
OWASP Top Ten 2017

Relevant TSS-WEB Requirement

Coverage

A1- Injection

Primary: (1) Parametrization / ORM frameworks (SQL Injection) and (2) use of encoding APIs (see 8.4 Output Validation (Encoding & Escaping)).

Secondary: restrictive input validation (see 8.2 Input Validation)

Full

A2 - Broken Authentication

Use of secure and strong authentication mechanisms (see 8.5 User Authentication and Registration) and session management hardening (see 8.10 Hardening of Session Management).

Full

A3 - Sensitive Data Exposure

Application server hardening (see 3. Operational Requirements), restrictive error handling (see 8.12 Error Handling & Logging) as well as data protection measures (see 8.13 Data Security & Cryptography).

Full

A4 - XML External Entities (XXE)

Primary: Harden XML parser (see 8.2 Input Validation)

Full

A5 - Broken Access Control

Verification of every sensitive object access (on both functional and object layer) as well as the implementation of indirections (see section 8.11 Access Controls).

Full

A6 - Security Misconfiguration

Perform server hardening (see 3. Operational Requirements)

Full

A7 - Cross-Site Scripting (XSS)

Primary:

Context-sensitive output validation (see 8.4 Output Validation (Encoding & Escaping)), ideally implemented implicitly by a Web framework.

Secondary:

Use of security headers (see 8.15 Client-Side Security as well as Appendix A: Requirements for HTTP Security Header) and restrictive input validation (see 8.2 Input Validation).

Special Cases:

Untrusted HTML markup must be processed with mature HTML sanitizing APIs and secure JavaScript APIs (see 8.15 Client-Side Security). The same applies to Web frameworks that provide similar APIs (see section 8.4 Output Validation (Encoding & Escaping)).

Full

A8 - Insecure Deserialization

Primary: Keep your 3rd party components up to date and perform SCA assessments in the build pipeline (see 4. Protection of Source and Program Code).

Secondary: Perform strict input validation (see 8.2 Input Validation)

Full

A9 - Using Components with Known Vulnerabilities

Keep your 3rd party components up to date and perform SCA assessments in the build pipeline (see 4. Protection of Source and Program Code).

Full

A10 - Insufficient Logging & Monitoring

See 8.12 Error Handling & Logging

Full