ASVS 5.0 Requirements
V1 Encoding and Sanitization
| Requirement | Level | Section | Description |
|---|---|---|---|
| 1.1.1 | 2 | V1.1 Encoding and Sanitization Architecture | Verify that input is decoded or unescaped into a canonical form only once, it is only decoded whe... |
| 1.1.2 | 2 | V1.1 Encoding and Sanitization Architecture | Verify that the application performs output encoding and escaping either as a final step before b... |
| 1.2.1 | 1 | V1.2 Injection Prevention | Verify that output encoding for an HTTP response, HTML document, or XML document is relevant for ... |
| 1.2.2 | 1 | V1.2 Injection Prevention | Verify that when dynamically building URLs, untrusted data is encoded according to its context (e... |
| 1.2.3 | 1 | V1.2 Injection Prevention | Verify that output encoding or escaping is used when dynamically building JavaScript content (inc... |
| 1.2.4 | 1 | V1.2 Injection Prevention | Verify that data selection or database queries (e.g., SQL, HQL, NoSQL, Cypher) use parameterized ... |
| 1.2.5 | 1 | V1.2 Injection Prevention | Verify that the application protects against OS command injection and that operating system calls... |
| 1.2.6 | 2 | V1.2 Injection Prevention | Verify that the application protects against LDAP injection vulnerabilities, or that specific sec... |
| 1.2.7 | 2 | V1.2 Injection Prevention | Verify that the application is protected against XPath injection attacks by using query parameter... |
| 1.2.8 | 2 | V1.2 Injection Prevention | Verify that LaTeX processors are configured securely (such as not using the "--shell-escape" flag... |
| 1.2.9 | 2 | V1.2 Injection Prevention | Verify that the application escapes special characters in regular expressions (typically using a ... |
| 1.2.10 | 3 | V1.2 Injection Prevention | Verify that the application is protected against CSV and Formula Injection. The application must ... |
| 1.3.1 | 1 | V1.3 Sanitization | Verify that all untrusted HTML input from WYSIWYG editors or similar is sanitized using a well-kn... |
| 1.3.2 | 1 | V1.3 Sanitization | Verify that the application avoids the use of eval() or other dynamic code execution features suc... |
| 1.3.3 | 2 | V1.3 Sanitization | Verify that data being passed to a potentially dangerous context is sanitized beforehand to enfor... |
| 1.3.4 | 2 | V1.3 Sanitization | Verify that user-supplied Scalable Vector Graphics (SVG) scriptable content is validated or sanit... |
| 1.3.5 | 2 | V1.3 Sanitization | Verify that the application sanitizes or disables user-supplied scriptable or expression template... |
| 1.3.6 | 2 | V1.3 Sanitization | Verify that the application protects against Server-side Request Forgery (SSRF) attacks, by valid... |
| 1.3.7 | 2 | V1.3 Sanitization | Verify that the application protects against template injection attacks by not allowing templates... |
| 1.3.8 | 2 | V1.3 Sanitization | Verify that the application appropriately sanitizes untrusted input before use in Java Naming and... |
| 1.3.9 | 2 | V1.3 Sanitization | Verify that the application sanitizes content before it is sent to memcache to prevent injection ... |
| 1.3.10 | 2 | V1.3 Sanitization | Verify that format strings which might resolve in an unexpected or malicious way when used are sa... |
| 1.3.11 | 2 | V1.3 Sanitization | Verify that the application sanitizes user input before passing to mail systems to protect agains... |
| 1.3.12 | 3 | V1.3 Sanitization | Verify that regular expressions are free from elements causing exponential backtracking, and ensu... |
| 1.4.1 | 2 | V1.4 Memory, String, and Unmanaged Code | Verify that the application uses memory-safe string, safer memory copy and pointer arithmetic to ... |
| 1.4.2 | 2 | V1.4 Memory, String, and Unmanaged Code | Verify that sign, range, and input validation techniques are used to prevent integer overflows. |
| 1.4.3 | 2 | V1.4 Memory, String, and Unmanaged Code | Verify that dynamically allocated memory and resources are released, and that references or point... |
| 1.5.1 | 1 | V1.5 Safe Deserialization | Verify that the application configures XML parsers to use a restrictive configuration and that un... |
| 1.5.2 | 2 | V1.5 Safe Deserialization | Verify that deserialization of untrusted data enforces safe input handling, such as using an allo... |
| 1.5.3 | 3 | V1.5 Safe Deserialization | Verify that different parsers used in the application for the same data type (e.g., JSON parsers,... |
V2 Validation and Business Logic
| Requirement | Level | Section | Description |
|---|---|---|---|
| 2.1.1 | 1 | V2.1 Validation and Business Logic Documentation | Verify that the application's documentation defines input validation rules for how to check the v... |
| 2.1.2 | 2 | V2.1 Validation and Business Logic Documentation | Verify that the application's documentation defines how to validate the logical and contextual co... |
| 2.1.3 | 2 | V2.1 Validation and Business Logic Documentation | Verify that expectations for business logic limits and validations are documented, including both... |
| 2.2.1 | 1 | V2.2 Input Validation | Verify that input is validated to enforce business or functional expectations for that input. Thi... |
| 2.2.2 | 1 | V2.2 Input Validation | Verify that the application is designed to enforce input validation at a trusted service layer. W... |
| 2.2.3 | 2 | V2.2 Input Validation | Verify that the application ensures that combinations of related data items are reasonable accord... |
| 2.3.1 | 1 | V2.3 Business Logic Security | Verify that the application will only process business logic flows for the same user in the expec... |
| 2.3.2 | 2 | V2.3 Business Logic Security | Verify that business logic limits are implemented per the application's documentation to avoid bu... |
| 2.3.3 | 2 | V2.3 Business Logic Security | Verify that transactions are being used at the business logic level such that either a business l... |
| 2.3.4 | 2 | V2.3 Business Logic Security | Verify that business logic level locking mechanisms are used to ensure that limited quantity reso... |
| 2.3.5 | 3 | V2.3 Business Logic Security | Verify that high-value business logic flows require multi-user approval to prevent unauthorized o... |
| 2.4.1 | 2 | V2.4 Anti-automation | Verify that anti-automation controls are in place to protect against excessive calls to applicati... |
| 2.4.2 | 3 | V2.4 Anti-automation | Verify that business logic flows require realistic human timing, preventing excessively rapid tra... |
V3 Web Frontend Security
| Requirement | Level | Section | Description |
|---|---|---|---|
| 3.1.1 | 3 | V3.1 Web Frontend Security Documentation | Verify that application documentation states the expected security features that browsers using t... |
| 3.2.1 | 1 | V3.2 Unintended Content Interpretation | Verify that security controls are in place to prevent browsers from rendering content or function... |
| 3.2.2 | 1 | V3.2 Unintended Content Interpretation | Verify that content intended to be displayed as text, rather than rendered as HTML, is handled us... |
| 3.2.3 | 3 | V3.2 Unintended Content Interpretation | Verify that the application avoids DOM clobbering when using client-side JavaScript by employing ... |
| 3.3.1 | 1 | V3.3 Cookie Setup | Verify that cookies have the 'Secure' attribute set, and if the '__Host-' prefix is not used for... |
| 3.3.2 | 2 | V3.3 Cookie Setup | Verify that each cookie's 'SameSite' attribute value is set according to the purpose of the cooki... |
| 3.3.3 | 2 | V3.3 Cookie Setup | Verify that cookies have the '__Host-' prefix for the cookie name unless they are explicitly desi... |
| 3.3.4 | 2 | V3.3 Cookie Setup | Verify that if the value of a cookie is not meant to be accessible to client-side scripts (such a... |
| 3.3.5 | 3 | V3.3 Cookie Setup | Verify that when the application writes a cookie, the cookie name and value length combined are n... |
| 3.4.1 | 1 | V3.4 Browser Security Mechanism Headers | Verify that a Strict-Transport-Security header field is included on all responses to enforce an H... |
| 3.4.2 | 1 | V3.4 Browser Security Mechanism Headers | Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header field is ... |
| 3.4.3 | 2 | V3.4 Browser Security Mechanism Headers | Verify that HTTP responses include a Content-Security-Policy response header field which defines ... |
| 3.4.4 | 2 | V3.4 Browser Security Mechanism Headers | Verify that all HTTP responses contain an 'X-Content-Type-Options: nosniff' header field. This in... |
| 3.4.5 | 2 | V3.4 Browser Security Mechanism Headers | Verify that the application sets a referrer policy to prevent leakage of technically sensitive da... |
| 3.4.6 | 2 | V3.4 Browser Security Mechanism Headers | Verify that the web application uses the frame-ancestors directive of the Content-Security-Policy... |
| 3.4.7 | 3 | V3.4 Browser Security Mechanism Headers | Verify that the Content-Security-Policy header field specifies a location to report violations. |
| 3.4.8 | 3 | V3.4 Browser Security Mechanism Headers | Verify that all HTTP responses that initiate a document rendering (such as responses with Content... |
| 3.5.1 | 1 | V3.5 Browser Origin Separation | Verify that, if the application does not rely on the CORS preflight mechanism to prevent disallow... |
| 3.5.2 | 1 | V3.5 Browser Origin Separation | Verify that, if the application relies on the CORS preflight mechanism to prevent disallowed cros... |
| 3.5.3 | 1 | V3.5 Browser Origin Separation | Verify that HTTP requests to sensitive functionality use appropriate HTTP methods such as POST, P... |
| 3.5.4 | 2 | V3.5 Browser Origin Separation | Verify that separate applications are hosted on different hostnames to leverage the restrictions ... |
| 3.5.5 | 2 | V3.5 Browser Origin Separation | Verify that messages received by the postMessage interface are discarded if the origin of the mes... |
| 3.5.6 | 3 | V3.5 Browser Origin Separation | Verify that JSONP functionality is not enabled anywhere across the application to avoid Cross-Sit... |
| 3.5.7 | 3 | V3.5 Browser Origin Separation | Verify that data requiring authorization is not included in script resource responses, like JavaS... |
| 3.5.8 | 3 | V3.5 Browser Origin Separation | Verify that authenticated resources (such as images, videos, scripts, and other documents) can be... |
| 3.6.1 | 3 | V3.6 External Resource Integrity | Verify that client-side assets, such as JavaScript libraries, CSS, or web fonts, are only hosted ... |
| 3.7.1 | 2 | V3.7 Other Browser Security Considerations | Verify that the application only uses client-side technologies which are still supported and cons... |
| 3.7.2 | 2 | V3.7 Other Browser Security Considerations | Verify that the application will only automatically redirect the user to a different hostname or ... |
| 3.7.3 | 3 | V3.7 Other Browser Security Considerations | Verify that the application shows a notification when the user is being redirected to a URL outsi... |
| 3.7.4 | 3 | V3.7 Other Browser Security Considerations | Verify that the application's top-level domain (e.g., site.tld) is added to the public preload li... |
| 3.7.5 | 3 | V3.7 Other Browser Security Considerations | Verify that the application behaves as documented (such as warning the user or blocking access) i... |
V4 API and Web Service
| Requirement | Level | Section | Description |
|---|---|---|---|
| 4.1.1 | 1 | V4.1 Generic Web Service Security | Verify that every HTTP response with a message body contains a Content-Type header field that mat... |
| 4.1.2 | 2 | V4.1 Generic Web Service Security | Verify that only user-facing endpoints (intended for manual web-browser access) automatically red... |
| 4.1.3 | 2 | V4.1 Generic Web Service Security | Verify that any HTTP header field used by the application and set by an intermediary layer, such ... |
| 4.1.4 | 3 | V4.1 Generic Web Service Security | Verify that only HTTP methods that are explicitly supported by the application or its API (includ... |
| 4.1.5 | 3 | V4.1 Generic Web Service Security | Verify that per-message digital signatures are used to provide additional assurance on top of tra... |
| 4.2.1 | 2 | V4.2 HTTP Message Structure Validation | Verify that all application components (including load balancers, firewalls, and application serv... |
| 4.2.2 | 3 | V4.2 HTTP Message Structure Validation | Verify that when generating HTTP messages, the Content-Length header field does not conflict with... |
| 4.2.3 | 3 | V4.2 HTTP Message Structure Validation | Verify that the application does not send nor accept HTTP/2 or HTTP/3 messages with connection-sp... |
| 4.2.4 | 3 | V4.2 HTTP Message Structure Validation | Verify that the application only accepts HTTP/2 and HTTP/3 requests where the header fields and v... |
| 4.2.5 | 3 | V4.2 HTTP Message Structure Validation | Verify that, if the application (backend or frontend) builds and sends requests, it uses validati... |
| 4.3.1 | 2 | V4.3 GraphQL | Verify that a query allowlist, depth limiting, amount limiting, or query cost analysis is used to... |
| 4.3.2 | 2 | V4.3 GraphQL | Verify that GraphQL introspection queries are disabled in the production environment unless the G... |
| 4.4.1 | 1 | V4.4 WebSocket | Verify that WebSocket over TLS (WSS) is used for all WebSocket connections. |
| 4.4.2 | 2 | V4.4 WebSocket | Verify that, during the initial HTTP WebSocket handshake, the Origin header field is checked agai... |
| 4.4.3 | 2 | V4.4 WebSocket | Verify that, if the application's standard session management cannot be used, dedicated tokens ar... |
| 4.4.4 | 2 | V4.4 WebSocket | Verify that dedicated WebSocket session management tokens are initially obtained or validated thr... |
V5 File Handling
| Requirement | Level | Section | Description |
|---|---|---|---|
| 5.1.1 | 2 | V5.1 File Handling Documentation | Verify that the documentation defines the permitted file types, expected file extensions, and max... |
| 5.2.1 | 1 | V5.2 File Upload and Content | Verify that the application will only accept files of a size which it can process without causing... |
| 5.2.2 | 1 | V5.2 File Upload and Content | Verify that when the application accepts a file, either on its own or within an archive such as a... |
| 5.2.3 | 2 | V5.2 File Upload and Content | Verify that the application checks compressed files (e.g., zip, gz, docx, odt) against maximum al... |
| 5.2.4 | 3 | V5.2 File Upload and Content | Verify that a file size quota and maximum number of files per user are enforced to ensure that a ... |
| 5.2.5 | 3 | V5.2 File Upload and Content | Verify that the application does not allow uploading compressed files containing symlinks unless ... |
| 5.2.6 | 3 | V5.2 File Upload and Content | Verify that the application rejects uploaded images with a pixel size larger than the maximum all... |
| 5.3.1 | 1 | V5.3 File Storage | Verify that files uploaded or generated by untrusted input and stored in a public folder, are not... |
| 5.3.2 | 1 | V5.3 File Storage | Verify that when the application creates file paths for file operations, instead of user-submitte... |
| 5.3.3 | 3 | V5.3 File Storage | Verify that server-side file processing, such as file decompression, ignores user-provided path i... |
| 5.4.1 | 2 | V5.4 File Download | Verify that the application validates or ignores user-submitted filenames, including in a JSON, J... |
| 5.4.2 | 2 | V5.4 File Download | Verify that file names served (e.g., in HTTP response header fields or email attachments) are enc... |
| 5.4.3 | 2 | V5.4 File Download | Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent se... |
V6 Authentication
| Requirement | Level | Section | Description |
|---|---|---|---|
| 6.1.1 | 1 | V6.1 Authentication Documentation | Verify that application documentation defines how controls such as rate limiting, anti-automation... |
| 6.1.2 | 2 | V6.1 Authentication Documentation | Verify that a list of context-specific words is documented in order to prevent their use in passw... |
| 6.1.3 | 2 | V6.1 Authentication Documentation | Verify that, if the application includes multiple authentication pathways, these are all document... |
| 6.2.1 | 1 | V6.2 Password Security | Verify that user set passwords are at least 8 characters in length although a minimum of 15 chara... |
| 6.2.2 | 1 | V6.2 Password Security | Verify that users can change their password. |
| 6.2.3 | 1 | V6.2 Password Security | Verify that password change functionality requires the user's current and new password. |
| 6.2.4 | 1 | V6.2 Password Security | Verify that passwords submitted during account registration or password change are checked agains... |
| 6.2.5 | 1 | V6.2 Password Security | Verify that passwords of any composition can be used, without rules limiting the type of characte... |
| 6.2.6 | 1 | V6.2 Password Security | Verify that password input fields use type=password to mask the entry. Applications may allow the... |
| 6.2.7 | 1 | V6.2 Password Security | Verify that "paste" functionality, browser password helpers, and external password managers are p... |
| 6.2.8 | 1 | V6.2 Password Security | Verify that the application verifies the user's password exactly as received from the user, witho... |
| 6.2.9 | 2 | V6.2 Password Security | Verify that passwords of at least 64 characters are permitted. |
| 6.2.10 | 2 | V6.2 Password Security | Verify that a user's password stays valid until it is discovered to be compromised or the user ro... |
| 6.2.11 | 2 | V6.2 Password Security | Verify that the documented list of context specific words is used to prevent easy to guess passwo... |
| 6.2.12 | 2 | V6.2 Password Security | Verify that passwords submitted during account registration or password changes are checked again... |
| 6.3.1 | 1 | V6.3 General Authentication Security | Verify that controls to prevent attacks such as credential stuffing and password brute force are ... |
| 6.3.2 | 1 | V6.3 General Authentication Security | Verify that default user accounts (e.g., "root", "admin", or "sa") are not present in the applica... |
| 6.3.3 | 2 | V6.3 General Authentication Security | Verify that either a multi-factor authentication mechanism or a combination of single-factor auth... |
| 6.3.4 | 2 | V6.3 General Authentication Security | Verify that, if the application includes multiple authentication pathways, there are no undocumen... |
| 6.3.5 | 3 | V6.3 General Authentication Security | Verify that users are notified of suspicious authentication attempts (successful or unsuccessful)... |
| 6.3.6 | 3 | V6.3 General Authentication Security | Verify that email is not used as either a single-factor or multi-factor authentication mechanism. |
| 6.3.7 | 3 | V6.3 General Authentication Security | Verify that users are notified after updates to authentication details, such as credential resets... |
| 6.3.8 | 3 | V6.3 General Authentication Security | Verify that valid users cannot be deduced from failed authentication challenges, such as by basin... |
| 6.4.1 | 1 | V6.4 Authentication Factor Lifecycle and Recovery | Verify that system generated initial passwords or activation codes are securely randomly generate... |
| 6.4.2 | 1 | V6.4 Authentication Factor Lifecycle and Recovery | Verify that password hints or knowledge-based authentication (so-called "secret questions") are n... |
| 6.4.3 | 2 | V6.4 Authentication Factor Lifecycle and Recovery | Verify that a secure process for resetting a forgotten password is implemented, that does not byp... |
| 6.4.4 | 2 | V6.4 Authentication Factor Lifecycle and Recovery | Verify that if a multi-factor authentication factor is lost, evidence of identity proofing is per... |
| 6.4.5 | 3 | V6.4 Authentication Factor Lifecycle and Recovery | Verify that renewal instructions for authentication mechanisms which expire are sent with enough ... |
| 6.4.6 | 3 | V6.4 Authentication Factor Lifecycle and Recovery | Verify that administrative users can initiate the password reset process for the user, but that t... |
| 6.5.1 | 2 | V6.5 General Multi-factor authentication requirements | Verify that lookup secrets, out-of-band authentication requests or codes, and time-based one-time... |
| 6.5.2 | 2 | V6.5 General Multi-factor authentication requirements | Verify that, when being stored in the application's backend, lookup secrets with less than 112 bi... |
| 6.5.3 | 2 | V6.5 General Multi-factor authentication requirements | Verify that lookup secrets, out-of-band authentication code, and time-based one-time password see... |
| 6.5.4 | 2 | V6.5 General Multi-factor authentication requirements | Verify that lookup secrets and out-of-band authentication codes have a minimum of 20 bits of entr... |
| 6.5.5 | 2 | V6.5 General Multi-factor authentication requirements | Verify that out-of-band authentication requests, codes, or tokens, as well as time-based one-time... |
| 6.5.6 | 3 | V6.5 General Multi-factor authentication requirements | Verify that any authentication factor (including physical devices) can be revoked in case of thef... |
| 6.5.7 | 3 | V6.5 General Multi-factor authentication requirements | Verify that biometric authentication mechanisms are only used as secondary factors together with ... |
| 6.5.8 | 3 | V6.5 General Multi-factor authentication requirements | Verify that time-based one-time passwords (TOTPs) are checked based on a time source from a trust... |
| 6.6.1 | 2 | V6.6 Out-of-Band authentication mechanisms | Verify that authentication mechanisms using the Public Switched Telephone Network (PSTN) to deliv... |
| 6.6.2 | 2 | V6.6 Out-of-Band authentication mechanisms | Verify that out-of-band authentication requests, codes, or tokens are bound to the original authe... |
| 6.6.3 | 2 | V6.6 Out-of-Band authentication mechanisms | Verify that a code based out-of-band authentication mechanism is protected against brute force at... |
| 6.6.4 | 3 | V6.6 Out-of-Band authentication mechanisms | Verify that, where push notifications are used for multi-factor authentication, rate limiting is ... |
| 6.7.1 | 3 | V6.7 Cryptographic authentication mechanism | Verify that the certificates used to verify cryptographic authentication assertions are stored in... |
| 6.7.2 | 3 | V6.7 Cryptographic authentication mechanism | Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique... |
| 6.8.1 | 2 | V6.8 Authentication with an Identity Provider | Verify that, if the application supports multiple identity providers (IdPs), the user's identity ... |
| 6.8.2 | 2 | V6.8 Authentication with an Identity Provider | Verify that the presence and integrity of digital signatures on authentication assertions (for ex... |
| 6.8.3 | 2 | V6.8 Authentication with an Identity Provider | Verify that SAML assertions are uniquely processed and used only once within the validity period ... |
| 6.8.4 | 2 | V6.8 Authentication with an Identity Provider | Verify that, if an application uses a separate Identity Provider (IdP) and expects specific authe... |
V7 Session Management
| Requirement | Level | Section | Description |
|---|---|---|---|
| 7.1.1 | 2 | V7.1 Session Management Documentation | Verify that the user's session inactivity timeout and absolute maximum session lifetime are docum... |
| 7.1.2 | 2 | V7.1 Session Management Documentation | Verify that the documentation defines how many concurrent (parallel) sessions are allowed for one... |
| 7.1.3 | 2 | V7.1 Session Management Documentation | Verify that all systems that create and manage user sessions as part of a federated identity mana... |
| 7.2.1 | 1 | V7.2 Fundamental Session Management Security | Verify that the application performs all session token verification using a trusted, backend serv... |
| 7.2.2 | 1 | V7.2 Fundamental Session Management Security | Verify that the application uses either self-contained or reference tokens that are dynamically g... |
| 7.2.3 | 1 | V7.2 Fundamental Session Management Security | Verify that if reference tokens are used to represent user sessions, they are unique and generate... |
| 7.2.4 | 1 | V7.2 Fundamental Session Management Security | Verify that the application generates a new session token on user authentication, including re-au... |
| 7.3.1 | 2 | V7.3 Session Timeout | Verify that there is an inactivity timeout such that re-authentication is enforced according to r... |
| 7.3.2 | 2 | V7.3 Session Timeout | Verify that there is an absolute maximum session lifetime such that re-authentication is enforced... |
| 7.4.1 | 1 | V7.4 Session Termination | Verify that when session termination is triggered (such as logout or expiration), the application... |
| 7.4.2 | 1 | V7.4 Session Termination | Verify that the application terminates all active sessions when a user account is disabled or del... |
| 7.4.3 | 2 | V7.4 Session Termination | Verify that the application gives the option to terminate all other active sessions after a succe... |
| 7.4.4 | 2 | V7.4 Session Termination | Verify that all pages that require authentication have easy and visible access to logout function... |
| 7.4.5 | 2 | V7.4 Session Termination | Verify that application administrators are able to terminate active sessions for an individual us... |
| 7.5.1 | 2 | V7.5 Defenses Against Session Abuse | Verify that the application requires full re-authentication before allowing modifications to sens... |
| 7.5.2 | 2 | V7.5 Defenses Against Session Abuse | Verify that users are able to view and (having authenticated again with at least one factor) term... |
| 7.5.3 | 3 | V7.5 Defenses Against Session Abuse | Verify that the application requires further authentication with at least one factor or secondary... |
| 7.6.1 | 2 | V7.6 Federated Re-authentication | Verify that session lifetime and termination between Relying Parties (RPs) and Identity Providers... |
| 7.6.2 | 2 | V7.6 Federated Re-authentication | Verify that creation of a session requires either the user's consent or an explicit action, preve... |
V8 Authorization
| Requirement | Level | Section | Description |
|---|---|---|---|
| 8.1.1 | 1 | V8.1 Authorization Documentation | Verify that authorization documentation defines rules for restricting function-level and data-spe... |
| 8.1.2 | 2 | V8.1 Authorization Documentation | Verify that authorization documentation defines rules for field-level access restrictions (both r... |
| 8.1.3 | 3 | V8.1 Authorization Documentation | Verify that the application's documentation defines the environmental and contextual attributes (... |
| 8.1.4 | 3 | V8.1 Authorization Documentation | Verify that authentication and authorization documentation defines how environmental and contextu... |
| 8.2.1 | 1 | V8.2 General Authorization Design | Verify that the application ensures that function-level access is restricted to consumers with ex... |
| 8.2.2 | 1 | V8.2 General Authorization Design | Verify that the application ensures that data-specific access is restricted to consumers with exp... |
| 8.2.3 | 2 | V8.2 General Authorization Design | Verify that the application ensures that field-level access is restricted to consumers with expli... |
| 8.2.4 | 3 | V8.2 General Authorization Design | Verify that adaptive security controls based on a consumer's environmental and contextual attribu... |
| 8.3.1 | 1 | V8.3 Operation Level Authorization | Verify that the application enforces authorization rules at a trusted service layer and doesn't r... |
| 8.3.2 | 3 | V8.3 Operation Level Authorization | Verify that changes to values on which authorization decisions are made are applied immediately. ... |
| 8.3.3 | 3 | V8.3 Operation Level Authorization | Verify that access to an object is based on the originating subject's (e.g. consumer's) permissio... |
| 8.4.1 | 2 | V8.4 Other Authorization Considerations | Verify that multi-tenant applications use cross-tenant controls to ensure consumer operations wil... |
| 8.4.2 | 3 | V8.4 Other Authorization Considerations | Verify that access to administrative interfaces incorporates multiple layers of security, includi... |
V9 Self-contained Tokens
| Requirement | Level | Section | Description |
|---|---|---|---|
| 9.1.1 | 1 | V9.1 Token source and integrity | Verify that self-contained tokens are validated using their digital signature or MAC to protect a... |
| 9.1.2 | 1 | V9.1 Token source and integrity | Verify that only algorithms on an allowlist can be used to create and verify self-contained token... |
| 9.1.3 | 1 | V9.1 Token source and integrity | Verify that key material that is used to validate self-contained tokens is from trusted pre-confi... |
| 9.2.1 | 1 | V9.2 Token content | Verify that, if a validity time span is present in the token data, the token and its content are ... |
| 9.2.2 | 2 | V9.2 Token content | Verify that the service receiving a token validates the token to be the correct type and is meant... |
| 9.2.3 | 2 | V9.2 Token content | Verify that the service only accepts tokens which are intended for use with that service (audienc... |
| 9.2.4 | 2 | V9.2 Token content | Verify that, if a token issuer uses the same private key for issuing tokens to different audience... |
V10 OAuth and OIDC
| Requirement | Level | Section | Description |
|---|---|---|---|
| 10.1.1 | 2 | V10.1 Generic OAuth and OIDC Security | Verify that tokens are only sent to components that strictly need them. For example, when using a... |
| 10.1.2 | 2 | V10.1 Generic OAuth and OIDC Security | Verify that the client only accepts values from the authorization server (such as the authorizati... |
| 10.2.1 | 2 | V10.2 OAuth Client | Verify that, if the code flow is used, the OAuth client has protection against browser-based requ... |
| 10.2.2 | 2 | V10.2 OAuth Client | Verify that, if the OAuth client can interact with more than one authorization server, it has a d... |
| 10.2.3 | 3 | V10.2 OAuth Client | Verify that the OAuth client only requests the required scopes (or other authorization parameters... |
| 10.3.1 | 2 | V10.3 OAuth Resource Server | Verify that the resource server only accepts access tokens that are intended for use with that se... |
| 10.3.2 | 2 | V10.3 OAuth Resource Server | Verify that the resource server enforces authorization decisions based on claims from the access ... |
| 10.3.3 | 2 | V10.3 OAuth Resource Server | Verify that if an access control decision requires identifying a unique user from an access token... |
| 10.3.4 | 2 | V10.3 OAuth Resource Server | Verify that, if the resource server requires specific authentication strength, methods, or recent... |
| 10.3.5 | 3 | V10.3 OAuth Resource Server | Verify that the resource server prevents the use of stolen access tokens or replay of access toke... |
| 10.4.1 | 1 | V10.4 OAuth Authorization Server | Verify that the authorization server validates redirect URIs based on a client-specific allowlist... |
| 10.4.2 | 1 | V10.4 OAuth Authorization Server | Verify that, if the authorization server returns the authorization code in the authorization resp... |
| 10.4.3 | 1 | V10.4 OAuth Authorization Server | Verify that the authorization code is short-lived. The maximum lifetime can be up to 10 minutes f... |
| 10.4.4 | 1 | V10.4 OAuth Authorization Server | Verify that for a given client, the authorization server only allows the usage of grants that thi... |
| 10.4.5 | 1 | V10.4 OAuth Authorization Server | Verify that the authorization server mitigates refresh token replay attacks for public clients, p... |
| 10.4.6 | 2 | V10.4 OAuth Authorization Server | Verify that, if the code grant is used, the authorization server mitigates authorization code int... |
| 10.4.7 | 2 | V10.4 OAuth Authorization Server | Verify that if the authorization server supports unauthenticated dynamic client registration, it ... |
| 10.4.8 | 2 | V10.4 OAuth Authorization Server | Verify that refresh tokens have an absolute expiration, including if sliding refresh token expira... |
| 10.4.9 | 2 | V10.4 OAuth Authorization Server | Verify that refresh tokens and reference access tokens can be revoked by an authorized user using... |
| 10.4.10 | 2 | V10.4 OAuth Authorization Server | Verify that confidential client is authenticated for client-to-authorized server backchannel requ... |
| 10.4.11 | 2 | V10.4 OAuth Authorization Server | Verify that the authorization server configuration only assigns the required scopes to the OAuth ... |
| 10.4.12 | 3 | V10.4 OAuth Authorization Server | Verify that for a given client, the authorization server only allows the 'response_mode' value th... |
| 10.4.13 | 3 | V10.4 OAuth Authorization Server | Verify that grant type 'code' is always used together with pushed authorization requests (PAR). |
| 10.4.14 | 3 | V10.4 OAuth Authorization Server | Verify that the authorization server issues only sender-constrained (Proof-of-Possession) access ... |
| 10.4.15 | 3 | V10.4 OAuth Authorization Server | Verify that, for a server-side client (which is not executed on the end-user device), the authori... |
| 10.4.16 | 3 | V10.4 OAuth Authorization Server | Verify that the client is confidential and the authorization server requires the use of strong cl... |
| 10.5.1 | 2 | V10.5 OIDC Client | Verify that the client (as the relying party) mitigates ID Token replay attacks. For example, by ... |
| 10.5.2 | 2 | V10.5 OIDC Client | Verify that the client uniquely identifies the user from ID Token claims, usually the 'sub' claim... |
| 10.5.3 | 2 | V10.5 OIDC Client | Verify that the client rejects attempts by a malicious authorization server to impersonate anothe... |
| 10.5.4 | 2 | V10.5 OIDC Client | Verify that the client validates that the ID Token is intended to be used for that client (audien... |
| 10.5.5 | 2 | V10.5 OIDC Client | Verify that, when using OIDC back-channel logout, the relying party mitigates denial of service t... |
| 10.6.1 | 2 | V10.6 OpenID Provider | Verify that the OpenID Provider only allows values 'code', 'ciba', 'id_token', or 'id_token code'... |
| 10.6.2 | 2 | V10.6 OpenID Provider | Verify that the OpenID Provider mitigates denial of service through forced logout. By obtaining e... |
| 10.7.1 | 2 | V10.7 Consent Management | Verify that the authorization server ensures that the user consents to each authorization request... |
| 10.7.2 | 2 | V10.7 Consent Management | Verify that when the authorization server prompts for user consent, it presents sufficient and cl... |
| 10.7.3 | 2 | V10.7 Consent Management | Verify that the user can review, modify, and revoke consents which the user has granted through t... |
V11 Cryptography
| Requirement | Level | Section | Description |
|---|---|---|---|
| 11.1.1 | 2 | V11.1 Cryptographic Inventory and Documentation | Verify that there is a documented policy for management of cryptographic keys and a cryptographic... |
| 11.1.2 | 2 | V11.1 Cryptographic Inventory and Documentation | Verify that a cryptographic inventory is performed, maintained, regularly updated, and includes a... |
| 11.1.3 | 3 | V11.1 Cryptographic Inventory and Documentation | Verify that cryptographic discovery mechanisms are employed to identify all instances of cryptogr... |
| 11.1.4 | 3 | V11.1 Cryptographic Inventory and Documentation | Verify that a cryptographic inventory is maintained. This must include a documented plan that out... |
| 11.2.1 | 2 | V11.2 Secure Cryptography Implementation | Verify that industry-validated implementations (including libraries and hardware-accelerated impl... |
| 11.2.2 | 2 | V11.2 Secure Cryptography Implementation | Verify that the application is designed with crypto agility such that random number, authenticate... |
| 11.2.3 | 2 | V11.2 Secure Cryptography Implementation | Verify that all cryptographic primitives utilize a minimum of 128-bits of security based on the a... |
| 11.2.4 | 3 | V11.2 Secure Cryptography Implementation | Verify that all cryptographic operations are constant-time, with no 'short-circuit' operations in... |
| 11.2.5 | 3 | V11.2 Secure Cryptography Implementation | Verify that all cryptographic modules fail securely, and errors are handled in a way that does no... |
| 11.3.1 | 1 | V11.3 Encryption Algorithms | Verify that insecure block modes (e.g., ECB) and weak padding schemes (e.g., PKCS#1 v1.5) are not... |
| 11.3.2 | 1 | V11.3 Encryption Algorithms | Verify that only approved ciphers and modes such as AES with GCM are used. |
| 11.3.3 | 2 | V11.3 Encryption Algorithms | Verify that encrypted data is protected against unauthorized modification preferably by using an ... |
| 11.3.4 | 3 | V11.3 Encryption Algorithms | Verify that nonces, initialization vectors, and other single-use numbers are not used for more th... |
| 11.3.5 | 3 | V11.3 Encryption Algorithms | Verify that any combination of an encryption algorithm and a MAC algorithm is operating in encryp... |
| 11.4.1 | 1 | V11.4 Hashing and Hash-based Functions | Verify that only approved hash functions are used for general cryptographic use cases, including ... |
| 11.4.2 | 2 | V11.4 Hashing and Hash-based Functions | Verify that passwords are stored using an approved, computationally intensive, key derivation fun... |
| 11.4.3 | 2 | V11.4 Hashing and Hash-based Functions | Verify that hash functions used in digital signatures, as part of data authentication or data int... |
| 11.4.4 | 2 | V11.4 Hashing and Hash-based Functions | Verify that the application uses approved key derivation functions with key stretching parameters... |
| 11.5.1 | 2 | V11.5 Random Values | Verify that all random numbers and strings which are intended to be non-guessable must be generat... |
| 11.5.2 | 3 | V11.5 Random Values | Verify that the random number generation mechanism in use is designed to work securely, even unde... |
| 11.6.1 | 2 | V11.6 Public Key Cryptography | Verify that only approved cryptographic algorithms and modes of operation are used for key genera... |
| 11.6.2 | 3 | V11.6 Public Key Cryptography | Verify that approved cryptographic algorithms are used for key exchange (such as Diffie-Hellman) ... |
| 11.7.1 | 3 | V11.7 In-Use Data Cryptography | Verify that full memory encryption is in use that protects sensitive data while it is in use, pre... |
| 11.7.2 | 3 | V11.7 In-Use Data Cryptography | Verify that data minimization ensures the minimal amount of data is exposed during processing, an... |
V12 Secure Communication
| Requirement | Level | Section | Description |
|---|---|---|---|
| 12.1.1 | 1 | V12.1 General TLS Security Guidance | Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2... |
| 12.1.2 | 2 | V12.1 General TLS Security Guidance | Verify that only recommended cipher suites are enabled, with the strongest cipher suites set as p... |
| 12.1.3 | 2 | V12.1 General TLS Security Guidance | Verify that the application validates that mTLS client certificates are trusted before using the ... |
| 12.1.4 | 3 | V12.1 General TLS Security Guidance | Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) St... |
| 12.1.5 | 3 | V12.1 General TLS Security Guidance | Verify that Encrypted Client Hello (ECH) is enabled in the application's TLS settings to prevent ... |
| 12.2.1 | 1 | V12.2 HTTPS Communication with External Facing Services | Verify that TLS is used for all connectivity between a client and external facing, HTTP-based ser... |
| 12.2.2 | 1 | V12.2 HTTPS Communication with External Facing Services | Verify that external facing services use publicly trusted TLS certificates. |
| 12.3.1 | 2 | V12.3 General Service to Service Communication Security | Verify that an encrypted protocol such as TLS is used for all inbound and outbound connections to... |
| 12.3.2 | 2 | V12.3 General Service to Service Communication Security | Verify that TLS clients validate certificates received before communicating with a TLS server. |
| 12.3.3 | 2 | V12.3 General Service to Service Communication Security | Verify that TLS or another appropriate transport encryption mechanism used for all connectivity b... |
| 12.3.4 | 2 | V12.3 General Service to Service Communication Security | Verify that TLS connections between internal services use trusted certificates. Where internally ... |
| 12.3.5 | 3 | V12.3 General Service to Service Communication Security | Verify that services communicating internally within a system (intra-service communications) use ... |
V13 Configuration
| Requirement | Level | Section | Description |
|---|---|---|---|
| 13.1.1 | 2 | V13.1 Configuration Documentation | Verify that all communication needs for the application are documented. This must include externa... |
| 13.1.2 | 3 | V13.1 Configuration Documentation | Verify that for each service the application uses, the documentation defines the maximum number o... |
| 13.1.3 | 3 | V13.1 Configuration Documentation | Verify that the application documentation defines resource‑management strategies for every extern... |
| 13.1.4 | 3 | V13.1 Configuration Documentation | Verify that the application's documentation defines the secrets that are critical for the securit... |
| 13.2.1 | 2 | V13.2 Backend Communication Configuration | Verify that communications between backend application components that don't support the applicat... |
| 13.2.2 | 2 | V13.2 Backend Communication Configuration | Verify that communications between backend application components, including local or operating s... |
| 13.2.3 | 2 | V13.2 Backend Communication Configuration | Verify that if a credential has to be used for service authentication, the credential being used ... |
| 13.2.4 | 2 | V13.2 Backend Communication Configuration | Verify that an allowlist is used to define the external resources or systems with which the appli... |
| 13.2.5 | 2 | V13.2 Backend Communication Configuration | Verify that the web or application server is configured with an allowlist of resources or systems... |
| 13.2.6 | 3 | V13.2 Backend Communication Configuration | Verify that where the application connects to separate services, it follows the documented config... |
| 13.3.1 | 2 | V13.3 Secret Management | Verify that a secrets management solution, such as a key vault, is used to securely create, store... |
| 13.3.2 | 2 | V13.3 Secret Management | Verify that access to secret assets adheres to the principle of least privilege. |
| 13.3.3 | 3 | V13.3 Secret Management | Verify that all cryptographic operations are performed using an isolated security module (such as... |
| 13.3.4 | 3 | V13.3 Secret Management | Verify that secrets are configured to expire and be rotated based on the application's documentat... |
| 13.4.1 | 1 | V13.4 Unintended Information Leakage | Verify that the application is deployed either without any source control metadata, including the... |
| 13.4.2 | 2 | V13.4 Unintended Information Leakage | Verify that debug modes are disabled for all components in production environments to prevent exp... |
| 13.4.3 | 2 | V13.4 Unintended Information Leakage | Verify that web servers do not expose directory listings to clients unless explicitly intended. |
| 13.4.4 | 2 | V13.4 Unintended Information Leakage | Verify that using the HTTP TRACE method is not supported in production environments, to avoid pot... |
| 13.4.5 | 2 | V13.4 Unintended Information Leakage | Verify that documentation (such as for internal APIs) and monitoring endpoints are not exposed un... |
| 13.4.6 | 3 | V13.4 Unintended Information Leakage | Verify that the application does not expose detailed version information of backend components. |
| 13.4.7 | 3 | V13.4 Unintended Information Leakage | Verify that the web tier is configured to only serve files with specific file extensions to preve... |
V14 Data Protection
| Requirement | Level | Section | Description |
|---|---|---|---|
| 14.1.1 | 2 | V14.1 Data Protection Documentation | Verify that all sensitive data created and processed by the application has been identified and c... |
| 14.1.2 | 2 | V14.1 Data Protection Documentation | Verify that all sensitive data protection levels have a documented set of protection requirements... |
| 14.2.1 | 1 | V14.2 General Data Protection | Verify that sensitive data is only sent to the server in the HTTP message body or header fields, ... |
| 14.2.2 | 2 | V14.2 General Data Protection | Verify that the application prevents sensitive data from being cached in server components, such ... |
| 14.2.3 | 2 | V14.2 General Data Protection | Verify that defined sensitive data is not sent to untrusted parties (e.g., user trackers) to prev... |
| 14.2.4 | 2 | V14.2 General Data Protection | Verify that controls around sensitive data related to encryption, integrity verification, retenti... |
| 14.2.5 | 3 | V14.2 General Data Protection | Verify that caching mechanisms are configured to only cache responses which have the expected con... |
| 14.2.6 | 3 | V14.2 General Data Protection | Verify that the application only returns the minimum required sensitive data for the application'... |
| 14.2.7 | 3 | V14.2 General Data Protection | Verify that sensitive information is subject to data retention classification, ensuring that outd... |
| 14.2.8 | 3 | V14.2 General Data Protection | Verify that sensitive information is removed from the metadata of user-submitted files unless sto... |
| 14.3.1 | 1 | V14.3 Client-side Data Protection | Verify that authenticated data is cleared from client storage, such as the browser DOM, after the... |
| 14.3.2 | 2 | V14.3 Client-side Data Protection | Verify that the application sets sufficient anti-caching HTTP response header fields (i.e., Cache... |
| 14.3.3 | 2 | V14.3 Client-side Data Protection | Verify that data stored in browser storage (such as localStorage, sessionStorage, IndexedDB, or c... |
V15 Secure Coding and Architecture
| Requirement | Level | Section | Description |
|---|---|---|---|
| 15.1.1 | 1 | V15.1 Secure Coding and Architecture Documentation | Verify that application documentation defines risk based remediation time frames for 3rd party co... |
| 15.1.2 | 2 | V15.1 Secure Coding and Architecture Documentation | Verify that an inventory catalog, such as software bill of materials (SBOM), is maintained of all... |
| 15.1.3 | 2 | V15.1 Secure Coding and Architecture Documentation | Verify that the application documentation identifies functionality which is time-consuming or res... |
| 15.1.4 | 3 | V15.1 Secure Coding and Architecture Documentation | Verify that application documentation highlights third-party libraries which are considered to be... |
| 15.1.5 | 3 | V15.1 Secure Coding and Architecture Documentation | Verify that application documentation highlights parts of the application where "dangerous functi... |
| 15.2.1 | 1 | V15.2 Security Architecture and Dependencies | Verify that the application only contains components which have not breached the documented updat... |
| 15.2.2 | 2 | V15.2 Security Architecture and Dependencies | Verify that the application has implemented defenses against loss of availability due to function... |
| 15.2.3 | 2 | V15.2 Security Architecture and Dependencies | Verify that the production environment only includes functionality that is required for the appli... |
| 15.2.4 | 3 | V15.2 Security Architecture and Dependencies | Verify that third-party components and all of their transitive dependencies are included from the... |
| 15.2.5 | 3 | V15.2 Security Architecture and Dependencies | Verify that the application implements additional protections around parts of the application whi... |
| 15.3.1 | 1 | V15.3 Defensive Coding | Verify that the application only returns the required subset of fields from a data object. For ex... |
| 15.3.2 | 2 | V15.3 Defensive Coding | Verify that where the application backend makes calls to external URLs, it is configured to not f... |
| 15.3.3 | 2 | V15.3 Defensive Coding | Verify that the application has countermeasures to protect against mass assignment attacks by lim... |
| 15.3.4 | 2 | V15.3 Defensive Coding | Verify that all proxying and middleware components transfer the user's original IP address correc... |
| 15.3.5 | 2 | V15.3 Defensive Coding | Verify that the application explicitly ensures that variables are of the correct type and perform... |
| 15.3.6 | 2 | V15.3 Defensive Coding | Verify that JavaScript code is written in a way that prevents prototype pollution, for example, b... |
| 15.3.7 | 2 | V15.3 Defensive Coding | Verify that the application has defenses against HTTP parameter pollution attacks, particularly i... |
| 15.4.1 | 3 | V15.4 Safe Concurrency | Verify that shared objects in multi-threaded code (such as caches, files, or in-memory objects ac... |
| 15.4.2 | 3 | V15.4 Safe Concurrency | Verify that checks on a resource's state, such as its existence or permissions, and the actions t... |
| 15.4.3 | 3 | V15.4 Safe Concurrency | Verify that locks are used consistently to avoid threads getting stuck, whether by waiting on eac... |
| 15.4.4 | 3 | V15.4 Safe Concurrency | Verify that resource allocation policies prevent thread starvation by ensuring fair access to res... |
V16 Security Logging and Error Handling
| Requirement | Level | Section | Description |
|---|---|---|---|
| 16.1.1 | 2 | V16.1 Security Logging Documentation | Verify that an inventory exists documenting the logging performed at each layer of the applicatio... |
| 16.2.1 | 2 | V16.2 General Logging | Verify that each log entry includes necessary metadata (such as when, where, who, what) that woul... |
| 16.2.2 | 2 | V16.2 General Logging | Verify that time sources for all logging components are synchronized, and that timestamps in secu... |
| 16.2.3 | 2 | V16.2 General Logging | Verify that the application only stores or broadcasts logs to the files and services that are doc... |
| 16.2.4 | 2 | V16.2 General Logging | Verify that logs can be read and correlated by the log processor that is in use, preferably by us... |
| 16.2.5 | 2 | V16.2 General Logging | Verify that when logging sensitive data, the application enforces logging based on the data's pro... |
| 16.3.1 | 2 | V16.3 Security Events | Verify that all authentication operations are logged, including successful and unsuccessful attem... |
| 16.3.2 | 2 | V16.3 Security Events | Verify that failed authorization attempts are logged. For L3, this must include logging all autho... |
| 16.3.3 | 2 | V16.3 Security Events | Verify that the application logs the security events that are defined in the documentation and al... |
| 16.3.4 | 2 | V16.3 Security Events | Verify that the application logs unexpected errors and security control failures such as backend ... |
| 16.4.1 | 2 | V16.4 Log Protection | Verify that all logging components appropriately encode data to prevent log injection. |
| 16.4.2 | 2 | V16.4 Log Protection | Verify that logs are protected from unauthorized access and cannot be modified. |
| 16.4.3 | 2 | V16.4 Log Protection | Verify that logs are securely transmitted to a logically separate system for analysis, detection,... |
| 16.5.1 | 2 | V16.5 Error Handling | Verify that a generic message is returned to the consumer when an unexpected or security-sensitiv... |
| 16.5.2 | 2 | V16.5 Error Handling | Verify that the application continues to operate securely when external resource access fails, fo... |
| 16.5.3 | 2 | V16.5 Error Handling | Verify that the application fails gracefully and securely, including when an exception occurs, pr... |
| 16.5.4 | 3 | V16.5 Error Handling | Verify that a "last resort" error handler is defined which will catch all unhandled exceptions. T... |
V17 WebRTC
| Requirement | Level | Section | Description |
|---|---|---|---|
| 17.1.1 | 2 | V17.1 TURN Server | Verify that the Traversal Using Relays around NAT (TURN) service only allows access to IP address... |
| 17.1.2 | 3 | V17.1 TURN Server | Verify that the Traversal Using Relays around NAT (TURN) service is not susceptible to resource e... |
| 17.2.1 | 2 | V17.2 Media | Verify that the key for the Datagram Transport Layer Security (DTLS) certificate is managed and p... |
| 17.2.2 | 2 | V17.2 Media | Verify that the media server is configured to use and support approved Datagram Transport Layer S... |
| 17.2.3 | 2 | V17.2 Media | Verify that Secure Real-time Transport Protocol (SRTP) authentication is checked at the media ser... |
| 17.2.4 | 2 | V17.2 Media | Verify that the media server is able to continue processing incoming media traffic when encounter... |
| 17.2.5 | 3 | V17.2 Media | Verify that the media server is able to continue processing incoming media traffic during a flood... |
| 17.2.6 | 3 | V17.2 Media | Verify that the media server is not susceptible to the "ClientHello" Race Condition vulnerability... |
| 17.2.7 | 3 | V17.2 Media | Verify that any audio or video recording mechanisms associated with the media server are able to ... |
| 17.2.8 | 3 | V17.2 Media | Verify that the Datagram Transport Layer Security (DTLS) certificate is checked against the Sessi... |
| 17.3.1 | 2 | V17.3 Signaling | Verify that the signaling server is able to continue processing legitimate incoming signaling mes... |
| 17.3.2 | 2 | V17.3 Signaling | Verify that the signaling server is able to continue processing legitimate signaling messages whe... |