Level 3 controls

Level 3 contains 278 controls listed below:

01-architecture-design-and-threat-modeling

01-secure-software-development-lifecycle

  • V1.1.1 Verify the use of a secure software development li ...
  • V1.1.2 Verify the use of threat modeling for every design ...
  • V1.1.3 All user stories and features contain functional s ...
  • V1.1.4 Verify documentation and justification of all the ...
  • V1.1.5 Verify definition and security analysis of the app ...
  • V1.1.6 Verify implementation of centralized, simple (econ ...
  • V1.1.7 Verify availability of a secure coding checklist, ...

02-authentication-architecture

  • V1.2.1 Verify the use of unique or special low-privilege ...
  • V1.2.2 Communications between application components, inc ...
  • V1.2.3 The application uses a single vetted authenticatio ...
  • V1.2.4 All authentication pathways and identity managemen ...

04-access-control-architecture

  • V1.4.1 Trusted enforcement points, such as access control ...
  • V1.4.4 Verify the application uses a single and well-vett ...
  • V1.4.5 Attribute or feature-based access control is used ...

05-input-and-output-architecture

  • V1.5.1 Input and output requirements clearly define how t ...
  • V1.5.2 Serialization is not used when communicating with ...
  • V1.5.3 Input validation is enforced on a trusted service ...
  • V1.5.4 Output encoding occurs close to or by the interpre ...

06-cryptographic-architecture

  • V1.6.1 There is an explicit policy for management of cryp ...
  • V1.6.2 Consumers of cryptographic services protect key ma ...
  • V1.6.3 All keys and passwords are replaceable and are par ...
  • V1.6.4 The architecture treats client-side secrets--such ...

07-errors-logging-and-auditing-architecture

  • V1.7.1 A common logging format and approach is used acros ...
  • V1.7.2 Logs are securely transmitted to a preferably remo ...

08-data-protection-and-privacy-architecture

  • V1.8.1 All sensitive data is identified and classified in ...
  • V1.8.2 All protection levels have an associated set of pr ...

09-communications-architecture

  • V1.9.1 Verify the application encrypts communications bet ...
  • V1.9.2 Application components verify the authenticity of ...

10-malicious-software-architecture

  • V1.10.1 A source code control system is in use, with proce ...

11-business-logic-architecture

  • V1.11.1 Verify the definition and documentation of all app ...
  • V1.11.2 All high-value business logic flows, including aut ...
  • V1.11.3 All high-value business logic flows, including aut ...

12-secure-file-upload-architecture

  • V1.12.2 User-uploaded files - if required to be displayed ...

14-configuration-architecture

  • V1.14.1 Verify the segregation of components of differing ...
  • V1.14.2 Binary signatures, trusted connections, and verifi ...
  • V1.14.3 The build pipeline warns of out-of-date or insecur ...
  • V1.14.4 The build pipeline contains a build step to automa ...
  • V1.14.5 Application deployments adequately sandbox, contai ...
  • V1.14.6 Verify the application does not use unsupported, i ...

02-authentication

01-password-security

  • V2.1.1 User set passwords are at least 12 characters in l ...
  • V2.1.2 Passwords of at least 64 characters are permitted, ...
  • V2.1.3 Password truncation is not performed. however, con ...
  • V2.1.4 Any printable unicode character, including languag ...
  • V2.1.5 Verify users can change their password. ...
  • V2.1.6 Password change functionality requires the user's ...
  • V2.1.7 Passwords submitted during account registration, l ...
  • V2.1.8 A password strength meter is provided to help user ...
  • V2.1.9 There are no password composition rules limiting t ...
  • V2.1.10 There are no periodic credential rotation or passw ...
  • V2.1.11 "paste" functionality, browser password helpers, a ...
  • V2.1.12 The user can choose to either temporarily view the ...

02-general-authenticator-security

  • V2.2.1 Anti-automation controls are effective at mitigati ...
  • V2.2.2 The use of weak authenticators (such as sms and em ...
  • V2.2.3 Secure notifications are sent to users after updat ...
  • V2.2.4 Verify impersonation resistance against phishing, ...
  • V2.2.5 Where a credential service provider (csp) and the ...
  • V2.2.6 Verify replay resistance through the mandated use ...
  • V2.2.7 Verify intent to authenticate by requiring the ent ...

03-authenticator-lifecycle

  • V2.3.1 Verify system generated initial passwords or activ ...
  • V2.3.2 Enrollment and use of user-provided authentication ...
  • V2.3.3 Renewal instructions are sent with sufficient time ...

04-credential-storage

  • V2.4.1 Passwords are stored in a form that is resistant t ...
  • V2.4.2 The salt is at least 32 bits in length and be chos ...
  • V2.4.3 If pbkdf2 is used, the iteration count should be a ...
  • V2.4.4 If bcrypt is used, the work factor should be as la ...
  • V2.4.5 An additional iteration of a key derivation functi ...

05-credential-recovery

  • V2.5.1 A system generated initial activation or recovery ...
  • V2.5.2 Verify password hints or knowledge-based authentic ...
  • V2.5.3 Verify password credential recovery does not revea ...
  • V2.5.4 Verify shared or default accounts are not present ...
  • V2.5.5 If an authentication factor is changed or replaced ...
  • V2.5.6 Verify forgotten password, and other recovery path ...
  • V2.5.7 If otp or multi-factor authentication factors are ...

06-look-up-secret-verifier

  • V2.6.1 Lookup secrets can be used only once. ...
  • V2.6.2 Lookup secrets have sufficient randomness (112 bit ...
  • V2.6.3 Lookup secrets are resistant to offline attacks, s ...

07-out-of-band-verifier

  • V2.7.1 Clear text out of band (nist "restricted") authent ...
  • V2.7.2 The out of band verifier expires out of band authe ...
  • V2.7.3 The out of band verifier authentication requests, ...
  • V2.7.4 The out of band authenticator and verifier communi ...
  • V2.7.5 The out of band verifier retains only a hashed ver ...
  • V2.7.6 The initial authentication code is generated by a ...

08-one-time-verifier

  • V2.8.1 Time-based otps have a defined lifetime before exp ...
  • V2.8.2 Symmetric keys used to verify submitted otps are h ...
  • V2.8.3 Approved cryptographic algorithms are used in the ...
  • V2.8.4 Time-based otp can be used only once within the va ...
  • V2.8.5 If a time-based multi-factor otp token is re-used ...
  • V2.8.6 Verify physical single-factor otp generator can be ...
  • V2.8.7 Biometric authenticators are limited to use only a ...

09-cryptographic-verifier

  • V2.9.1 Cryptographic keys used in verification are stored ...
  • V2.9.2 The challenge nonce is at least 64 bits in length, ...
  • V2.9.3 Approved cryptographic algorithms are used in the ...

10-service-authentication

  • V2.10.1 Intra-service secrets do not rely on unchanging cr ...
  • V2.10.2 If passwords are required for service authenticati ...
  • V2.10.3 Passwords are stored with sufficient protection to ...
  • V2.10.4 Verify passwords, integrations with databases and ...

03-session-management

01-fundamental-session-management-security

  • V3.1.1 Verify the application never reveals session token ...

02-session-binding

  • V3.2.1 Verify the application generates a new session tok ...
  • V3.2.2 Session tokens possess at least 64 bits of entropy ...
  • V3.2.3 Verify the application only stores session tokens ...
  • V3.2.4 Session tokens are generated using approved crypto ...

03-session-termination

  • V3.3.1 Logout and expiration invalidate the session token ...
  • V3.3.2 If authenticators permit users to remain logged in ...
  • V3.3.3 The application gives the option to terminate all ...
  • V3.3.4 Users are able to view and (having re-entered logi ...
  • V3.4.1 Cookie-based session tokens have the 'secure' attr ...
  • V3.4.2 Cookie-based session tokens have the 'httponly' at ...
  • V3.4.3 Cookie-based session tokens utilize the 'samesite' ...
  • V3.4.4 Cookie-based session tokens use the "__host-" pref ...
  • V3.4.5 If the application is published under a domain nam ...

05-token-based-session-management

  • V3.5.1 Verify the application allows users to revoke oaut ...
  • V3.5.2 Verify the application uses session tokens rather ...
  • V3.5.3 Stateless session tokens use digital signatures, e ...

06-federated-re-authentication

  • V3.6.1 Relying parties (rps) specify the maximum authenti ...
  • V3.6.2 Credential service providers (csps) inform relying ...

07-defenses-against-session-management-exploits

  • V3.7.1 Verify the application ensures a full, valid login ...

04-access-control

01-general-access-control-design

  • V4.1.1 The application enforces access control rules on a ...
  • V4.1.2 All user and data attributes and policy informatio ...
  • V4.1.3 The principle of least privilege exists - users sh ...
  • V4.1.5 Access controls fail securely including when an ex ...

02-operation-level-access-control

  • V4.2.1 Sensitive data and apis are protected against inse ...
  • V4.2.2 The application or framework enforces a strong ant ...

03-other-access-control-considerations

  • V4.3.1 Verify administrative interfaces use appropriate m ...
  • V4.3.2 Directory browsing is disabled unless deliberately ...
  • V4.3.3 Verify the application has additional authorizatio ...

05-validation-sanitization-and-encoding

01-input-validation

  • V5.1.1 The application has defenses against http paramete ...
  • V5.1.2 Frameworks protect against mass parameter assignme ...
  • V5.1.3 All input (html form fields, rest requests, url pa ...
  • V5.1.4 Structured data is strongly typed and validated ag ...
  • V5.1.5 Url redirects and forwards only allow destinations ...

02-sanitization-and-sandboxing

  • V5.2.1 All untrusted html input from wysiwyg editors or s ...
  • V5.2.2 Unstructured data is sanitized to enforce safety m ...
  • V5.2.3 The application sanitizes user input before passin ...
  • V5.2.4 The application avoids the use of eval() or other ...
  • V5.2.5 The application protects against template injectio ...
  • V5.2.6 The application protects against ssrf attacks, by ...
  • V5.2.7 The application sanitizes, disables, or sandboxes ...
  • V5.2.8 The application sanitizes, disables, or sandboxes ...

03-output-encoding-and-injection-prevention

  • V5.3.1 Output encoding is relevant for the interpreter an ...
  • V5.3.2 Output encoding preserves the user's chosen charac ...
  • V5.3.3 Context-aware, preferably automated - or at worst, ...
  • V5.3.4 Data selection or database queries (e.g. sql, hql, ...
  • V5.3.5 Where parameterized or safer mechanisms are not pr ...
  • V5.3.6 The application protects against json injection at ...
  • V5.3.7 The application protects against ldap injection vu ...
  • V5.3.8 The application protects against os command inject ...
  • V5.3.9 The application protects against local file inclus ...
  • V5.3.10 The application protects against xpath injection o ...

04-memory-string-and-unmanaged-code

  • V5.4.1 The application uses memory-safe string, safer mem ...
  • V5.4.2 Format strings do not take potentially hostile inp ...
  • V5.4.3 Sign, range, and input validation techniques are u ...

05-deserialization-prevention

  • V5.5.1 Serialized objects use integrity checks or are enc ...
  • V5.5.2 The application correctly restricts xml parsers to ...
  • V5.5.3 Deserialization of untrusted data is avoided or is ...
  • V5.5.4 When parsing json in browsers or javascript-based ...

06-stored-cryptography

01-data-classification

  • V6.1.1 Regulated private data is stored encrypted while a ...
  • V6.1.2 Regulated health data is stored encrypted while at ...
  • V6.1.3 Regulated financial data is stored encrypted while ...

02-algorithms

  • V6.2.1 All cryptographic modules fail securely, and error ...
  • V6.2.2 Industry proven or government approved cryptograph ...
  • V6.2.3 Encryption initialization vector, cipher configura ...
  • V6.2.4 Random number, encryption or hashing algorithms, k ...
  • V6.2.5 Known insecure block modes (i.e. ecb, etc.), paddi ...
  • V6.2.6 Nonces, initialization vectors, and other single u ...
  • V6.2.7 Encrypted data is authenticated via signatures, au ...
  • V6.2.8 All cryptographic operations are constant-time, wi ...

03-random-values

  • V6.3.1 All random numbers, random file names, random guid ...
  • V6.3.2 Random guids are created using the guid v4 algorit ...
  • V6.3.3 Random numbers are created with proper entropy eve ...

04-secret-management

  • V6.4.1 A secrets management solution such as a key vault ...
  • V6.4.2 Key material is not exposed to the application but ...

07-error-handling-and-logging

01-log-content

  • V7.1.1 The application does not log credentials or paymen ...
  • V7.1.2 The application does not log other sensitive data ...
  • V7.1.3 The application logs security relevant events incl ...
  • V7.1.4 Each log event includes necessary information that ...

02-log-processing

  • V7.2.1 All authentication decisions are logged, without s ...
  • V7.2.2 All access control decisions can be logged and all ...

03-log-protection

  • V7.3.1 All logging components appropriately encode data t ...
  • V7.3.3 Security logs are protected from unauthorized acce ...
  • V7.3.4 Time sources are synchronized to the correct time ...

04-error-handling

  • V7.4.1 A generic message is shown when an unexpected or s ...
  • V7.4.2 Exception handling (or a functional equivalent) is ...
  • V7.4.3 A "last resort" error handler is defined which wil ...

08-data-protection

01-general-data-protection

  • V8.1.1 Verify the application protects sensitive data fro ...
  • V8.1.2 All cached or temporary copies of sensitive data s ...
  • V8.1.3 Verify the application minimizes the number of par ...
  • V8.1.4 Verify the application can detect and alert on abn ...
  • V8.1.5 Regular backups of important data are performed an ...
  • V8.1.6 Backups are stored securely to prevent data from b ...

02-client-side-data-protection

  • V8.2.1 Verify the application sets sufficient anti-cachin ...
  • V8.2.2 Data stored in browser storage (such as localstora ...
  • V8.2.3 Authenticated data is cleared from client storage, ...

03-sensitive-private-data

  • V8.3.1 Sensitive data is sent to the server in the http m ...
  • V8.3.2 Users have a method to remove or export their data ...
  • V8.3.3 Users are provided clear language regarding collec ...
  • V8.3.4 All sensitive data created and processed by the ap ...
  • V8.3.5 Verify accessing sensitive data is audited (withou ...
  • V8.3.6 Sensitive information contained in memory is overw ...
  • V8.3.7 Sensitive or private information that is required ...
  • V8.3.8 Sensitive personal information is subject to data ...

09-communication

01-client-communication-security

  • V9.1.1 Tls is used for all client connectivity, and does ...
  • V9.1.2 Verify using up to date tls testing tools that onl ...
  • V9.1.3 Only the latest recommended versions of the tls pr ...

02-server-communication-security

  • V9.2.1 Connections to and from the server use trusted tls ...
  • V9.2.2 Encrypted communications such as tls is used for a ...
  • V9.2.3 All encrypted connections to external systems that ...
  • V9.2.4 Proper certification revocation, such as online ce ...
  • V9.2.5 Backend tls connection failures are logged. ...

10-malicious-code

01-code-integrity

  • V10.1.1 A code analysis tool is in use that can detect pot ...
  • V10.2.1 The application source code and third party librar ...
  • V10.2.2 The application does not ask for unnecessary or ex ...
  • V10.2.3 The application source code and third party librar ...
  • V10.2.4 The application source code and third party librar ...
  • V10.2.5 The application source code and third party librar ...
  • V10.2.6 The application source code and third party librar ...

03-application-integrity

  • V10.3.1 If the application has a client or server auto-upd ...
  • V10.3.2 The application employs integrity protections, suc ...
  • V10.3.3 The application has protection from subdomain take ...

11-business-logic

01-business-logic-security

  • V11.1.1 The application will only process business logic f ...
  • V11.1.2 The application will only process business logic f ...
  • V11.1.3 Verify the application has appropriate limits for ...
  • V11.1.4 The application has anti-automation controls to pr ...
  • V11.1.5 Verify the application has business logic limits o ...
  • V11.1.6 The application does not suffer from "time of chec ...
  • V11.1.7 The application monitors for unusual events or act ...
  • V11.1.8 The application has configurable alerting when aut ...

12-files-and-resources

01-file-upload

  • V12.1.1 The application will not accept large files that c ...
  • V12.1.2 The application checks compressed files (e.g. zip, ...
  • V12.1.3 A file size quota and maximum number of files per ...

02-file-integrity

  • V12.2.1 Files obtained from untrusted sources are validate ...

03-file-execution

  • V12.3.1 User-submitted filename metadata is not used direc ...
  • V12.3.2 User-submitted filename metadata is validated or i ...
  • V12.3.3 User-submitted filename metadata is validated or i ...
  • V12.3.4 The application protects against reflective file d ...
  • V12.3.5 Untrusted file metadata is not used directly with ...
  • V12.3.6 The application does not include and execute funct ...

04-file-storage

  • V12.4.1 Files obtained from untrusted sources are stored o ...
  • V12.4.2 Files obtained from untrusted sources are scanned ...

05-file-download

  • V12.5.1 The web tier is configured to serve only files wit ...
  • V12.5.2 Direct requests to uploaded files will never be ex ...

06-ssrf-protection

  • V12.6.1 The web or application server is configured with a ...

13-api-and-web-service

01-generic-web-service-security

  • V13.1.1 All application components use the same encodings ...
  • V13.1.3 Verify api urls do not expose sensitive informatio ...
  • V13.1.4 Authorization decisions are made at both the uri, ...
  • V13.1.5 Requests containing unexpected or missing content ...

02-restful-web-service

  • V13.2.1 Enabled restful http methods are a valid choice fo ...
  • V13.2.2 Json schema validation is in place and verified be ...
  • V13.2.3 Restful web services that utilize cookies are prot ...
  • V13.2.5 Rest services explicitly check the incoming conten ...
  • V13.2.6 The message headers and payload are trustworthy an ...

03-soap-web-service

  • V13.3.1 Xsd schema validation takes place to ensure a prop ...
  • V13.3.2 The message payload is signed using ws-security to ...

04-graphql

  • V13.4.1 A query allow list or a combination of depth limit ...
  • V13.4.2 Graphql or other data layer authorization logic sh ...

14-configuration

01-build-and-deploy

  • V14.1.1 The application build and deployment processes are ...
  • V14.1.2 Compiler flags are configured to enable all availa ...
  • V14.1.3 Server configuration is hardened as per the recomm ...
  • V14.1.4 The application, configuration, and all dependenci ...
  • V14.1.5 Authorized administrators can verify the integrity ...

02-dependency

  • V14.2.1 All components are up to date, preferably using a ...
  • V14.2.2 All unneeded features, documentation, sample appli ...
  • V14.2.3 If application assets, such as javascript librarie ...
  • V14.2.4 Third party components come from pre-defined, trus ...
  • V14.2.5 A software bill of materials (sbom) is maintained ...
  • V14.2.6 The attack surface is reduced by sandboxing or enc ...

03-unintended-security-disclosure

  • V14.3.2 Web or application server and application framewor ...
  • V14.3.3 The http headers or any part of the http response ...

04-http-security-headers

  • V14.4.1 Every http response contains a content-type header ...
  • V14.4.2 All api responses contain a content-disposition: a ...
  • V14.4.3 A content security policy (csp) response header is ...
  • V14.4.4 All responses contain a x-content-type-options: no ...
  • V14.4.5 A strict-transport-security header is included on ...
  • V14.4.6 A suitable referrer-policy header is included to a ...
  • V14.4.7 The content of a web application cannot be embedde ...

05-http-request-header-validation

  • V14.5.1 The application server only accepts the http metho ...
  • V14.5.2 The supplied origin header is not used for authent ...
  • V14.5.3 The cross-origin resource sharing (cors) access-co ...
  • V14.5.4 Http headers added by a trusted proxy or sso devic ...
Github logo View source on GitHub

Loading comments 0%

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.