Guide
Zed Attack Proxy
Juice Shop
WEB MOBILE CONTROLS
OWASP Risk Rating Methodology
A1: Injection
SQL injection
Command injection
Code injection
Buffer overflow
Preventing injection requires keeping data separate from commands and queries.
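The slide's one-line rule, "keep data separate from commands and queries", is what parameterized queries do. The following is an added example (not from the slides) using Python's standard sqlite3 module and a constructed in-memory users table; it puts the string-concatenated query beside the parameterized one so the difference in behaviour is visible on the same input.

```python
import sqlite3


def make_db():
    """Constructed sample database (assumption: three users, one with an apostrophe)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "obrien@example.com")],
    )
    return conn


def find_user_unsafe(conn, username):
    """Data is pasted into the command text, so the input can change the query."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Command text is fixed; the input travels separately as a bound parameter."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both variants over the same inputs and return what each one did."""
    conn = make_db()
    results = {
        "safe_exact": find_user_safe(conn, "alice"),
        # An apostrophe in legitimate data is handled as data, not syntax.
        "safe_quote_in_name": find_user_safe(conn, "o'brien"),
        # The classic tautology is compared literally against usernames: no match.
        "safe_tautology": find_user_safe(conn, "x' OR '1'='1"),
        # With concatenation the same string rewrites the WHERE clause.
        "unsafe_tautology": find_user_unsafe(conn, "x' OR '1'='1"),
    }
    try:
        find_user_unsafe(conn, "o'brien")
        results["unsafe_quote_in_name"] = "ok"
    except sqlite3.OperationalError:
        # The concatenated query is not even valid SQL once the data contains a quote.
        results["unsafe_quote_in_name"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same separation applies to command injection (pass an argument list to a subprocess API instead of building a shell string) and to code injection (never hand request data to an evaluator).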
A2: Broken authentication
Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
Do not ship or deploy with any default credentials, particularly for admin users.
A3: Sensitive data exposure
Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
Don’t store sensitive data unnecessarily. Discard it as soon as possible
A4: XML External Entities
Developer training is essential to identify and mitigate XXE. Whenever possible, use less complex data formats. Patch or upgrade all XML processors and libraries in use.
A5: Broken Access Control
Access control is only effective if enforced in trusted server-side code or serverless API, where the attacker cannot modify the access control check or metadata. With the exception of public resources, deny by default. Implement access control mechanisms once and re-use them throughout the application.
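The three rules on this slide (server-side enforcement, deny by default, one reusable mechanism) map directly onto a single decision function plus a decorator. This is an added example, not code from the slides or from OWASP; the roles, permissions and handlers are constructed for illustration.

```python
from functools import wraps

# Constructed policy table (assumption): role -> permissions it holds.
# Anything not listed is denied, which is what "deny by default" means in code.
POLICY = {
    "admin": {"report:read", "report:delete", "user:manage"},
    "analyst": {"report:read"},
}


class AccessDenied(Exception):
    pass


def is_allowed(role, permission):
    """The single, server-side decision point. An unknown role gets an empty set."""
    return permission in POLICY.get(role, set())


def requires(permission):
    """Decorator so every route reuses the same check instead of re-implementing it.

    `user` is the server-side session identity, never a flag taken from the request.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user.get("role"), permission):
                raise AccessDenied(f"{user.get('name')} lacks {permission}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@requires("report:read")
def read_report(user, report_id):
    return f"report {report_id} read by {user['name']}"


@requires("report:delete")
def delete_report(user, report_id):
    return f"report {report_id} deleted by {user['name']}"


def try_call(handler, user, *args):
    """Helper for the demo: turn a denial into a value instead of an exception."""
    try:
        return handler(user, *args)
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    analyst = {"name": "ann", "role": "analyst"}
    print(try_call(read_report, analyst, 7))
    print(try_call(delete_report, analyst, 7))
```

Because the role is read from the server-side session object and the check runs before the handler body, a client that edits its own requests cannot change the outcome; a missing or unrecognised role falls through to a denial rather than to an error path that might leak through.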
A6: Security Misconfiguration
Secure installation processes should be implemented, including:
- A repeatable hardening process
- A minimal platform without any unnecessary features or components
- A task to review and update the configurations
- A segmented application architecture
- An automated process to verify the effectiveness of the configurations and settings in all environments
A7: Cross-site scripting (XSS)
Preventing XSS requires separation of untrusted data from active browser content:
• Using frameworks that automatically escape XSS by design
• Escaping untrusted HTTP request data based on the context in the HTML output
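"Based on the context in the HTML output" is the part that is easy to get wrong: the same value needs a different encoding in an HTML element, in a URL parameter and inside a script block. The following is an added example (not from the slides) using only Python's standard library; the `render_profile` template is constructed for illustration, and a real application would get this from an auto-escaping template engine rather than by hand.

```python
import html
import json
from urllib.parse import quote


def for_html(value):
    """HTML body or quoted attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def for_url_param(value):
    """Query-string value context: percent-encode everything except unreserved chars."""
    return quote(value, safe="")


def for_js_string(value):
    """JavaScript string context inside <script>: JSON-encode, then also escape
    < and > so a value containing '</script>' cannot terminate the block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_profile(display_name, bio, homepage):
    """Constructed template: each untrusted value is encoded for the slot it lands in."""
    return (
        "<h1>" + for_html(display_name) + "</h1>\n"
        '<p data-bio="' + for_html(bio) + '">' + for_html(bio) + "</p>\n"
        '<a href="/go?u=' + for_url_param(homepage) + '">site</a>\n'
        "<script>const displayName = " + for_js_string(display_name) + ";</script>"
    )


if __name__ == "__main__":
    print(render_profile('say "hi" & <bye>', "bio </script>", "https://example.com/?a=1&b=2"))
```

Note that HTML-escaping a value and then dropping it into a script block is not enough (entities are not decoded inside `<script>`), and percent-encoding is not enough for an HTML attribute; each slot gets its own encoder, which is why frameworks that choose the encoder from the template context are the recommended route.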
A8: Insecure Deserialization
Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker. The only safe architectural pattern is not to accept serialized objects from untrusted sources, or to use serialization mediums that only permit primitive data types.
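One way to implement "serialization mediums that only permit primitive data types" is to accept JSON only, and then check the decoded value against an explicit schema of primitive fields before any application code touches it. This is an added example (not from the slides); the order schema and sample payloads are constructed for illustration.

```python
import json

# Constructed schema (assumption): the only keys an order may carry and the
# primitive type each one must have. No nested objects, no type tags.
ORDER_SCHEMA = {"order_id": int, "sku": str, "quantity": int, "gift": bool}


class UnsafePayload(ValueError):
    pass


def load_order(payload: bytes) -> dict:
    """Decode a flat JSON object of primitives; reject everything else.

    Object-graph formats (pickle, Java serialization, YAML with tags) are never
    offered to the decoder, so there is no path from input bytes to object
    construction.
    """
    try:
        data = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UnsafePayload(f"not a JSON document: {exc}") from exc
    if not isinstance(data, dict):
        raise UnsafePayload("top level must be an object")
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise UnsafePayload(f"unexpected keys: {sorted(unknown)}")
    missing = set(ORDER_SCHEMA) - set(data)
    if missing:
        raise UnsafePayload(f"missing keys: {sorted(missing)}")
    for key, expected in ORDER_SCHEMA.items():
        value = data[key]
        # type() rather than isinstance(): bool is a subclass of int in Python,
        # so `true` must not be accepted where an int is required.
        if type(value) is not expected:
            raise UnsafePayload(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    return data


def is_rejected(payload: bytes) -> bool:
    """Helper for the demo: True when load_order refuses the payload."""
    try:
        load_order(payload)
    except UnsafePayload:
        return True
    return False


if __name__ == "__main__":
    good = b'{"order_id": 42, "sku": "A-1", "quantity": 2, "gift": false}'
    print(load_order(good))
    print(is_rejected(b'{"order_id": 42, "sku": "A-1", "quantity": {"ref": 1}, "gift": false}'))
```

The allow-list direction matters: the code names what it will accept and refuses the rest, so a payload carrying an unexpected key, a nested structure or non-text bytes never reaches business logic.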
A9: Using components with known vulnerabilities
There should be a patch management process in place to:
• Remove unused dependencies, unnecessary features, components, files, and documentation.
• Continuously inventory the versions of client-side and server-side components and their dependencies using tools.
• Only obtain components from official sources over secure links.
• Monitor for libraries and components that are unmaintained or do not create security patches for older versions.
A10: Insufficient logging & monitoring
• Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient detail
• Ensure that logs are generated in a format that can be easily consumed
• Ensure high-value transactions have an audit trail with integrity controls
• Establish effective monitoring and alerting
• Establish or adopt an incident response and recovery plan
OWASP Mobile Top 10 (2016)
OWASP Mobile Top 10 (part 2)
What’s next for developers?
The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project.
They are ordered by importance, with control number 1 being the most important.
Written by developers – for developers.
OWASP Top Ten Proactive Controls (2018)
ASVS is a community-driven effort to create a framework of security requirements and controls that focus on defining the functional and non-functional security controls required when designing, developing and testing modern web applications and web services.
ASVS has two main goals:
• to help organizations develop and maintain secure applications.
• to allow security service vendors, security tools vendors, and consumers to align their requirements and offerings.
Application Security Verification Levels
• The Application Security Verification Standard defines three security verification levels, with each level increasing in depth.
• ASVS Level 1 is for low assurance levels, and is completely penetration testable
• ASVS Level 2 is for applications that contain sensitive data, which requires protection, and is the recommended level for most apps
• ASVS Level 3 is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust.
• Each ASVS level contains a list of security requirements. Each of these requirements can also be mapped to security-specific features and capabilities that must be built into software by developers.
Application Security Verification Levels
ASVS Requirements
• V1: Architecture, Design and Threat Modeling Requirements
• V2: Authentication Verification Requirements
• V3: Session Management Verification Requirements
• V4: Access Control Verification Requirements
• V5: Validation, Sanitization and Encoding Verification Requirements
• V6: Stored Cryptography Verification Requirements
• V7: Error Handling and Logging Verification Requirements
• V8: Data Protection Verification Requirements
• V9: Communications Verification Requirements
• V10: Malicious Code Verification Requirements
• V11: Business Logic Verification Requirements
• V12: File and Resources Verification Requirements
• V13: API and Web Service Verification Requirements
• V14: Configuration Verification Requirements
V1: Architecture, Design and Threat Modeling Requirements
• V1.1 Secure Software Development Lifecycle Requirements
• V1.2 Authentication Architectural Requirements
• V1.3 Session Management Architectural Requirements (placeholder)
• V1.4 Access Control Architectural Requirements
• V1.5 Input and Output Architectural Requirements
• V1.6 Cryptographic Architectural Requirements
• V1.7 Errors, Logging and Auditing Architectural Requirements
• V1.8 Data Protection and Privacy Architectural Requirements
• V1.9 Communications Architectural Requirements
• V1.10 Malicious Software Architectural Requirements
• V1.11 Business Logic Architectural Requirements
• V1.12 Secure File Upload Architectural Requirements
• V1.13 API Architectural Requirements (placeholder)
• V1.14 Configuration Architectural Requirements
V1.1 Secure Software Development Lifecycle Requirements
V1.11 Business Logic Architectural Requirements
• No L1 requirements in V1
• Only one L3 requirement
V2: Authentication Verification Requirements
• V2.1 Password Security Requirements
• V2.2 General Authenticator Requirements
• V2.3 Authenticator Lifecycle Requirements
• V2.4 Credential Storage Requirements
• V2.5 Credential Recovery Requirements
• V2.6 Look-up Secret Verifier Requirements
• V2.7 Out of Band Verifier Requirements
• V2.8 Single or Multi Factor One Time Verifier Requirements
• V2.9 Cryptographic Software and Devices Verifier Requirements
• V2.10 Service Authentication Requirements
• References: NIST 800-63 - Modern, evidence-based authentication standard
V2.1 Password Security Requirements
V2.5 Credential Recovery Requirements
V3: Session Management Verification Requirements
• V3.1 Fundamental Session Management Requirements
• V3.2 Session Binding Requirements
• V3.3 Session Logout and Timeout Requirements
• V3.4 Cookie-based Session Management
• V3.5 Token-based Session Management
• V3.6 Re-authentication from a Federation or Assertion
• V3.7 Defenses Against Session Management Exploits
V3.1 Fundamental Session Management Requirements
V3.3 Session Logout and Timeout Requirements
V3.7 Defenses Against Session Management Exploits
V4: Access Control Verification Requirements
• V4.1 General Access Control Design
• V4.2 Operation Level Access Control
• V4.3 Other Access Control Considerations
V4.1 General Access Control Design
V5: Validation, Sanitization and Encoding Verification Requirements
• V5.1 Input Validation Requirements
• V5.2 Sanitization and Sandboxing Requirements
• V5.3 Output encoding and Injection Prevention Requirements
• V5.4 Memory, String, and Unmanaged Code Requirements
• V5.5 Deserialization Prevention Requirements
V5.1 Input Validation Requirements
V6: Stored Cryptography Verification Requirements
• V6.1 Data Classification
• V6.2 Algorithms
• V6.3 Random Values
• V6.4 Secret Management
V6.1 Data Classification
V6.4 Secret Management
• Although this section is not easily penetration tested, developers should consider this entire section as mandatory even though L1 is missing from most of the items.
V7: Error Handling and Logging Verification Requirements
• V7.1 Log Content Requirements
• V7.2 Log Processing Requirements
• V7.3 Log Protection Requirements
• V7.4 Error Handling
V7.1 Log Content Requirements
Logging sensitive information is dangerous - the logs become classified themselves, which means they need to be encrypted, become subject to retention policies, and must be disclosed in security audits. Ensure only necessary information is kept in logs, and certainly no payment, credentials (including session tokens), sensitive or personally identifiable information.
V7.4 Error Handling
The purpose of error handling is to allow the application to provide security relevant events for monitoring, triage and escalation. The purpose is not to create logs. When logging security related events, ensure that there is a purpose to the log, and that it can be distinguished by SIEM or analysis software.
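The A10 slide asks for security failures logged "with sufficient detail" in "a format that can be easily consumed", while V7.1 forbids credentials and session tokens in those logs and V7.4 wants each event distinguishable by a SIEM. One structure that satisfies all three is a JSON record with a fixed `event` and `outcome` field, built through a redaction step. This is an added example (not from the slides); the sensitive-key list, the token pattern and the sample events are constructed for illustration, and `203.0.113.7` is a documentation address.

```python
import json
import logging
import re
from datetime import datetime, timezone

# Constructed allow/deny lists (assumption): keys whose values never reach the log,
# and a pattern for bearer tokens that may be embedded inside free-text strings.
SENSITIVE_KEYS = {"password", "session_token", "authorization", "card_number"}
TOKEN_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._-]+")

logger = logging.getLogger("security")


def redact(value):
    """Recursively strip secrets from dicts and strings before they are serialized."""
    if isinstance(value, dict):
        return {
            k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return TOKEN_RE.sub(r"\1[REDACTED]", value)
    return value


def security_event(event, outcome, **fields):
    """Build one machine-readable record.

    `event` (e.g. "auth.login", "authz.denied", "input.rejected") and `outcome`
    ("success"/"failure") are the fields a SIEM rule keys on; everything else is
    context, passed through redact().
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "outcome": outcome,
    }
    record.update(redact(fields))
    return record


def log_security_event(event, outcome, **fields):
    """Emit the record as a single JSON line and return it for callers/tests."""
    record = security_event(event, outcome, **fields)
    logger.warning(json.dumps(record, sort_keys=True))
    return record


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    # Constructed sample events: a failed login and a denied access check.
    log_security_event("auth.login", "failure", user="alice",
                       src_ip="203.0.113.7", password="hunter2", reason="bad_password")
    log_security_event("authz.denied", "failure", user="bob", resource="/admin",
                       headers={"Authorization": "Bearer abc.def.ghi"})
```

Every record carries who, from where, what was attempted and why it failed, which is the detail an analyst needs for triage, while the password and the bearer token are replaced before the line is written, so the log file itself never becomes a credential store.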
V8: Data Protection Verification Requirements
• V8.1 General Data Protection
• V8.2 Client-side Data Protection
• V8.3 Sensitive Private Data
V8.1 General Data Protection
V9: Communications Verification Requirements
• V9.1 Communications Security Requirements
• V9.2 Server Communications Security Requirements
V9.1 Communications Security Requirements
V9.2 Server Communications Security Requirements
Server communications are more than just HTTP. Secure connections to and from other systems, such as monitoring systems, management tools, remote access and ssh, middleware, database, mainframes, partner or external source systems — must be in place. All of these must be encrypted to prevent "hard on the outside, trivially easy to intercept on the inside".
V10: Malicious Code Verification Requirements
• V10.1 Code Integrity Controls
• V10.2 Malicious Code Search
• V10.3 Deployed Application Integrity Controls
V10.1 Code Integrity Controls
The best defense against malicious code is "trust, but verify". Introducing unauthorized or malicious code into code is often a criminal offence in many jurisdictions. Policies and procedures should make sanctions regarding malicious code clear. Lead developers should regularly review code check-ins, particularly those that might access time, I/O, or network functions.
V10.3 Deployed Application Integrity Controls
Once an application is deployed, malicious code can still be inserted. Applications need to protect themselves against common attacks, such as executing unsigned code from untrusted sources and sub-domain takeovers.
V11: Business Logic Verification Requirements
• V11.1 Business Logic Security Requirements
• Business logic security is so individual to every application that no one checklist will ever apply.
• Business logic security must be designed in to protect against likely external threats - it cannot be added using web application firewalls or secure communications.
• We recommend the use of threat modelling during design sprints, for example using the OWASP Cornucopia or similar tools.
OWASP Cornucopia
https://youtu.be/i5Y0akWj31k
V12: File and Resources Verification Requirements
• V12.1 File Upload Requirements
• V12.2 File Integrity Requirements
• V12.3 File execution Requirements
• V12.4 File Storage Requirements
• V12.5 File Download Requirements
• V12.6 SSRF Protection Requirements
V12.1 File Upload Requirements
V12.4 File Storage Requirements
V13: API and Web Service Verification Requirements
• V13.1 Generic Web Service Security Verification Requirements
• V13.2 RESTful Web Service Verification Requirements
• V13.3 SOAP Web Service Verification Requirements
• V13.4 GraphQL and other Web Service Data Layer Security Requirements
V13.1 Generic Web Service Security Verification Requirements
V14: Configuration Verification Requirements
• V14.1 Build
• V14.2 Dependency
• V14.3 Unintended Security Disclosure Requirements
• V14.4 HTTP Security Headers Requirements
• V14.5 Validate HTTP Request Header Requirements
Ensure that a verified application has:
• A secure, repeatable, automatable build environment.
• Hardened third party library, dependency and configuration management such that out of date or insecure components are not included by the application.
• A secure-by-default configuration, such that administrators and users have to weaken the default security posture.
Configuration of the application out of the box should be safe to be on the Internet, which means a safe out of the box configuration.
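Both the A6 slide ("an automated process to verify the effectiveness of the configurations and settings in all environments") and this V14 slide ("secure-by-default configuration") come down to the same mechanism: a baseline of safe values, and a check that runs in every environment and reports every deviation. This is an added example (not from the slides); the baseline keys, the sample weak and hardened configurations and the finding texts are constructed for illustration, so map them onto your own application's settings.

```python
# Constructed secure-by-default baseline (assumption): the values a deployment must keep.
BASELINE = {
    "must_be_false": ("debug", "directory_listing", "admin_password_is_default"),
    "tls_min_version": "1.2",
    "required_headers": {
        "Content-Security-Policy",
        "Strict-Transport-Security",
        "X-Content-Type-Options",
    },
}


def _version(v):
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in str(v).split("."))


def check_config(config):
    """Return a list of findings; an empty list means the config meets the baseline.

    A setting that is absent counts as a finding: secure by default means the safe
    value is present and explicit, not inferred from whatever the platform does.
    """
    findings = []
    for key in BASELINE["must_be_false"]:
        if config.get(key, True) is not False:
            findings.append(f"{key} must be false (got {config.get(key, 'unset')})")
    tls = config.get("tls_min_version")
    if tls is None or _version(tls) < _version(BASELINE["tls_min_version"]):
        findings.append(f"tls_min_version must be >= {BASELINE['tls_min_version']} (got {tls})")
    missing = BASELINE["required_headers"] - set(config.get("security_headers", ()))
    if missing:
        findings.append(f"missing security headers: {sorted(missing)}")
    return findings


# Constructed sample configurations for the demo.
WEAK = {
    "debug": True,
    "directory_listing": True,
    "tls_min_version": "1.0",
    "admin_password_is_default": True,
    "security_headers": {"X-Content-Type-Options"},
}
HARDENED = {
    "debug": False,
    "directory_listing": False,
    "tls_min_version": "1.3",
    "admin_password_is_default": False,
    "security_headers": {
        "Content-Security-Policy",
        "Strict-Transport-Security",
        "X-Content-Type-Options",
    },
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_config(cfg) or "OK")
```

Wired into a deployment pipeline, a non-empty finding list fails the build, so a configuration drift in staging or production is caught by the same check that guards development rather than discovered by a penetration test later.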
V14.2 Dependency