
Application Security Verification Standard

Results 327 ASVS issues

Spin-off from #2088 / the discussion over 14.2.6 and/or 14.2.8 comes from #1425. Current requirements: | # | Description | L1 | L2 | L3 | CWE | | :---:...

1) Discussion ongoing
_5.0 - prep
next meeting
V14

In V4 we have sections: * V4.1 General Access Control Design * V4.2 Operation Level Access Control Can we have a clear ruleset for why those are separate and by what conditions...

1) Discussion ongoing
_5.0 - prep
V4

Note: This is referenced as 4.3.7 in #2033 but has updated numbering This requirement addresses two parts: there should not be any objects that don't have their access undefined, but...

1) Discussion ongoing
_5.0 - prep
V4

Note: this is referenced as 4.1.10 in #2033, but I am updating the numbering to account for the skipped requirements. I propose the addition of a new requirement that addresses the...

1) Discussion ongoing
_5.0 - prep
V4

From the initial OAuth we have requirement: | # | Description | L1 | L2 | L3 | | :---: | :--- | :---: | :---: | :---: | |...

1) Discussion ongoing
_5.0 - prep
V51

TLDR from #1063: * We have changed the scope and removed requirements that are not clear about the application, such as software lifecycle, code beauty, etc. * We collect documentation...

1) Discussion ongoing
_5.0 - prep
josh/elar
V1

In the context of OpenID Connect, I was wondering whether a requirement mandating that user identities from different IdPs are properly separated, i.e. that an IdP cannot spoof a user...

1) Discussion ongoing
_5.0 - prep
V2

Following from #2113 and related to #2076, I propose the following update for 3.3.5: | # | Description | L1 | L2 | L3 | CWE | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html) |...

1) Discussion ongoing
4) proposal for review
5) awaiting PR
_5.0 - prep
V3

The FAPI 2.0 profile has this [requirement](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#name-general-requirements): > Authorization Servers[...] if using DPoP, shall support "Authorization Code Binding to DPoP Key" (as required by Section 10.1 of [[RFC9449](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#RFC9449)]); with this...

1) Discussion ongoing
_5.0 - prep
V51

Should we add a requirement about the risk of manipulation of the RAR authorization_details parameter? See the [security considerations](https://datatracker.ietf.org/doc/html/rfc9396#name-security-considerations) from the RAR specification (emphasis mine): > The authorization_details parameter is...

1) Discussion ongoing
_5.0 - prep
V51