ASVS V9 Data Protection

V9: Data Protection Verification Requirements

Control Objective

There are three key elements to sound data protection: Confidentiality, Integrity and Availability (CIA). This standard assumes that data protection is enforced on a trusted system, such as a server, which has been hardened and has sufficient protections.

Applications have to assume that all user devices are compromised in some way. Where an application transmits or stores sensitive information on insecure devices, such as shared computers, phones and tablets, the application is responsible for ensuring data stored on these devices is encrypted and cannot be easily illicitly obtained, altered or disclosed.

Ensure that a verified application satisfies the following high level data protection requirements:


 * Confidentiality: Data should be protected from unauthorised observation or disclosure both in transit and when stored.
 * Integrity: Data should be protected from being maliciously created, altered or deleted by unauthorized attackers.
 * Availability: Data should be available to authorized users as required.
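One concrete instance of the confidentiality objective above is sensitive data left in a browser or proxy cache on a shared device: the application cannot trust the device, so it has to tell the client not to store the response. The following is an added example of the kind of check a verifier might run, not ASVS text or tooling. The policy it enforces (a sensitive response must carry `Cache-Control: no-store`, must not be `public`, and must not advertise a positive `max-age`) is an assumption stated in the comments, and every sample response is constructed.

```python
"""Verifier helper: flag responses that carry sensitive data but would
let a browser or intermediary cache them.

Added example for this chapter; not ASVS text or tooling. The policy
below is an assumption, and the sample responses are constructed.
"""
from typing import Dict, List, Optional, Tuple


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive; e.g. "No-Store, max-age=0"
    becomes {"no-store": None, "max-age": "0"}.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip() or None
    return directives


def check_anti_caching(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that carries sensitive data.

    Assumed policy: 'no-store' must be present (so neither the browser
    nor a shared cache writes the body to disk), 'public' must be
    absent, and no positive max-age may be advertised. 'Pragma:
    no-cache' only matters to HTTP/1.0 caches, so it is not required.
    """
    findings: List[str] = []
    cache_control = get_header(headers, "Cache-Control")
    if cache_control is None:
        findings.append("missing Cache-Control header")
        return findings
    directives = parse_cache_control(cache_control)
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "public" in directives:
        findings.append("Cache-Control marks the response public")
    max_age = directives.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"Cache-Control allows caching for {max_age}s")
    return findings


# Constructed samples: (description, contains sensitive data?, headers).
# Whether a response is sensitive comes from the threat model, not from
# the headers, so it is supplied explicitly here.
SAMPLE_RESPONSES: List[Tuple[str, bool, Dict[str, str]]] = [
    ("account statement (PDF)", True, {
        "Content-Type": "application/pdf",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }),
    ("profile API response", True, {
        "Content-Type": "application/json",
        "Cache-Control": "private, max-age=600",
    }),
    ("search results page", True, {
        "Content-Type": "text/html; charset=utf-8",
    }),
    ("site logo", False, {
        "Content-Type": "image/png",
        "Cache-Control": "public, max-age=31536000",
    }),
]


def audit(responses: List[Tuple[str, bool, Dict[str, str]]]) -> Dict[str, List[str]]:
    """Run the anti-caching check over every response marked sensitive.

    Returns {description: findings}; an empty list means the response
    passes. Non-sensitive responses (static assets) are skipped.
    """
    return {
        description: check_anti_caching(headers)
        for description, sensitive, headers in responses
        if sensitive
    }


if __name__ == "__main__":
    for description, findings in audit(SAMPLE_RESPONSES).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{description}: {status}")
```

In a real verification the header sets would come from captured responses of the application under test; the point of the explicit "sensitive" flag is that cacheability has to be judged against what the response contains, not against its content type.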


Security Verification Requirements

References

For more information, see also:


 * [Consider using Security Headers website to check security and anti-caching headers](https://securityheaders.io)
 * [OWASP Secure Headers project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)
 * [User Privacy Protection Cheat Sheet](https://www.owasp.org/index.php/User_Privacy_Protection_Cheat_Sheet)