OWASP Application Security Verification Standard 3.0.1 Chinese Translation


On a whim, I decided to translate the ASVS, both to deepen my own understanding and to make it easier to look things up later.

ASVS 3.0.1 has 19 categories of check items in total. For now I am only translating the check items themselves, i.e. the contents of the tables, and updating them out of order.

Collected on GitBook: https://www.gitbook.com/book/m4skm0b/owasp_asvs_zh-cn/details

PS: Markdown solves every formatting-OCD problem!

V1: Architecture, design and threat modelling (Security architecture)

Control objective:

Ensure that a verified application satisfies the following high level requirements: (Translation: Confirm that a verified application satisfies the following level requirements:)

• At level 1, components of the application are identified and have a reason for being in the app. (Translation: At level one, the application's components are identified and have a reason to exist.)
• At level 2, the architecture has been defined and the code adheres to the architecture. (Translation: At level two, the architecture has been defined and the code follows the architecture's rules.)
• At level 3, the architecture and design is in place, in use, and effective. (Translation: At level three, the architecture and design are complete and are in effective use.)

Requirements:

| # | Description | Translation | 1 | 2 | 3 | Since |
|---|---|---|---|---|---|---|
| 1.1 | Verify that all application components are identified and are known to be needed. | Verify that all application components are known and necessary. | ✓ | ✓ | ✓ | 1.0 |
| 1.2 | Verify that all components, such as libraries, modules, and external systems, that are not part of the application but that the application relies on to operate are identified. | Verify that all components that are not part of the application but that the application relies on, such as libraries, modules and external systems, have been identified. |   | ✓ | ✓ | 1.0 |
| 1.3 | Verify that a high-level architecture for the application has been defined. | Verify that the high-level architecture of the application has been clearly defined. |   | ✓ | ✓ | 1.0 |
| 1.4 | Verify that all application components are defined in terms of the business functions and/or security functions they provide. | Verify that all application components fulfil their business functions and security functions. |   |   | ✓ | 1.0 |
| 1.5 | Verify that all components that are not part of the application but that the application relies on to operate are defined in terms of the functions, and/or security functions, they provide. | Verify that all components that are not part of the application but that the application relies on fulfil their business functions and security functions. |   |   | ✓ | 1.0 |
| 1.6 | Verify that a threat model for the target application has been produced and covers off risks associated with Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege (STRIDE). | Verify that a threat model has been established for the target application and that a risk review of the application has been carried out against a threat model such as STRIDE. |   |   | ✓ | 1.0 |
| 1.7 | Verify all security controls (including libraries that call external security services) have a centralized implementation. | Verify that all security mechanisms (including libraries that call external security services) have been implemented in a unified way. |   | ✓ | ✓ | 3.0 |
| 1.8 | Verify that components are segregated from each other via a defined security control, such as network segmentation, firewall rules, or cloud based security groups. | Verify that components are isolated from each other through security mechanisms, such as network separation, firewall rules or cloud-based security groups. |   | ✓ | ✓ | 3.0 |
| 1.9 | Verify the application has a clear separation between the data layer, controller layer and the display layer, such that security decisions can be enforced on trusted systems. | Verify that the application has a clear separation between the data layer, control layer and presentation layer, so that security decisions can be enforced on trusted systems. |   | ✓ | ✓ | 3.0 |
| 1.10 | Verify that there is no sensitive business logic, secret keys or other proprietary information in client side code. | Verify that the client-side code does not expose sensitive business logic, secret keys or other privilege-related information. |   | ✓ | ✓ | 3.0 |
| 1.11 | Verify that all application components, libraries, modules, frameworks, platform, and operating systems are free from known vulnerabilities. | Verify that all application components, libraries, modules, frameworks, platforms and operating systems have no known vulnerabilities. |   | ✓ | ✓ | 3.0.1 |

2 comments

  • Alice
    2017-12-14

    Your translation is great, looking forward to the updates!

    • BT
      2017-12-17

      Thanks. 3.1 is out now, so I am going straight to translating 3.1.
