ASVS
Application Security Verification Standard
[V1 Architecture, Design and Threat Modeling V11 Secure Software Development Lifecycle Requirement 1.1.8](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x10-V1-Architecture.md#v11-secure-software-development-lifecycle) states "_[ADDED] Verify availability of a publicly available security.txt file at the root or .well-known directory of...
This Pull Request relates to issue #906
This Pull Request relates to issue #1331
> 5.2.6 Verify that the application protects against SSRF attacks, by validating or sanitizing untrusted data or HTTP file metadata, such as filenames and URL input fields, and uses allow...
Problem: there is no requirement which says that API responses must be in JSON or XML format. If they are not, and those return some content of a file, for example,...
Initial discussion on requirement 3.4.5 in issue #978. But I would solve it a bit differently, and it deserves a separate issue, as it is quite a big change. Problems...
[2.10.1](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v210-service-authentication): > Verify that intra-service secrets do not rely on unchanging credentials such as passwords, API keys or shared accounts with privileged access. What does this mean? How should you...
2.4.4 recommends bcrypt work factor 10 (that's ok) but does not mention the 72-byte limit
2.3.3
2.3.3 is not clear in terms of what we need to review for it. Please add more clarity to this requirement!