Стандарт OWASP Application Security Verification Standard (ASVS) - это список требований к безопасности приложений и тестов, которые могут использоваться архитекторами ПО, разработчиками, тестировщиками, специалистами по защищённости приложений, продавцами инструментов и пользователями для разработки, сборки, тестирования и верификации защищённых приложений.
C/C++ диагностики
| V5001 | It is highly probable that the semicolon ';' is missing after 'return' keyword. | OWASP-11.1.1 |
| V5002 | An empty exception handler. Silent suppression of exceptions can hide the presence of bugs in source code during testing. | OWASP-7.4.2 |
| V5003 | The object was created but it is not being used. The 'throw' keyword could be missing. | OWASP-11.1.8 |
| V5004 | Consider inspecting the expression. Bit shifting of the 32-bit value with a subsequent expansion to the 64-bit type. | OWASP-5.4.3 |
| V5005 | A value is being subtracted from the unsigned variable. This can result in an overflow. In such a case, the comparison operation can potentially behave unexpectedly. | OWASP-5.4.3 |
| V5006 | More than N bits are required to store the value, but the expression evaluates to the T type which can only hold K bits. | OWASP-5.4.3 |
| V5007 | Consider inspecting the loop expression. It is possible that the 'i' variable should be incremented instead of the 'n' variable. | OWASP-5.4.3 |
| V5008 | Classes should always be derived from std::exception (and alike) as 'public'. | OWASP-7.4.2 |
| V5009 | Unchecked tainted data is used in expression. | OWASP-5.1.3, OWASP-5.2.2, OWASP-5.3.8, OWASP-5.4.2 |
| V5010 | The variable is incremented in the loop. Undefined behavior will occur in case of signed integer overflow. | OWASP-5.4.3 |
| V5011 | Possible overflow. Consider casting operands, not the result. | OWASP-5.4.3 |
| V5012 | Potentially unsafe double-checked locking. | OWASP-11.1.6, OWASP-1.11.3 |
Java диагностики
| V5301 | An exception handling block does not contain any code. | OWASP-7.4.2 |
| V5302 | Exception classes should be publicly accessible. | OWASP-7.4.2 |
| V5303 | The object was created but it is not being used. The 'throw' keyword could be missing. | OWASP-11.1.8 |
| V5304 | Unsafe double-checked locking. | OWASP-1.11.3 |
C# диагностики
| V5601 | Storing credentials inside source code can lead to security issues. | OWASP-2.10.4 |
| V5602 | The object was created but it is not being used. The 'throw' keyword could be missing. | OWASP-11.1.8 |
| V5603 | The original exception object was swallowed. Stack of original exception could be lost. | OWASP-11.1.8 |
| V5604 | Potentially unsafe double-checked locking. Use volatile variable(s) or synchronization primitives to avoid this. | OWASP-11.1.6, OWASP-1.11.3 |
| V5605 | Unsafe invocation of event, NullReferenceException is possible. Consider assigning event to a local variable before invoking it. | OWASP-1.11.3, OWASP-11.1.6 |
| V5606 | An exception handling block does not contain any code. | OWASP-7.4.2 |
| V5607 | Exception classes should be publicly accessible. | OWASP-7.4.2 |
Написать нам