General Data Protection

V8.1.1

Verify the application protects sensitive data from being cached in server components such as load balancers and application caches.

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 524

V8.1.2

Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 524

V8.1.3

Verify the application minimizes the number of parameters in a request, such as hidden fields, Ajax variables, cookies and header values.

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 233

V8.1.4

Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application.

Level 1 required: False

Level 2 required: True

Level 3 required: True

CWE: 770

V8.1.5

Verify that regular backups of important data are performed and that test restoration of data is performed.

Level 1 required: False

Level 2 required: False

Level 3 required: True

CWE: 19

V8.1.6

Verify that backups are stored securely to prevent data from being stolen or corrupted.

Level 1 required: False

Level 2 required: False

Level 3 required: True

CWE: 19

Disclaimer:

Credit via OWASP ASVS. For more information visit The OWASP ASVS Project or Github respository.. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.

View source on GitHub