Level 2 controls
Level 2 contains 259 controls listed below:
01-architecture-design-and-threat-modeling
01-secure-software-development-lifecycle
- V1.1.1 Verify the use of a secure software development li ...
- V1.1.2 Verify the use of threat modeling for every design ...
- V1.1.3 All user stories and features contain functional s ...
- V1.1.4 Verify documentation and justification of all the ...
- V1.1.5 Verify definition and security analysis of the app ...
- V1.1.6 Verify implementation of centralized, simple (econ ...
- V1.1.7 Verify availability of a secure coding checklist, ...
02-authentication-architecture
- V1.2.1 Verify the use of unique or special low-privilege ...
- V1.2.2 Communications between application components, inc ...
- V1.2.3 The application uses a single vetted authenticatio ...
- V1.2.4 All authentication pathways and identity managemen ...
04-access-control-architecture
- V1.4.1 Trusted enforcement points, such as access control ...
- V1.4.4 Verify the application uses a single and well-vett ...
- V1.4.5 Attribute or feature-based access control is used ...
- V1.5.1 Input and output requirements clearly define how t ...
- V1.5.2 Serialization is not used when communicating with ...
- V1.5.3 Input validation is enforced on a trusted service ...
- V1.5.4 Output encoding occurs close to or by the interpre ...
06-cryptographic-architecture
- V1.6.1 There is an explicit policy for management of cryp ...
- V1.6.2 Consumers of cryptographic services protect key ma ...
- V1.6.3 All keys and passwords are replaceable and are par ...
- V1.6.4 The architecture treats client-side secrets--such ...
07-errors-logging-and-auditing-architecture
- V1.7.1 A common logging format and approach is used acros ...
- V1.7.2 Logs are securely transmitted to a preferably remo ...
08-data-protection-and-privacy-architecture
- V1.8.1 All sensitive data is identified and classified in ...
- V1.8.2 All protection levels have an associated set of pr ...
09-communications-architecture
- V1.9.1 Verify the application encrypts communications bet ...
- V1.9.2 Application components verify the authenticity of ...
10-malicious-software-architecture
- V1.10.1 A source code control system is in use, with proce ...
11-business-logic-architecture
- V1.11.1 Verify the definition and documentation of all app ...
- V1.11.2 All high-value business logic flows, including aut ...
12-secure-file-upload-architecture
- V1.12.2 User-uploaded files - if required to be displayed ...
14-configuration-architecture
- V1.14.1 Verify the segregation of components of differing ...
- V1.14.2 Binary signatures, trusted connections, and verifi ...
- V1.14.3 The build pipeline warns of out-of-date or insecur ...
- V1.14.4 The build pipeline contains a build step to automa ...
- V1.14.5 Application deployments adequately sandbox, contai ...
- V1.14.6 Verify the application does not use unsupported, i ...
02-authentication
01-password-security
- V2.1.1 User set passwords are at least 12 characters in l ...
- V2.1.2 Passwords of at least 64 characters are permitted, ...
- V2.1.3 Password truncation is not performed. However, con ...
- V2.1.4 Any printable unicode character, including languag ...
- V2.1.5 Verify users can change their password. ...
- V2.1.6 Password change functionality requires the user's ...
- V2.1.7 Passwords submitted during account registration, l ...
- V2.1.8 A password strength meter is provided to help user ...
- V2.1.9 There are no password composition rules limiting t ...
- V2.1.10 There are no periodic credential rotation or passw ...
- V2.1.11 "paste" functionality, browser password helpers, a ...
- V2.1.12 The user can choose to either temporarily view the ...
02-general-authenticator-security
- V2.2.1 Anti-automation controls are effective at mitigati ...
- V2.2.2 The use of weak authenticators (such as sms and em ...
- V2.2.3 Secure notifications are sent to users after updat ...
03-authenticator-lifecycle
- V2.3.1 Verify system generated initial passwords or activ ...
- V2.3.2 Enrollment and use of user-provided authentication ...
- V2.3.3 Renewal instructions are sent with sufficient time ...
04-credential-storage
- V2.4.1 Passwords are stored in a form that is resistant t ...
- V2.4.2 The salt is at least 32 bits in length and be chos ...
- V2.4.3 If pbkdf2 is used, the iteration count should be a ...
- V2.4.4 If bcrypt is used, the work factor should be as la ...
- V2.4.5 An additional iteration of a key derivation functi ...
05-credential-recovery
- V2.5.1 A system generated initial activation or recovery ...
- V2.5.2 Verify password hints or knowledge-based authentic ...
- V2.5.3 Verify password credential recovery does not revea ...
- V2.5.4 Verify shared or default accounts are not present ...
- V2.5.5 If an authentication factor is changed or replaced ...
- V2.5.6 Verify forgotten password, and other recovery path ...
- V2.5.7 If otp or multi-factor authentication factors are ...
06-look-up-secret-verifier
- V2.6.1 Lookup secrets can be used only once. ...
- V2.6.2 Lookup secrets have sufficient randomness (112 bit ...
- V2.6.3 Lookup secrets are resistant to offline attacks, s ...
07-out-of-band-verifier
- V2.7.1 Clear text out of band (nist "restricted") authent ...
- V2.7.2 The out of band verifier expires out of band authe ...
- V2.7.3 The out of band verifier authentication requests, ...
- V2.7.4 The out of band authenticator and verifier communi ...
- V2.7.5 The out of band verifier retains only a hashed ver ...
- V2.7.6 The initial authentication code is generated by a ...
08-one-time-verifier
- V2.8.1 Time-based otps have a defined lifetime before exp ...
- V2.8.2 Symmetric keys used to verify submitted otps are h ...
- V2.8.3 Approved cryptographic algorithms are used in the ...
- V2.8.4 Time-based otp can be used only once within the va ...
- V2.8.5 If a time-based multi-factor otp token is re-used ...
- V2.8.6 Verify physical single-factor otp generator can be ...
- V2.8.7 Biometric authenticators are limited to use only a ...
09-cryptographic-verifier
- V2.9.1 Cryptographic keys used in verification are stored ...
- V2.9.2 The challenge nonce is at least 64 bits in length, ...
- V2.9.3 Approved cryptographic algorithms are used in the ...
10-service-authentication
- V2.10.1 Intra-service secrets do not rely on unchanging cr ...
- V2.10.2 If passwords are required for service authenticati ...
- V2.10.3 Passwords are stored with sufficient protection to ...
- V2.10.4 Verify passwords, integrations with databases and ...
03-session-management
01-fundamental-session-management-security
- V3.1.1 Verify the application never reveals session token ...
02-session-binding
- V3.2.1 Verify the application generates a new session tok ...
- V3.2.2 Session tokens possess at least 64 bits of entropy ...
- V3.2.3 Verify the application only stores session tokens ...
- V3.2.4 Session tokens are generated using approved crypto ...
03-session-termination
- V3.3.1 Logout and expiration invalidate the session token ...
- V3.3.2 If authenticators permit users to remain logged in ...
- V3.3.3 The application gives the option to terminate all ...
- V3.3.4 Users are able to view and (having re-entered logi ...
04-cookie-based-session-management
- V3.4.1 Cookie-based session tokens have the 'secure' attr ...
- V3.4.2 Cookie-based session tokens have the 'httponly' at ...
- V3.4.3 Cookie-based session tokens utilize the 'samesite' ...
- V3.4.4 Cookie-based session tokens use the "__host-" pref ...
- V3.4.5 If the application is published under a domain nam ...
05-token-based-session-management
- V3.5.1 Verify the application allows users to revoke oaut ...
- V3.5.2 Verify the application uses session tokens rather ...
- V3.5.3 Stateless session tokens use digital signatures, e ...
07-defenses-against-session-management-exploits
- V3.7.1 Verify the application ensures a full, valid login ...
04-access-control
01-general-access-control-design
- V4.1.1 The application enforces access control rules on a ...
- V4.1.2 All user and data attributes and policy informatio ...
- V4.1.3 The principle of least privilege exists - users sh ...
- V4.1.5 Access controls fail securely including when an ex ...
02-operation-level-access-control
- V4.2.1 Sensitive data and apis are protected against inse ...
- V4.2.2 The application or framework enforces a strong ant ...
03-other-access-control-considerations
- V4.3.1 Verify administrative interfaces use appropriate m ...
- V4.3.2 Directory browsing is disabled unless deliberately ...
- V4.3.3 Verify the application has additional authorizatio ...
05-validation-sanitization-and-encoding
- V5.1.1 The application has defenses against http paramete ...
- V5.1.2 Frameworks protect against mass parameter assignme ...
- V5.1.3 All input (html form fields, rest requests, url pa ...
- V5.1.4 Structured data is strongly typed and validated ag ...
- V5.1.5 Url redirects and forwards only allow destinations ...
02-sanitization-and-sandboxing
- V5.2.1 All untrusted html input from wysiwyg editors or s ...
- V5.2.2 Unstructured data is sanitized to enforce safety m ...
- V5.2.3 The application sanitizes user input before passin ...
- V5.2.4 The application avoids the use of eval() or other ...
- V5.2.5 The application protects against template injectio ...
- V5.2.6 The application protects against ssrf attacks, by ...
- V5.2.7 The application sanitizes, disables, or sandboxes ...
- V5.2.8 The application sanitizes, disables, or sandboxes ...
03-output-encoding-and-injection-prevention
- V5.3.1 Output encoding is relevant for the interpreter an ...
- V5.3.2 Output encoding preserves the user's chosen charac ...
- V5.3.3 Context-aware, preferably automated - or at worst, ...
- V5.3.4 Data selection or database queries (e.g. sql, hql, ...
- V5.3.5 Where parameterized or safer mechanisms are not pr ...
- V5.3.6 The application protects against json injection at ...
- V5.3.7 The application protects against ldap injection vu ...
- V5.3.8 The application protects against os command inject ...
- V5.3.9 The application protects against local file inclus ...
- V5.3.10 The application protects against xpath injection o ...
04-memory-string-and-unmanaged-code
- V5.4.1 The application uses memory-safe string, safer mem ...
- V5.4.2 Format strings do not take potentially hostile inp ...
- V5.4.3 Sign, range, and input validation techniques are u ...
05-deserialization-prevention
- V5.5.1 Serialized objects use integrity checks or are enc ...
- V5.5.2 The application correctly restricts xml parsers to ...
- V5.5.3 Deserialization of untrusted data is avoided or is ...
- V5.5.4 When parsing json in browsers or javascript-based ...
06-stored-cryptography
01-data-classification
- V6.1.1 Regulated private data is stored encrypted while a ...
- V6.1.2 Regulated health data is stored encrypted while at ...
- V6.1.3 Regulated financial data is stored encrypted while ...
02-algorithms
- V6.2.1 All cryptographic modules fail securely, and error ...
- V6.2.2 Industry proven or government approved cryptograph ...
- V6.2.3 Encryption initialization vector, cipher configura ...
- V6.2.4 Random number, encryption or hashing algorithms, k ...
- V6.2.5 Known insecure block modes (i.e. ecb, etc.), paddi ...
- V6.2.6 Nonces, initialization vectors, and other single u ...
03-random-values
- V6.3.1 All random numbers, random file names, random guid ...
- V6.3.2 Random guids are created using the guid v4 algorit ...
04-secret-management
- V6.4.1 A secrets management solution such as a key vault ...
- V6.4.2 Key material is not exposed to the application but ...
07-error-handling-and-logging
01-log-content
- V7.1.1 The application does not log credentials or paymen ...
- V7.1.2 The application does not log other sensitive data ...
- V7.1.3 The application logs security relevant events incl ...
- V7.1.4 Each log event includes necessary information that ...
02-log-processing
- V7.2.1 All authentication decisions are logged, without s ...
- V7.2.2 All access control decisions can be logged and all ...
03-log-protection
- V7.3.1 All logging components appropriately encode data t ...
- V7.3.3 Security logs are protected from unauthorized acce ...
- V7.3.4 Time sources are synchronized to the correct time ...
04-error-handling
- V7.4.1 A generic message is shown when an unexpected or s ...
- V7.4.2 Exception handling (or a functional equivalent) is ...
- V7.4.3 A "last resort" error handler is defined which wil ...
08-data-protection
01-general-data-protection
- V8.1.1 Verify the application protects sensitive data fro ...
- V8.1.2 All cached or temporary copies of sensitive data s ...
- V8.1.3 Verify the application minimizes the number of par ...
- V8.1.4 Verify the application can detect and alert on abn ...
02-client-side-data-protection
- V8.2.1 Verify the application sets sufficient anti-cachin ...
- V8.2.2 Data stored in browser storage (such as localstora ...
- V8.2.3 Authenticated data is cleared from client storage, ...
03-sensitive-private-data
- V8.3.1 Sensitive data is sent to the server in the http m ...
- V8.3.2 Users have a method to remove or export their data ...
- V8.3.3 Users are provided clear language regarding collec ...
- V8.3.4 All sensitive data created and processed by the ap ...
- V8.3.5 Verify accessing sensitive data is audited (withou ...
- V8.3.6 Sensitive information contained in memory is overw ...
- V8.3.7 Sensitive or private information that is required ...
- V8.3.8 Sensitive personal information is subject to data ...
09-communication
01-client-communication-security
- V9.1.1 Tls is used for all client connectivity, and does ...
- V9.1.2 Verify using up to date tls testing tools that onl ...
- V9.1.3 Only the latest recommended versions of the tls pr ...
02-server-communication-security
- V9.2.1 Connections to and from the server use trusted tls ...
- V9.2.2 Encrypted communications such as tls is used for a ...
- V9.2.3 All encrypted connections to external systems that ...
- V9.2.4 Proper certification revocation, such as online ce ...
10-malicious-code
02-malicious-code-search
- V10.2.1 The application source code and third party librar ...
- V10.2.2 The application does not ask for unnecessary or ex ...
03-application-integrity
- V10.3.1 If the application has a client or server auto-upd ...
- V10.3.2 The application employs integrity protections, suc ...
- V10.3.3 The application has protection from subdomain take ...
11-business-logic
01-business-logic-security
- V11.1.1 The application will only process business logic f ...
- V11.1.2 The application will only process business logic f ...
- V11.1.3 Verify the application has appropriate limits for ...
- V11.1.4 The application has anti-automation controls to pr ...
- V11.1.5 Verify the application has business logic limits o ...
- V11.1.6 The application does not suffer from "time of chec ...
- V11.1.7 The application monitors for unusual events or act ...
- V11.1.8 The application has configurable alerting when aut ...
12-files-and-resources
01-file-upload
- V12.1.1 The application will not accept large files that c ...
- V12.1.2 The application checks compressed files (e.g. zip, ...
- V12.1.3 A file size quota and maximum number of files per ...
02-file-integrity
- V12.2.1 Files obtained from untrusted sources are validate ...
03-file-execution
- V12.3.1 User-submitted filename metadata is not used direc ...
- V12.3.2 User-submitted filename metadata is validated or i ...
- V12.3.3 User-submitted filename metadata is validated or i ...
- V12.3.4 The application protects against reflective file d ...
- V12.3.5 Untrusted file metadata is not used directly with ...
- V12.3.6 The application does not include and execute funct ...
04-file-storage
- V12.4.1 Files obtained from untrusted sources are stored o ...
- V12.4.2 Files obtained from untrusted sources are scanned ...
05-file-download
- V12.5.1 The web tier is configured to serve only files wit ...
- V12.5.2 Direct requests to uploaded files will never be ex ...
06-ssrf-protection
- V12.6.1 The web or application server is configured with a ...
13-api-and-web-service
01-generic-web-service-security
- V13.1.1 All application components use the same encodings ...
- V13.1.3 Verify api urls do not expose sensitive informatio ...
- V13.1.4 Authorization decisions are made at both the uri, ...
- V13.1.5 Requests containing unexpected or missing content ...
02-restful-web-service
- V13.2.1 Enabled restful http methods are a valid choice fo ...
- V13.2.2 Json schema validation is in place and verified be ...
- V13.2.3 Restful web services that utilize cookies are prot ...
- V13.2.5 Rest services explicitly check the incoming conten ...
- V13.2.6 The message headers and payload are trustworthy an ...
03-soap-web-service
- V13.3.1 Xsd schema validation takes place to ensure a prop ...
- V13.3.2 The message payload is signed using ws-security to ...
04-graphql
- V13.4.1 A query allow list or a combination of depth limit ...
- V13.4.2 Graphql or other data layer authorization logic sh ...
14-configuration
01-build-and-deploy
- V14.1.1 The application build and deployment processes are ...
- V14.1.2 Compiler flags are configured to enable all availa ...
- V14.1.3 Server configuration is hardened as per the recomm ...
- V14.1.4 The application, configuration, and all dependenci ...
02-dependency
- V14.2.1 All components are up to date, preferably using a ...
- V14.2.2 All unneeded features, documentation, sample appli ...
- V14.2.3 If application assets, such as javascript librarie ...
- V14.2.4 Third party components come from pre-defined, trus ...
- V14.2.5 A software bill of materials (sbom) is maintained ...
- V14.2.6 The attack surface is reduced by sandboxing or enc ...
03-unintended-security-disclosure
- V14.3.2 Web or application server and application framewor ...
- V14.3.3 The http headers or any part of the http response ...
- V14.4.1 Every http response contains a content-type header ...
- V14.4.2 All api responses contain a content-disposition: a ...
- V14.4.3 A content security policy (csp) response header is ...
- V14.4.4 All responses contain a x-content-type-options: no ...
- V14.4.5 A strict-transport-security header is included on ...
- V14.4.6 A suitable referrer-policy header is included to a ...
- V14.4.7 The content of a web application cannot be embedde ...
- V14.5.1 The application server only accepts the http metho ...
- V14.5.2 The supplied origin header is not used for authent ...
- V14.5.3 The cross-origin resource sharing (cors) access-co ...
- V14.5.4 Http headers added by a trusted proxy or sso devic ...