document/1.0/05-TASVS-CODE.md: 5 additions & 5 deletions
@@ -42,10 +42,10 @@ To ensure that the application's source code is developed and maintained in a ma
| TASVS-CODE-5.2 | Check for design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm. AKA "deceptive patterns". See https://www.deceptive.design/types for examples. | X | X | X |
| TASVS-CODE-5.3 | Is the thick client only using workflows that do not violate common security advice? | X | X | X |
| TASVS-CODE-5.4 | Verify that the attack surface is reduced by sandboxing or encapsulating third party libraries to expose only the required behaviour into the application. | X | X | X |
-
| TASVS-CODE-5.5 | Check that import files cannot be abused. | X | X | X |
+
| TASVS-CODE-5.5 | Check that any imported files cannot be utilized to attack the thick client. | X | X | X |
| TASVS-CODE-5.6 | If the thick client registers a URL handler / protocol handler, verify that it can't trigger dangerous action or introduces common vulnerabilities (memory corruption, command and argument injection, etc.). | X | X | X |
| TASVS-CODE-6 | Client Side - Fuzzing. ||||
-
| TASVS-CODE-6.1 | Perform "dumb fuzzing" of the application with randomised input to try to cause a crash. |X| X | X |
+
| TASVS-CODE-6.1 | Perform "dumb fuzzing" of the application with randomised input to try to cause a crash. || X | X |
| TASVS-CODE-6.2 | Perform "smart fuzzing". Intelligently generate test cases that maximize code coverage and explore complex program states to increasing the likelihood of finding vulnerabilities over "dumb fuzzing". ||| X |
| TASVS-CODE-7 | Client Side - Secure Coding
Practices. | | | |
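Review bot: the edited TASVS-CODE-6.1 row drops the Level 1 mark by writing the empty cell as `||` (`| ... cause a crash. || X | X |`), which is easy to confuse with the `||||` filler used on section-header rows such as `| TASVS-CODE-6 | Client Side - Fuzzing. ||||`; writing it as `|   | X | X |` keeps the three level columns visibly aligned with the rows above. While this table is being touched, the unchanged 6.2 row still reads "to increasing the likelihood", which should be "to increase the likelihood", and the TASVS-CODE-7 row appears split across two lines here ("Client Side - Secure Coding" / "Practices. | | | |"), so it is worth confirming it is a single line in the source or it will not render as a table row.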
@@ -93,7 +93,7 @@ Exceptions that are thrown and not properly handled can lead to security vulnera
### TASVS-CODE-3.3 - Perform binary static analysis. (verify that the binaries are compiled with the latest compiler, examine compilation settings and validates binary signing).
-
#### what is binary static analysis?
+
#### What is binary static analysis?
Binary static analysis is used to verify that the thick client binaries are compiled with the latest compiler and that the compilation settings are appropriate for security. This can help to identify security vulnerabilities in the thick client that may be introduced during the compilation process.
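Review bot: the capitalisation fix to the sub-heading is fine, but the parent heading in the same hunk, `### TASVS-CODE-3.3 - Perform binary static analysis. (verify that the binaries are compiled with the latest compiler, examine compilation settings and validates binary signing).`, has a verb-agreement slip: "validates" should be "validate" to match "verify" and "examine". The explanatory paragraph could also be tightened: what the compiler-settings check actually establishes is that build-time hardening options and signing are enabled, rather than that vulnerabilities were "introduced during the compilation process".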
@@ -549,9 +549,9 @@ public class Program
In this example, the `Sandbox` class is used to encapsulate the `ThirdPartyLibrary` and prevent it from accessing code outside of the sandbox.
-
### TASVS-CODE-5.5 - Check that import files cannot be abused.
+
### TASVS-CODE-5.5 - Check that any imported files cannot be utilized to attack the thick client.
-
To prevent attackers from exploiting vulnerabilities in import files to compromise the thick client, it is important to ensure that import files cannot be abused. This can be done by validating and sanitizing import files before using them. For example, if the thick client imports data from a CSV file, the file should be validated and sanitized.
+
To prevent attackers from exploiting vulnerabilities in imported files to compromise the thick client, validation and sanitizing of any files should occur before using them. For example, if the thick client imports data from a CSV file, the file should be validated and sanitized.
### TASVS-CODE-5.6 - If the thick client registers a URL handler / protocol handler, verify that it can't trigger dangerous action or introduces common vulnerabilities (memory corruption, command and argument injection, etc.).
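Review bot: the reworded TASVS-CODE-5.5 paragraph reads awkwardly ("validation and sanitizing of any files should occur before using them" mixes noun and gerund forms); suggest "validate and sanitize any imported file before using it". The CSV example still just restates the requirement; the guidance would be more actionable if it said what validation means for a given import format (expected schema and field count, size limits, rejecting content the importer does not expect). The new heading does match the table-row text from the first hunk exactly, which is good; keep the two in sync if the wording changes again.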
document/1.0/07-TASVS-CRYPTO.md: 2 additions & 2 deletions
@@ -12,12 +12,12 @@ Ensure that all cryptographic operations, including communication, storage, and
| TASVS-CRYPTO-1.1 | The TLS settings are in line with current best practices. | X | X | X |
| TASVS-CRYPTO-2 | Storage ||||
| TASVS-CRYPTO-2.1 | The thick client doesn't re-use the same cryptographic key for multiple purposes. | X | X | X |
-
| TASVS-CRYPTO-2.2 | All random values are generated using a sufficiently secure random number generator. |X| X | X |
+
| TASVS-CRYPTO-2.2 | All random values are generated using a sufficiently secure random number generator. || X | X |
| TASVS-CRYPTO-2.3 | The thick client does not use cryptographic protocols or algorithms that are widely considered deprecated for security purposes. | X | X | X |
| TASVS-CRYPTO-2.4 | The thick client does not rely on symmetric cryptography with hardcoded keys as a sole method of encryption. | X | X | X |
| TASVS-CRYPTO-3 | General ||||
| TASVS-CRYPTO-3.1 | Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable Padding Oracle attacks. | X | X | X |
-
| TASVS-CRYPTO-3.2 | Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. |X| X | X |
+
| TASVS-CRYPTO-3.2 | Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography. || X | X |
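Review bot: this hunk removes the Level 1 mark from TASVS-CRYPTO-2.2 (sufficiently secure random number generator) and TASVS-CRYPTO-3.2 (proven algorithms, modes and libraries instead of custom cryptography) while the neighbouring rows 2.1, 2.3, 2.4 and 3.1 keep all three levels; nothing on this page explains why a baseline assessment should skip RNG quality and home-grown crypto, both of which are cheap to check and are preconditions for the other storage and protocol requirements holding at all. If the intent is to narrow Level 1 scope, the rationale belongs in the commit message or the document's level description. As in the CODE file, the empty cell is written `||`, which is easy to misread next to the `||||` section rows; `|   | X | X |` is clearer.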