ASVS V10 Communications

From OWASP
Jump to: navigation, search
  1. V10: Communications Verification Requirements
    1. Control Objective

Ensure that a verified application satisfies the following high level requirements:

  • That TLS is used where sensitive data is transmitted.
  • That strong algorithms and ciphers are used at all times.


    1. Security Verification Requirements

| # | Description | L1 | L2 | L3 | Since | | --- | --- | --- | --- | -- | -- | | **10.1** | Verify that a path can be built from a trusted CA to each Transport Layer Security (TLS) server certificate, and that each server certificate is valid. | ✓ | ✓ | ✓ | 1.0 | | **10.1** | Verify that TLS is used for all connections (including both external and backend connections) that are authenticated or that involve sensitive data or functions, and does not fall back to insecure or unencrypted protocols. Ensure the strongest alternative is the preferred algorithm. | ✓ | ✓ | ✓ | 3.0 | | **10.1** | Verify that backend TLS connection failures are logged. | | | ✓ | 1.0 | | **10.1** | Verify that certificate paths are built and verified for all client certificates using configured trust anchors and revocation information. | | | ✓ | 1.0 | | **10.1** | Verify that all connections to external systems that involve sensitive information or functions are authenticated. | | ✓ | ✓ | 1.0 | | **10.1** | Verify that there is a single standard TLS implementation that is used by the application that is configured to operate in an approved mode of operation. | | | ✓ | 1.0 | | **10.1** | Verify that TLS certificate public key pinning (HPKP) is implemented with production and backup public keys. For more information, please see the references below. | | ✓ | ✓ | 3.0.1 | | **10.1** | Verify that HTTP Strict Transport Security headers are included on all requests and for all subdomains, such as Strict-Transport-Security: max-age=15724800; includeSubdomains | ✓ | ✓ | ✓ | 3.0 | | **10.1** | Verify that production website URL has been submitted to preloaded list of Strict Transport Security domains maintained by web browser vendors. Please see the references below. | | | ✓ | 3.0 | | **10.1** | Verify that perfect forward secrecy is configured to mitigate passive attackers recording traffic. | ✓ | ✓ | ✓ | 3.1 | | **10.1** | Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured. | ✓ | ✓ | ✓ | 3.0 | | **10.1** | Verify that only strong algorithms, ciphers, and protocols are used, through all the certificate hierarchy, including root and intermediary certificates of your selected certifying authority. | ✓ | ✓ | ✓ | 3.0 | | **10.1** | Verify that the TLS settings are in line with current leading practice, particularly as common configurations, ciphers, and algorithms become insecure. | ✓ | ✓ | ✓ | 3.0 |


    1. References

For more information, see also: