breakpilot-compliance/backend-compliance/compliance/data/frameworks/owasp_asvs.json
Benjamin Admin 48ca0a6bef feat: Framework Decomposition Engine + Composite Detection for Pass 0b
Adds a routing layer between Pass 0a and Pass 0b that classifies obligations
into atomic/compound/framework_container. Framework-container obligations
(e.g. "CCM-Praktiken fuer AIS") are decomposed into concrete sub-obligations
via an internal framework registry before Pass 0b composition.

- New: framework_decomposition.py with routing, matching, decomposition
- New: Framework registry (NIST SP 800-53, OWASP ASVS, CSA CCM) as JSON
- New: Composite detection flags on atomic controls (is_composite, atomicity)
- New: gen_meta fields: framework_ref, framework_domain, decomposition_source
- Integration: _route_and_compose() in run_pass0b() deterministic path
- 248 tests (198 decomposition + 50 framework), all passing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-23 12:11:55 +01:00


{
"framework_id": "OWASP_ASVS",
"display_name": "OWASP Application Security Verification Standard 4.0",
"license": {
"type": "cc_by_sa_4",
"rag_allowed": true,
"use_as_metadata": true
},
"domains": [
{
"domain_id": "V1",
"title": "Architecture, Design and Threat Modeling",
"aliases": ["architecture", "architektur", "design", "threat modeling", "bedrohungsmodellierung"],
"keywords": ["architektur", "design", "threat model", "bedrohung", "modellierung"],
"subcontrols": [
{
"subcontrol_id": "V1.1",
"title": "Secure Software Development Lifecycle",
"statement": "Ein sicherer Softwareentwicklungs-Lebenszyklus (SSDLC) muss definiert und angewendet werden.",
"keywords": ["sdlc", "lifecycle", "lebenszyklus", "entwicklung"],
"action_hint": "implement",
"object_hint": "Sicherer Entwicklungs-Lebenszyklus",
"object_class": "process"
},
{
"subcontrol_id": "V1.2",
"title": "Authentication Architecture",
"statement": "Die Authentifizierungsarchitektur muss dokumentiert und regelmaessig ueberprueft werden.",
"keywords": ["authentication", "authentifizierung", "architektur"],
"action_hint": "document",
"object_hint": "Authentifizierungsarchitektur",
"object_class": "policy"
},
{
"subcontrol_id": "V1.4",
"title": "Access Control Architecture",
"statement": "Die Zugriffskontrollarchitektur muss dokumentiert und zentral durchgesetzt werden.",
"keywords": ["access control", "zugriffskontrolle", "architektur"],
"action_hint": "document",
"object_hint": "Zugriffskontrollarchitektur",
"object_class": "policy"
},
{
"subcontrol_id": "V1.5",
"title": "Input and Output Architecture",
"statement": "Eingabe- und Ausgabevalidierung muss architektonisch verankert und durchgaengig angewendet werden.",
"keywords": ["input", "output", "eingabe", "ausgabe", "validierung"],
"action_hint": "implement",
"object_hint": "Ein-/Ausgabevalidierung",
"object_class": "technical_control"
},
{
"subcontrol_id": "V1.6",
"title": "Cryptographic Architecture",
"statement": "Kryptographische Mechanismen muessen architektonisch definiert und standardisiert sein.",
"keywords": ["crypto", "kryptographie", "verschluesselung"],
"action_hint": "define",
"object_hint": "Kryptographie-Architektur",
"object_class": "cryptographic_control"
}
]
},
{
"domain_id": "V2",
"title": "Authentication",
"aliases": ["authentication", "authentifizierung", "anmeldung", "login"],
"keywords": ["authentication", "authentifizierung", "passwort", "login", "anmeldung", "credential"],
"subcontrols": [
{
"subcontrol_id": "V2.1",
"title": "Password Security",
"statement": "Passwortrichtlinien muessen eine Mindestlaenge von 12 Zeichen (mit mindestens 64 Zeichen zulaessiger Laenge) und den Abgleich gegen bekannt kompromittierte Passwoerter definieren; Komplexitaetsregeln und erzwungene periodische Aenderungen sind gemaess ASVS V2.1 nicht vorzuschreiben.",
"keywords": ["passwort", "password", "laenge", "komplexitaet"],
"action_hint": "define",
"object_hint": "Passwortrichtlinie",
"object_class": "policy"
},
{
"subcontrol_id": "V2.2",
"title": "General Authenticator Security",
"statement": "Authentifizierungsmechanismen muessen gegen automatisierte Angriffe (Brute Force, Credential Stuffing) durch Rate Limiting oder Sperrmechanismen geschuetzt sein; Authentifizierungsmittel muessen sicher gespeichert und uebertragen werden.",
"keywords": ["authenticator", "credential", "speicherung"],
"action_hint": "implement",
"object_hint": "Sichere Credential-Verwaltung",
"object_class": "technical_control"
},
{
"subcontrol_id": "V2.7",
"title": "Out-of-Band Verification",
"statement": "Out-of-Band-Verifikationsmechanismen muessen sicher implementiert werden.",
"keywords": ["oob", "out-of-band", "sms", "push"],
"action_hint": "implement",
"object_hint": "Out-of-Band-Verifikation",
"object_class": "technical_control"
},
{
"subcontrol_id": "V2.8",
"title": "Multi-Factor Authentication",
"statement": "Multi-Faktor-Authentifizierung muss fuer sicherheitskritische Funktionen verfuegbar sein.",
"keywords": ["mfa", "multi-faktor", "totp", "fido"],
"action_hint": "implement",
"object_hint": "Multi-Faktor-Authentifizierung",
"object_class": "technical_control"
}
]
},
{
"domain_id": "V3",
"title": "Session Management",
"aliases": ["session", "sitzung", "session management", "sitzungsverwaltung"],
"keywords": ["session", "sitzung", "token", "cookie", "timeout"],
"subcontrols": [
{
"subcontrol_id": "V3.1",
"title": "Session Management Security",
"statement": "Sitzungstoken muessen sicher erzeugt, uebertragen und invalidiert werden.",
"keywords": ["token", "sitzung", "sicherheit"],
"action_hint": "implement",
"object_hint": "Sichere Sitzungsverwaltung",
"object_class": "technical_control"
},
{
"subcontrol_id": "V3.3",
"title": "Session Termination",
"statement": "Sitzungen muessen nach Inaktivitaet und bei Abmeldung zuverlaessig beendet werden.",
"keywords": ["termination", "timeout", "abmeldung", "beenden"],
"action_hint": "configure",
"object_hint": "Sitzungstimeout",
"object_class": "configuration"
},
{
"subcontrol_id": "V3.5",
"title": "Token-Based Session Management",
"statement": "Tokenbasierte Sitzungsmechanismen muessen gegen Diebstahl und Replay geschuetzt sein.",
"keywords": ["jwt", "token", "replay", "diebstahl"],
"action_hint": "implement",
"object_hint": "Token-Schutz",
"object_class": "technical_control"
}
]
},
{
"domain_id": "V5",
"title": "Validation, Sanitization and Encoding",
"aliases": ["validation", "validierung", "sanitization", "encoding", "eingabevalidierung"],
"keywords": ["validierung", "sanitization", "encoding", "xss", "injection", "eingabe"],
"subcontrols": [
{
"subcontrol_id": "V5.1",
"title": "Input Validation",
"statement": "Alle Eingabedaten muessen serverseitig validiert werden.",
"keywords": ["input", "eingabe", "validierung", "serverseitig"],
"action_hint": "implement",
"object_hint": "Eingabevalidierung",
"object_class": "technical_control"
},
{
"subcontrol_id": "V5.2",
"title": "Sanitization and Sandboxing",
"statement": "Eingaben muessen bereinigt und in sicherer Umgebung verarbeitet werden.",
"keywords": ["sanitization", "bereinigung", "sandbox"],
"action_hint": "implement",
"object_hint": "Eingabebereinigung",
"object_class": "technical_control"
},
{
"subcontrol_id": "V5.3",
"title": "Output Encoding and Injection Prevention",
"statement": "Ausgaben muessen kontextabhaengig kodiert werden, um Injection-Angriffe zu verhindern.",
"keywords": ["output", "encoding", "injection", "xss", "sql"],
"action_hint": "implement",
"object_hint": "Ausgabe-Encoding",
"object_class": "technical_control"
}
]
},
{
"domain_id": "V6",
"title": "Stored Cryptography",
"aliases": ["cryptography", "kryptographie", "verschluesselung", "stored cryptography"],
"keywords": ["kryptographie", "verschluesselung", "hashing", "schluessel", "key management"],
"subcontrols": [
{
"subcontrol_id": "V6.1",
"title": "Data Classification",
"statement": "Daten muessen klassifiziert und entsprechend ihrer Schutzklasse behandelt werden.",
"keywords": ["klassifizierung", "classification", "schutzklasse"],
"action_hint": "define",
"object_hint": "Datenklassifizierung",
"object_class": "data"
},
{
"subcontrol_id": "V6.2",
"title": "Algorithms",
"statement": "Nur zugelassene und aktuelle kryptographische Algorithmen duerfen verwendet werden.",
"keywords": ["algorithmus", "algorithm", "aes", "rsa"],
"action_hint": "configure",
"object_hint": "Kryptographische Algorithmen",
"object_class": "cryptographic_control"
},
{
"subcontrol_id": "V6.4",
"title": "Secret Management",
"statement": "Geheimnisse (Schluessel, Passwoerter, Tokens) muessen in einem Secret-Management-System verwaltet werden.",
"keywords": ["secret", "geheimnis", "vault", "key management"],
"action_hint": "maintain",
"object_hint": "Secret-Management",
"object_class": "cryptographic_control"
}
]
},
{
"domain_id": "V8",
"title": "Data Protection",
"aliases": ["data protection", "datenschutz", "datenverarbeitung"],
"keywords": ["datenschutz", "data protection", "pii", "personenbezogen", "privacy"],
"subcontrols": [
{
"subcontrol_id": "V8.1",
"title": "General Data Protection",
"statement": "Personenbezogene Daten muessen gemaess Datenschutzanforderungen geschuetzt werden.",
"keywords": ["personenbezogen", "pii", "datenschutz"],
"action_hint": "implement",
"object_hint": "Datenschutzmassnahmen",
"object_class": "data"
},
{
"subcontrol_id": "V8.2",
"title": "Client-Side Data Protection",
"statement": "Clientseitig gespeicherte sensible Daten muessen geschuetzt und minimiert werden.",
"keywords": ["client", "browser", "localstorage", "cookie"],
"action_hint": "implement",
"object_hint": "Clientseitiger Datenschutz",
"object_class": "technical_control"
},
{
"subcontrol_id": "V8.3",
"title": "Sensitive Private Data",
"statement": "Sensible Daten muessen bei Speicherung und Verarbeitung besonders geschuetzt werden.",
"keywords": ["sensibel", "vertraulich", "speicherung"],
"action_hint": "encrypt",
"object_hint": "Verschluesselung sensibler Daten",
"object_class": "data"
}
]
},
{
"domain_id": "V9",
"title": "Communication",
"aliases": ["communication", "kommunikation", "tls", "transport"],
"keywords": ["tls", "ssl", "https", "transport", "kommunikation", "verschluesselung"],
"subcontrols": [
{
"subcontrol_id": "V9.1",
"title": "Client Communication Security",
"statement": "Alle Client-Server-Kommunikation muss ueber TLS mit aktuellen Protokollversionen und sicheren Cipher Suites verschluesselt werden.",
"keywords": ["tls", "https", "client", "server"],
"action_hint": "encrypt",
"object_hint": "TLS-Transportverschluesselung",
"object_class": "cryptographic_control"
},
{
"subcontrol_id": "V9.2",
"title": "Server Communication Security",
"statement": "Server-zu-Server-Kommunikation muss authentifiziert und verschluesselt erfolgen.",
"keywords": ["server", "mtls", "backend"],
"action_hint": "encrypt",
"object_hint": "Server-Kommunikationsverschluesselung",
"object_class": "cryptographic_control"
}
]
},
{
"domain_id": "V13",
"title": "API and Web Service",
"aliases": ["api", "web service", "rest", "graphql", "webservice"],
"keywords": ["api", "rest", "graphql", "webservice", "endpoint", "schnittstelle"],
"subcontrols": [
{
"subcontrol_id": "V13.1",
"title": "Generic Web Service Security",
"statement": "Web-Services muessen gegen gaengige Angriffe abgesichert werden.",
"keywords": ["web service", "sicherheit", "angriff"],
"action_hint": "implement",
"object_hint": "Web-Service-Absicherung",
"object_class": "interface"
},
{
"subcontrol_id": "V13.2",
"title": "RESTful Web Service",
"statement": "REST-APIs muessen Input-Validierung, Rate Limiting und sichere Authentifizierung implementieren.",
"keywords": ["rest", "api", "rate limiting", "input"],
"action_hint": "implement",
"object_hint": "REST-API-Absicherung",
"object_class": "interface"
},
{
"subcontrol_id": "V13.4",
"title": "GraphQL and Web Services",
"statement": "GraphQL-Endpoints muessen gegen Query-Complexity-Angriffe und Introspection geschuetzt werden.",
"keywords": ["graphql", "query", "complexity", "introspection"],
"action_hint": "configure",
"object_hint": "GraphQL-Absicherung",
"object_class": "interface"
}
]
},
{
"domain_id": "V14",
"title": "Configuration",
"aliases": ["configuration", "konfiguration", "hardening", "haertung"],
"keywords": ["konfiguration", "hardening", "haertung", "header", "deployment"],
"subcontrols": [
{
"subcontrol_id": "V14.1",
"title": "Build and Deploy",
"statement": "Build- und Deployment-Prozesse muessen sicher konfiguriert und reproduzierbar sein.",
"keywords": ["build", "deploy", "ci/cd", "pipeline"],
"action_hint": "configure",
"object_hint": "Sichere Build-Pipeline",
"object_class": "configuration"
},
{
"subcontrol_id": "V14.2",
"title": "Dependency Management",
"statement": "Abhaengigkeiten muessen auf Schwachstellen geprueft und aktuell gehalten werden.",
"keywords": ["dependency", "abhaengigkeit", "sca", "sbom"],
"action_hint": "maintain",
"object_hint": "Abhaengigkeitsverwaltung",
"object_class": "system"
},
{
"subcontrol_id": "V14.3",
"title": "Unintended Security Disclosure",
"statement": "Fehlermeldungen und Debug-Informationen duerfen keine sicherheitsrelevanten Details preisgeben.",
"keywords": ["disclosure", "fehlermeldung", "debug", "information leakage"],
"action_hint": "configure",
"object_hint": "Fehlerbehandlung",
"object_class": "configuration"
},
{
"subcontrol_id": "V14.4",
"title": "HTTP Security Headers",
"statement": "HTTP-Sicherheitsheader muessen korrekt konfiguriert sein.",
"keywords": ["header", "csp", "hsts", "x-frame"],
"action_hint": "configure",
"object_hint": "HTTP-Sicherheitsheader",
"object_class": "configuration"
}
]
}
]
}