{ "framework_id": "OWASP_ASVS", "display_name": "OWASP Application Security Verification Standard 4.0", "license": { "type": "cc_by_sa_4", "rag_allowed": true, "use_as_metadata": true }, "domains": [ { "domain_id": "V1", "title": "Architecture, Design and Threat Modeling", "aliases": ["architecture", "architektur", "design", "threat modeling", "bedrohungsmodellierung"], "keywords": ["architektur", "design", "threat model", "bedrohung", "modellierung"], "subcontrols": [ { "subcontrol_id": "V1.1", "title": "Secure Software Development Lifecycle", "statement": "Ein sicherer Softwareentwicklungs-Lebenszyklus (SSDLC) muss definiert und angewendet werden.", "keywords": ["sdlc", "lifecycle", "lebenszyklus", "entwicklung"], "action_hint": "implement", "object_hint": "Sicherer Entwicklungs-Lebenszyklus", "object_class": "process" }, { "subcontrol_id": "V1.2", "title": "Authentication Architecture", "statement": "Die Authentifizierungsarchitektur muss dokumentiert und regelmaessig ueberprueft werden.", "keywords": ["authentication", "authentifizierung", "architektur"], "action_hint": "document", "object_hint": "Authentifizierungsarchitektur", "object_class": "policy" }, { "subcontrol_id": "V1.4", "title": "Access Control Architecture", "statement": "Die Zugriffskontrollarchitektur muss dokumentiert und zentral durchgesetzt werden.", "keywords": ["access control", "zugriffskontrolle", "architektur"], "action_hint": "document", "object_hint": "Zugriffskontrollarchitektur", "object_class": "policy" }, { "subcontrol_id": "V1.5", "title": "Input and Output Architecture", "statement": "Eingabe- und Ausgabevalidierung muss architektonisch verankert und durchgaengig angewendet werden.", "keywords": ["input", "output", "eingabe", "ausgabe", "validierung"], "action_hint": "implement", "object_hint": "Ein-/Ausgabevalidierung", "object_class": "technical_control" }, { "subcontrol_id": "V1.6", "title": "Cryptographic Architecture", "statement": "Kryptographische Mechanismen muessen architektonisch definiert und standardisiert sein.", "keywords": ["crypto", "kryptographie", "verschluesselung"], "action_hint": "define", "object_hint": "Kryptographie-Architektur", "object_class": "cryptographic_control" } ] }, { "domain_id": "V2", "title": "Authentication", "aliases": ["authentication", "authentifizierung", "anmeldung", "login"], "keywords": ["authentication", "authentifizierung", "passwort", "login", "anmeldung", "credential"], "subcontrols": [ { "subcontrol_id": "V2.1", "title": "Password Security", "statement": "Passwortrichtlinien muessen Mindestlaenge, Komplexitaet und Sperrmechanismen definieren.", "keywords": ["passwort", "password", "laenge", "komplexitaet"], "action_hint": "define", "object_hint": "Passwortrichtlinie", "object_class": "policy" }, { "subcontrol_id": "V2.2", "title": "General Authenticator Security", "statement": "Authentifizierungsmittel muessen sicher gespeichert und uebertragen werden.", "keywords": ["authenticator", "credential", "speicherung"], "action_hint": "implement", "object_hint": "Sichere Credential-Verwaltung", "object_class": "technical_control" }, { "subcontrol_id": "V2.7", "title": "Out-of-Band Verification", "statement": "Out-of-Band-Verifikationsmechanismen muessen sicher implementiert werden.", "keywords": ["oob", "out-of-band", "sms", "push"], "action_hint": "implement", "object_hint": "Out-of-Band-Verifikation", "object_class": "technical_control" }, { "subcontrol_id": "V2.8", "title": "Multi-Factor Authentication", "statement": "Multi-Faktor-Authentifizierung muss fuer sicherheitskritische Funktionen verfuegbar sein.", "keywords": ["mfa", "multi-faktor", "totp", "fido"], "action_hint": "implement", "object_hint": "Multi-Faktor-Authentifizierung", "object_class": "technical_control" } ] }, { "domain_id": "V3", "title": "Session Management", "aliases": ["session", "sitzung", "session management", "sitzungsverwaltung"], "keywords": ["session", "sitzung", "token", "cookie", "timeout"], "subcontrols": [ { "subcontrol_id": "V3.1", "title": "Session Management Security", "statement": "Sitzungstoken muessen sicher erzeugt, uebertragen und invalidiert werden.", "keywords": ["token", "sitzung", "sicherheit"], "action_hint": "implement", "object_hint": "Sichere Sitzungsverwaltung", "object_class": "technical_control" }, { "subcontrol_id": "V3.3", "title": "Session Termination", "statement": "Sitzungen muessen nach Inaktivitaet und bei Abmeldung zuverlaessig beendet werden.", "keywords": ["termination", "timeout", "abmeldung", "beenden"], "action_hint": "configure", "object_hint": "Sitzungstimeout", "object_class": "configuration" }, { "subcontrol_id": "V3.5", "title": "Token-Based Session Management", "statement": "Tokenbasierte Sitzungsmechanismen muessen gegen Diebstahl und Replay geschuetzt sein.", "keywords": ["jwt", "token", "replay", "diebstahl"], "action_hint": "implement", "object_hint": "Token-Schutz", "object_class": "technical_control" } ] }, { "domain_id": "V5", "title": "Validation, Sanitization and Encoding", "aliases": ["validation", "validierung", "sanitization", "encoding", "eingabevalidierung"], "keywords": ["validierung", "sanitization", "encoding", "xss", "injection", "eingabe"], "subcontrols": [ { "subcontrol_id": "V5.1", "title": "Input Validation", "statement": "Alle Eingabedaten muessen serverseitig validiert werden.", "keywords": ["input", "eingabe", "validierung", "serverseitig"], "action_hint": "implement", "object_hint": "Eingabevalidierung", "object_class": "technical_control" }, { "subcontrol_id": "V5.2", "title": "Sanitization and Sandboxing", "statement": "Eingaben muessen bereinigt und in sicherer Umgebung verarbeitet werden.", "keywords": ["sanitization", "bereinigung", "sandbox"], "action_hint": "implement", "object_hint": "Eingabebereinigung", "object_class": "technical_control" }, { "subcontrol_id": "V5.3", "title": "Output Encoding and Injection Prevention", "statement": "Ausgaben muessen kontextabhaengig kodiert werden, um Injection-Angriffe zu verhindern.", "keywords": ["output", "encoding", "injection", "xss", "sql"], "action_hint": "implement", "object_hint": "Ausgabe-Encoding", "object_class": "technical_control" } ] }, { "domain_id": "V6", "title": "Stored Cryptography", "aliases": ["cryptography", "kryptographie", "verschluesselung", "stored cryptography"], "keywords": ["kryptographie", "verschluesselung", "hashing", "schluessel", "key management"], "subcontrols": [ { "subcontrol_id": "V6.1", "title": "Data Classification", "statement": "Daten muessen klassifiziert und entsprechend ihrer Schutzklasse behandelt werden.", "keywords": ["klassifizierung", "classification", "schutzklasse"], "action_hint": "define", "object_hint": "Datenklassifizierung", "object_class": "data" }, { "subcontrol_id": "V6.2", "title": "Algorithms", "statement": "Nur zugelassene und aktuelle kryptographische Algorithmen duerfen verwendet werden.", "keywords": ["algorithmus", "algorithm", "aes", "rsa"], "action_hint": "configure", "object_hint": "Kryptographische Algorithmen", "object_class": "cryptographic_control" }, { "subcontrol_id": "V6.4", "title": "Secret Management", "statement": "Geheimnisse (Schluessel, Passwoerter, Tokens) muessen in einem Secret-Management-System verwaltet werden.", "keywords": ["secret", "geheimnis", "vault", "key management"], "action_hint": "maintain", "object_hint": "Secret-Management", "object_class": "cryptographic_control" } ] }, { "domain_id": "V8", "title": "Data Protection", "aliases": ["data protection", "datenschutz", "datenverarbeitung"], "keywords": ["datenschutz", "data protection", "pii", "personenbezogen", "privacy"], "subcontrols": [ { "subcontrol_id": "V8.1", "title": "General Data Protection", "statement": "Personenbezogene Daten muessen gemaess Datenschutzanforderungen geschuetzt werden.", "keywords": ["personenbezogen", "pii", "datenschutz"], "action_hint": "implement", "object_hint": "Datenschutzmassnahmen", "object_class": "data" }, { "subcontrol_id": "V8.2", "title": "Client-Side Data Protection", "statement": "Clientseitig gespeicherte sensible Daten muessen geschuetzt und minimiert werden.", "keywords": ["client", "browser", "localstorage", "cookie"], "action_hint": "implement", "object_hint": "Clientseitiger Datenschutz", "object_class": "technical_control" }, { "subcontrol_id": "V8.3", "title": "Sensitive Private Data", "statement": "Sensible Daten muessen bei Speicherung und Verarbeitung besonders geschuetzt werden.", "keywords": ["sensibel", "vertraulich", "speicherung"], "action_hint": "encrypt", "object_hint": "Verschluesselung sensibler Daten", "object_class": "data" } ] }, { "domain_id": "V9", "title": "Communication", "aliases": ["communication", "kommunikation", "tls", "transport"], "keywords": ["tls", "ssl", "https", "transport", "kommunikation", "verschluesselung"], "subcontrols": [ { "subcontrol_id": "V9.1", "title": "Client Communication Security", "statement": "Alle Client-Server-Kommunikation muss ueber TLS verschluesselt werden.", "keywords": ["tls", "https", "client", "server"], "action_hint": "encrypt", "object_hint": "TLS-Transportverschluesselung", "object_class": "cryptographic_control" }, { "subcontrol_id": "V9.2", "title": "Server Communication Security", "statement": "Server-zu-Server-Kommunikation muss authentifiziert und verschluesselt erfolgen.", "keywords": ["server", "mtls", "backend"], "action_hint": "encrypt", "object_hint": "Server-Kommunikationsverschluesselung", "object_class": "cryptographic_control" } ] }, { "domain_id": "V13", "title": "API and Web Service", "aliases": ["api", "web service", "rest", "graphql", "webservice"], "keywords": ["api", "rest", "graphql", "webservice", "endpoint", "schnittstelle"], "subcontrols": [ { "subcontrol_id": "V13.1", "title": "Generic Web Service Security", "statement": "Web-Services muessen gegen gaengige Angriffe abgesichert werden.", "keywords": ["web service", "sicherheit", "angriff"], "action_hint": "implement", "object_hint": "Web-Service-Absicherung", "object_class": "interface" }, { "subcontrol_id": "V13.2", "title": "RESTful Web Service", "statement": "REST-APIs muessen Input-Validierung, Rate Limiting und sichere Authentifizierung implementieren.", "keywords": ["rest", "api", "rate limiting", "input"], "action_hint": "implement", "object_hint": "REST-API-Absicherung", "object_class": "interface" }, { "subcontrol_id": "V13.4", "title": "GraphQL and Web Services", "statement": "GraphQL-Endpoints muessen gegen Query-Complexity-Angriffe und Introspection geschuetzt werden.", "keywords": ["graphql", "query", "complexity", "introspection"], "action_hint": "configure", "object_hint": "GraphQL-Absicherung", "object_class": "interface" } ] }, { "domain_id": "V14", "title": "Configuration", "aliases": ["configuration", "konfiguration", "hardening", "haertung"], "keywords": ["konfiguration", "hardening", "haertung", "header", "deployment"], "subcontrols": [ { "subcontrol_id": "V14.1", "title": "Build and Deploy", "statement": "Build- und Deployment-Prozesse muessen sicher konfiguriert und reproduzierbar sein.", "keywords": ["build", "deploy", "ci/cd", "pipeline"], "action_hint": "configure", "object_hint": "Sichere Build-Pipeline", "object_class": "configuration" }, { "subcontrol_id": "V14.2", "title": "Dependency Management", "statement": "Abhaengigkeiten muessen auf Schwachstellen geprueft und aktuell gehalten werden.", "keywords": ["dependency", "abhaengigkeit", "sca", "sbom"], "action_hint": "maintain", "object_hint": "Abhaengigkeitsverwaltung", "object_class": "system" }, { "subcontrol_id": "V14.3", "title": "Unintended Security Disclosure", "statement": "Fehlermeldungen und Debug-Informationen duerfen keine sicherheitsrelevanten Details preisgeben.", "keywords": ["disclosure", "fehlermeldung", "debug", "information leakage"], "action_hint": "configure", "object_hint": "Fehlerbehandlung", "object_class": "configuration" }, { "subcontrol_id": "V14.4", "title": "HTTP Security Headers", "statement": "HTTP-Sicherheitsheader muessen korrekt konfiguriert sein.", "keywords": ["header", "csp", "hsts", "x-frame"], "action_hint": "configure", "object_hint": "HTTP-Sicherheitsheader", "object_class": "configuration" } ] } ] }