owasp-asvs-4.0.3.yaml

urn: urn:intuitem:risk:library:owasp-asvs-4.0.3
locale: en
ref_id: OWASP-ASVS-4.0.3
name: OWASP ASVS 4.0.3
description: OWASP Application Security Verification Standard. https://owasp.org/www-project-application-security-verification-standard/
copyright: CC BY-SA 3.0 - The OWASP Foundation
publication_date: 2024-04-07
version: 3
provider: OWASP
packager: intuitem
translations:
  fr:
    name: OWASP ASVS 4.0.3
    description: OWASP Application Security Verification Standard. https://owasp.org/www-project-application-security-verification-standard/
    copyright: CC BY-SA 3.0 - The OWASP Foundation
    provider: OWASP
objects:
  framework:
    urn: urn:intuitem:risk:framework:owasp-asvs-4.0.3
    ref_id: OWASP-ASVS-4.0.3
    name: OWASP ASVS 4.0.3
    description: 'OWASP Application Security Verification Standard '
    translations:
      fr:
        name: OWASP ASVS 4.0.3
        description: 'OWASP Application Security Verification Standard '
    implementation_groups_definition:
    - ref_id: L1
      name: Level 1
      description: First steps, automated, or whole of portfolio view
    - ref_id: L2
      name: Level 2
      description: Most applications
    - ref_id: L3
      name: Level 3
      description: High value, high assurance, or high safety
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      assessable: false
      depth: 1
      ref_id: V1
      name: Architecture, Design and Threat Modeling
      translations:
        fr:
          name: "Architecture, conception et exigences en mati\xE8re de mod\xE9lisation\
            \ des menaces"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.1
      name: Secure Software Development Lifecycle
      translations:
        fr:
          name: "Exigences relatives au cycle de vie du d\xE9veloppement de logiciels\
            \ s\xE9curis\xE9s"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      ref_id: V1.1.1
      description: Verify the use of a secure software development lifecycle that
        addresses security in all stages of development. ([C1](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier l'utilisation d'un cycle de d\xE9veloppement de\
            \ logiciel s\xE9curis\xE9 qui prend en compte la s\xE9curit\xE9 \xE0 tous\
            \ les stades du d\xE9veloppement. ([C1](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      ref_id: V1.1.2
      description: Verify the use of threat modeling for every design change or sprint
        planning to identify threats, plan for countermeasures, facilitate appropriate
        risk responses, and guide security testing.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier l'utilisation de la mod\xE9lisation des menaces\
            \ pour chaque modification de conception ou planification de sprint afin\
            \ d'identifier les menaces, de planifier les contre-mesures, de faciliter\
            \ les r\xE9ponses appropri\xE9es aux risques et d'orienter les tests de\
            \ s\xE9curit\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      ref_id: V1.1.3
      description: Verify that all user stories and features contain functional security
        constraints, such as "As a user, I should be able to view and edit my profile.
        I should not be able to view or edit anyone else's profile"
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les r\xE9cits utilisateurs et les fonctionnalit\xE9\
            s contiennent des contraintes de s\xE9curit\xE9 fonctionnelles, telles\
            \ que \"En tant qu'utilisateur, je devrais pouvoir consulter et modifier\
            \ mon profil. Je ne devrais pas pouvoir voir ou modifier le profil de\
            \ quelqu'un d'autre\""
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      ref_id: V1.1.4
      description: Verify documentation and justification of all the application's
        trust boundaries, components, and significant data flows.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier la documentation et la justification de toutes\
            \ les fronti\xE8res de confiance de la demande, de ses composantes et\
            \ des flux de donn\xE9es importants."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      ref_id: V1.1.5
      description: Verify definition and security analysis of the application's high-level
        architecture and all connected remote services. ([C1](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier la d\xE9finition et l'analyse de s\xE9curit\xE9\
            \ de l'architecture de haut niveau de l'application et de tous les services\
            \ \xE0 distance connect\xE9s. ([C1](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      ref_id: V1.1.6
      description: Verify implementation of centralized, simple (economy of design),
        vetted, secure, and reusable security controls to avoid duplicate, missing,
        ineffective, or insecure controls. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier la mise en \u0153uvre de contr\xF4les de s\xE9\
            curit\xE9 centralis\xE9s, simples (\xE9conomie de conception), v\xE9rifi\xE9\
            s, s\xE9curis\xE9s et r\xE9utilisables pour \xE9viter les contr\xF4les\
            \ en double, manquants, inefficaces ou peu s\xFBrs. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.1
      ref_id: V1.1.7
      description: Verify availability of a secure coding checklist, security requirements,
        guideline, or policy to all developers and testers.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que tous les d\xE9veloppeurs et testeurs disposent\
            \ d'une liste de contr\xF4le de codage s\xE9curis\xE9, d'exigences de\
            \ s\xE9curit\xE9, de lignes directrices ou de politiques."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.2
      name: Authentication Architecture
      translations:
        fr:
          name: Exigences architecturales d'authentification
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2
      ref_id: V1.2.1
      description: Verify the use of unique or special low-privilege operating system
        accounts for all application components, services, and servers. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les communications entre les composants de\
            \ l'application, y compris les API, les intergiciels et les couches de\
            \ donn\xE9es, sont authentifi\xE9es et utilisent des comptes utilisateurs\
            \ individuels. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2
      ref_id: V1.2.2
      description: Verify that communications between application components, including
        APIs, middleware and data layers, are authenticated. Components should have
        the least necessary privileges needed. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les communications entre les composants de\
            \ l'application, y compris les API, le middleware et les couches de donn\xE9\
            es, sont authentifi\xE9es. Les composants doivent avoir les privil\xE8\
            ges les moins n\xE9cessaires possibles. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2
      ref_id: V1.2.3
      description: Verify that the application uses a single vetted authentication
        mechanism that is known to be secure, can be extended to include strong authentication,
        and has sufficient logging and monitoring to detect account abuse or breaches.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que toutes les m\xE9thodes d'authentification\
            \ et les API de gestion de l'identit\xE9 mettent en \u0153uvre un contr\xF4\
            le de s\xE9curit\xE9 de l'authentification coh\xE9rent, de sorte qu'il\
            \ n'y ait pas d'alternatives plus faibles par rapport au risque de l'application."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.2
      ref_id: V1.2.4
      description: Verify that all authentication pathways and identity management
        APIs implement consistent authentication security control strength, such that
        there are no weaker alternatives per the risk of the application.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les voies d'authentification et les\
            \ API de gestion des identit\xE9s impl\xE9mentent une force de contr\xF4\
            le de s\xE9curit\xE9 d'authentification coh\xE9rente, de sorte qu'il n'y\
            \ ait pas d'alternative plus faible en fonction du risque de l'application."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.4
      name: Access Control Architecture
      translations:
        fr:
          name: "Exigences architecturales en mati\xE8re de contr\xF4le d'acc\xE8s"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.4
      ref_id: V1.4.1
      description: Verify that trusted enforcement points, such as access control
        gateways, servers, and serverless functions, enforce access controls. Never
        enforce access controls on the client.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que des points d'application de confiance tels\
            \ que les passerelles de contr\xF4le d'acc\xE8s, les serveurs et les fonctions\
            \ sans serveur font respecter les contr\xF4les d'acc\xE8s. N'imposez jamais\
            \ de contr\xF4les d'acc\xE8s au client."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.4.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.4
      ref_id: V1.4.4
      description: Verify the application uses a single and well-vetted access control
        mechanism for accessing protected data and resources. All requests must pass
        through this single mechanism to avoid copy and paste or insecure alternative
        paths. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application utilise un m\xE9canisme de contr\xF4\
            le d'acc\xE8s unique et bien contr\xF4l\xE9 pour acc\xE9der aux donn\xE9\
            es et ressources prot\xE9g\xE9es. Toutes les requ\xEAtes doivent passer\
            \ par ce m\xE9canisme unique pour \xE9viter les copier-coller ou les chemins\
            \ alternatifs non s\xE9curis\xE9s. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.4.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.4
      ref_id: V1.4.5
      description: Verify that attribute or feature-based access control is used whereby
        the code checks the user's authorization for a feature/data item rather than
        just their role. Permissions should still be allocated using roles. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le contr\xF4le d'acc\xE8s bas\xE9 sur les\
            \ attributs ou les caract\xE9ristiques est utilis\xE9, c'est-\xE0-dire\
            \ que le code v\xE9rifie l'autorisation de l'utilisateur pour une caract\xE9\
            ristique ou une donn\xE9e plut\xF4t que son seul r\xF4le. Les autorisations\
            \ doivent tout de m\xEAme \xEAtre attribu\xE9es \xE0 l'aide de r\xF4les.\
            \ ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.5
      name: Input and Output Architecture
      translations:
        fr:
          name: "Exigences architecturales d'entr\xE9e et de sortie"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5
      ref_id: V1.5.1
      description: Verify that input and output requirements clearly define how to
        handle and process data based on type, content, and applicable laws, regulations,
        and other policy compliance.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les exigences en mati\xE8re d'entr\xE9e et\
            \ de sortie d\xE9finissent clairement la mani\xE8re de traiter et d'exploiter\
            \ les donn\xE9es en fonction du type, du contenu et de la conformit\xE9\
            \ aux lois, r\xE8glements et autres politiques applicables. "
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5
      ref_id: V1.5.2
      description: Verify that serialization is not used when communicating with untrusted
        clients. If this is not possible, ensure that adequate integrity controls
        (and possibly encryption if sensitive data is sent) are enforced to prevent
        deserialization attacks including object injection.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la s\xE9rialisation n'est pas utilis\xE9e\
            \ lorsque vous communiquez avec des clients non fiables. Si cela n'est\
            \ pas possible, assurez-vous que des contr\xF4les d'int\xE9grit\xE9 ad\xE9\
            quats (et \xE9ventuellement un chiffrement si des donn\xE9es sensibles\
            \ sont envoy\xE9es) sont appliqu\xE9s pour emp\xEAcher les attaques de\
            \ d\xE9s\xE9rialisation, y compris l'injection d'objets."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5
      ref_id: V1.5.3
      description: Verify that input validation is enforced on a trusted service layer.
        ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la validation des entr\xE9es est appliqu\xE9\
            e sur une couche de service de confiance. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.5
      ref_id: V1.5.4
      description: Verify that output encoding occurs close to or by the interpreter
        for which it is intended. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'encodage de sortie se fait \xE0 proximit\xE9\
            \ ou par l'interpr\xE8te auquel il est destin\xE9. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.6
      name: Cryptographic Architecture
      translations:
        fr:
          name: "Exigences en mati\xE8re d'architecture cryptographique"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6
      ref_id: V1.6.1
      description: Verify that there is an explicit policy for management of cryptographic
        keys and that a cryptographic key lifecycle follows a key management standard
        such as NIST SP 800-57.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier qu'il existe une politique explicite de gestion\
            \ des cl\xE9s cryptographiques et que le cycle de vie d'une cl\xE9 cryptographique\
            \ suit une norme de gestion des cl\xE9s telle que NIST SP 800-57."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6
      ref_id: V1.6.2
      description: Verify that consumers of cryptographic services protect key material
        and other secrets by using key vaults or API based alternatives.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les consommateurs de services cryptographiques\
            \ prot\xE8gent les cl\xE9s et autres secrets en utilisant des coffres-forts\
            \ de cl\xE9s ou des alternatives bas\xE9es sur l'API."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6
      ref_id: V1.6.3
      description: Verify that all keys and passwords are replaceable and are part
        of a well-defined process to re-encrypt sensitive data.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les cl\xE9s et tous les mots de passe\
            \ sont rempla\xE7ables et font partie d'un processus bien d\xE9fini de\
            \ rechiffrement des donn\xE9es sensibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.6
      ref_id: V1.6.4
      description: Verify that the architecture treats client-side secrets--such as
        symmetric keys, passwords, or API tokens--as insecure and never uses them
        to protect or access sensitive data.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'architecture traite les secrets c\xF4t\xE9\
            \ client, tels que les cl\xE9s sym\xE9triques, les mots de passe ou les\
            \ jetons d'API, comme non s\xE9curis\xE9s et ne les utilise jamais pour\
            \ prot\xE9ger ou acc\xE9der \xE0 des donn\xE9es sensibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.7
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.7
      name: Errors, Logging and Auditing Architecture
      translations:
        fr:
          name: "Erreurs, enregistrement et v\xE9rification des exigences architecturales"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.7.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.7
      ref_id: V1.7.1
      description: Verify that a common logging format and approach is used across
        the system. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier qu'un format de journalisation communs soit utilis\xE9\
            s dans le syst\xE8me.  ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.7.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.7
      ref_id: V1.7.2
      description: Verify that logs are securely transmitted to a preferably remote
        system for analysis, detection, alerting, and escalation. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les journaux sont transmis de mani\xE8re s\xE9\
            curis\xE9e \xE0 un syst\xE8me de pr\xE9f\xE9rence distant pour analyse,\
            \ d\xE9tection, alerte et escalade. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.8
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.8
      name: Data Protection and Privacy Architecture
      translations:
        fr:
          name: "Exigences architecturales en mati\xE8re de protection des donn\xE9\
            es et de la vie priv\xE9e"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.8.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.8
      ref_id: V1.8.1
      description: Verify that all sensitive data is identified and classified into
        protection levels.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que toutes les donn\xE9es sensibles sont identifi\xE9\
            es et class\xE9es en niveaux de protection."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.8.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.8
      ref_id: V1.8.2
      description: Verify that all protection levels have an associated set of protection
        requirements, such as encryption requirements, integrity requirements, retention,
        privacy and other confidentiality requirements, and that these are applied
        in the architecture.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que tous les niveaux de protection sont associ\xE9\
            s \xE0 un ensemble d'exigences de protection, telles que des exigences\
            \ de chiffrement, d'int\xE9grit\xE9, de conservation, de respect de la\
            \ vie priv\xE9e et d'autres exigences de confidentialit\xE9, et que celles-ci\
            \ sont appliqu\xE9es dans l'architecture."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.9
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.9
      name: Communications Architecture
      translations:
        fr:
          name: "Exigences en mati\xE8re d'architecture des communications"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.9.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.9
      ref_id: V1.9.1
      description: Verify the application encrypts communications between components,
        particularly when these components are in different containers, systems, sites,
        or cloud providers. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application chiffre les communications entre\
            \ les composants, en particulier lorsque ces composants se trouvent dans\
            \ des conteneurs, syst\xE8mes, sites ou fournisseurs de cloud diff\xE9\
            rents. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.9.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.9
      ref_id: V1.9.2
      description: Verify that application components verify the authenticity of each
        side in a communication link to prevent person-in-the-middle attacks. For
        example, application components should validate TLS certificates and chains.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les composants de l'application v\xE9rifient\
            \ l'authenticit\xE9 de chaque partie d'un lien de communication afin de\
            \ pr\xE9venir les attaques de type \"man-in-the-middle\". Par exemple,\
            \ les composants d'application doivent valider les certificats et les\
            \ cha\xEEnes TLS."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.10
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.10
      name: Malicious Software Architecture
      translations:
        fr:
          name: "Exigences en mati\xE8re d'architecture des logiciels malveillants"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.10.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.10
      ref_id: V1.10.1
      description: Verify that a source code control system is in use, with procedures
        to ensure that check-ins are accompanied by issues or change tickets. The
        source code control system should have access control and identifiable users
        to allow traceability of any changes.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier qu'un syst\xE8me de contr\xF4le du code source\
            \ est utilis\xE9, avec des proc\xE9dures pour s'assurer que les enregistrements\
            \ sont accompagn\xE9s de tickets d'\xE9mission ou de modification. Le\
            \ syst\xE8me de contr\xF4le du code source doit disposer d'un contr\xF4\
            le d'acc\xE8s et d'utilisateurs identifiables pour permettre la tra\xE7\
            abilit\xE9 de toute modification."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.11
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.11
      name: Business Logic Architecture
      translations:
        fr:
          name: "Exigences en mati\xE8re d'architecture de la logique d'entreprise"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.11.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.11
      ref_id: V1.11.1
      description: Verify the definition and documentation of all application components
        in terms of the business or security functions they provide.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier la d\xE9finition et la documentation de tous les\
            \ composants de l'application en ce qui concerne la logique m\xE9tier\
            \ ou de s\xE9curit\xE9 qu'ils fournissent."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.11.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.11
      ref_id: V1.11.2
      description: Verify that all high-value business logic flows, including authentication,
        session management and access control, do not share unsynchronized state.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que tous les flux de logique m\xE9tier de grande\
            \ valeur, y compris l'authentification, la gestion de session et le contr\xF4\
            le d'acc\xE8s, ne partagent pas un \xE9tat non synchronis\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.11.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.11
      ref_id: V1.11.3
      description: Verify that all high-value business logic flows, including authentication,
        session management and access control are thread safe and resistant to time-of-check
        and time-of-use race conditions.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que tous les flux de logique m\xE9tier de grande\
            \ valeur, y compris l'authentification, la gestion de session et le contr\xF4\
            le d'acc\xE8s, sont s\xE9curis\xE9s et r\xE9sistants aux conditions de\
            \ concurrence (\"race condition\") au temps de contr\xF4le et au temps\
            \ d'utilisation."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.12
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.12
      name: Secure File Upload Architecture
      translations:
        fr:
          name: "T\xE9l\xE9chargement de fichiers s\xE9curis\xE9s Exigences architecturales"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.12.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.12
      ref_id: V1.12.2
      description: Verify that user-uploaded files - if required to be displayed or
        downloaded from the application - are served by either octet stream downloads,
        or from an unrelated domain, such as a cloud file storage bucket. Implement
        a suitable Content Security Policy (CSP) to reduce the risk from XSS vectors
        or other attacks from the uploaded file.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les fichiers envoy\xE9s par l'utilisateur\
            \ - s'ils doivent \xEAtre affich\xE9s ou t\xE9l\xE9charg\xE9s \xE0 partir\
            \ de l'application - sont servis par des t\xE9l\xE9chargements en flux\
            \ d'octets, ou \xE0 partir d'un domaine sans rapport, comme un compartiment\
            \ de stockage de fichiers en nuage. Mettre en \u0153uvre une politique\
            \ de s\xE9curit\xE9 du contenu (CSP) appropri\xE9e pour r\xE9duire le\
            \ risque de vecteurs XSS ou d'autres attaques provenant du fichier t\xE9\
            l\xE9charg\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1
      ref_id: V1.14
      name: Configuration Architecture
      translations:
        fr:
          name: Configuration des exigences architecturales
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14
      ref_id: V1.14.1
      description: Verify the segregation of components of differing trust levels
        through well-defined security controls, firewall rules, API gateways, reverse
        proxies, cloud-based security groups, or similar mechanisms.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez la s\xE9paration des composants de diff\xE9rents\
            \ niveaux de confiance via des contr\xF4les de s\xE9curit\xE9 bien d\xE9\
            finis, des r\xE8gles de pare-feu, des passerelles API, des proxys inverses,\
            \ des groupes de s\xE9curit\xE9 bas\xE9s sur le cloud ou des m\xE9canismes\
            \ similaires."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14
      ref_id: V1.14.2
      description: Verify that binary signatures, trusted connections, and verified
        endpoints are used to deploy binaries to remote devices.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les signatures binaires, les connexions de\
            \ confiance et les n\u0153uds v\xE9rifi\xE9s sont utilis\xE9s pour d\xE9\
            ployer des binaires sur des dispositifs distants."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14
      ref_id: V1.14.3
      description: Verify that the build pipeline warns of out-of-date or insecure
        components and takes appropriate actions.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que le pipeline de construction signale les composants\
            \ obsol\xE8tes ou peu s\xFBrs et prend les mesures appropri\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14
      ref_id: V1.14.4
      description: Verify that the build pipeline contains a build step to automatically
        build and verify the secure deployment of the application, particularly if
        the application infrastructure is software defined, such as cloud environment
        build scripts.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le pipeline de construction contient une \xE9\
            tape de g\xE9n\xE9ration pour g\xE9n\xE9rer automatiquement et v\xE9rifier\
            \ le d\xE9ploiement s\xE9curis\xE9 de l'application, en particulier si\
            \ l'infrastructure de l'application est d\xE9finie par logiciel, comme\
            \ les scripts de g\xE9n\xE9ration d'environnement cloud."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14
      ref_id: V1.14.5
      description: Verify that application deployments adequately sandbox, containerize
        and/or isolate at the network level to delay and deter attackers from attacking
        other applications, especially when they are performing sensitive or dangerous
        actions such as deserialization. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les d\xE9ploiements d'applications sont correctement\
            \ mis en bac \xE0 sable, conteneuris\xE9s et/ou isol\xE9s au niveau du\
            \ r\xE9seau pour retarder et dissuader les attaquants d'attaquer d'autres\
            \ applications, en particulier lorsqu'ils effectuent des actions sensibles\
            \ ou dangereuses telles que la d\xE9s\xE9rialisation. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v1.14
      ref_id: V1.14.6
      description: Verify the application does not use unsupported, insecure, or deprecated
        client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX,
        Silverlight, NACL, or client-side Java applets.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application n'utilise pas de technologies\
            \ c\xF4t\xE9 client non prises en charge, non s\xE9curis\xE9es ou obsol\xE8\
            tes telles que les plug-ins NSAPI, Flash, Shockwave, ActiveX, Silverlight,\
            \ NACL ou des applets Java c\xF4t\xE9 client."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      assessable: false
      depth: 1
      ref_id: V2
      name: Authentication
      translations:
        fr:
          name: Authentification
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.1
      name: Password Security
      translations:
        fr:
          name: "Exigences en mati\xE8re de s\xE9curit\xE9 des mots de passe"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.1
      description: Verify that user set passwords are at least 12 characters in length
        (after multiple spaces are combined). ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les mots de passe d\xE9finis par l'utilisateur\
            \ comportent au moins 12 caract\xE8res (apr\xE8s avoir combin\xE9 plusieurs\
            \ espaces). ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.2
      description: Verify that passwords of at least 64 characters are permitted,
        and that passwords of more than 128 characters are denied. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les mots de passe de 64 caract\xE8res ou plus\
            \ sont autoris\xE9s, mais pas au del\xE0 de 128 caract\xE8res. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.3
      description: Verify that password truncation is not performed. However, consecutive
        multiple spaces may be replaced by a single space. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le mot de passe n'est pas tronqu\xE9. Toutefois,\
            \ des espaces multiples cons\xE9cutifs peuvent \xEAtre remplac\xE9s par\
            \ un seul espace. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.4
      description: Verify that any printable Unicode character, including language
        neutral characters such as spaces and Emojis are permitted in passwords.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que tout caract\xE8re Unicode imprimable, y compris\
            \ les caract\xE8res neutres comme les espaces et les Emojis, sont autoris\xE9\
            s dans les mots de passe."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.5
      description: Verify users can change their password.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les utilisateurs peuvent changer leur mot\
            \ de passe."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.6
      description: Verify that password change functionality requires the user's current
        and new password.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la fonctionnalit\xE9 de changement de mot\
            \ de passe n\xE9cessite le mot de passe actuel et le nouveau mot de passe\
            \ de l'utilisateur."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.7
      description: Verify that passwords submitted during account registration, login,
        and password change are checked against a set of breached passwords either
        locally (such as the top 1,000 or 10,000 most common passwords which match
        the system's password policy) or using an external API. If using an API a
        zero knowledge proof or other mechanism should be used to ensure that the
        plain text password is not sent or used in verifying the breach status of
        the password. If the password is breached, the application must require the
        user to set a new non-breached password. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les mots de passe soumis lors de l'enregistrement\
            \ du compte, de la connexion et du changement de mot de passe sont compar\xE9\
            s \xE0 un ensemble de mots de passe viol\xE9s, soit localement (comme\
            \ les 1 000 ou 10 000 mots de passe les plus courants qui correspondent\
            \ \xE0 la politique de mot de passe du syst\xE8me), soit en utilisant\
            \ une API externe. En cas d'utilisation d'une API, une preuve de connaissance\
            \ nulle ou un autre m\xE9canisme doit \xEAtre utilis\xE9 pour garantir\
            \ que le mot de passe en texte clair n'est pas envoy\xE9 ou utilis\xE9\
            \ pour v\xE9rifier l'\xE9tat de violation du mot de passe. Si le mot de\
            \ passe est viol\xE9, l'application doit demander \xE0 l'utilisateur de\
            \ d\xE9finir un nouveau mot de passe non viol\xE9. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.8
      description: Verify that a password strength meter is provided to help users
        set a stronger password.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'un compteur de force de mot de passe est fourni\
            \ pour aider les utilisateurs \xE0 d\xE9finir un mot de passe plus fort."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.9
      description: Verify that there are no password composition rules limiting the
        type of characters permitted. There should be no requirement for upper or
        lower case or numbers or special characters. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'il n'existe pas de r\xE8gles de composition\
            \ des mots de passe limitant le type de caract\xE8res autoris\xE9s. Il\
            \ ne doit pas y avoir restrictions sur l'utilisation de majuscules ou\
            \ de minuscules, de chiffres ou de caract\xE8res sp\xE9ciaux. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.10
      description: Verify that there are no periodic credential rotation or password
        history requirements.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'il n'y a pas d'exigences en mati\xE8re de rotation\
            \ p\xE9riodique du mots de passe ou d'historique des mots de passe."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.11
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.11
      description: Verify that "paste" functionality, browser password helpers, and
        external password managers are permitted.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la fonction \"coller\", les aides de mot de\
            \ passe du navigateur et les gestionnaires de mots de passe externes sont\
            \ autoris\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1.12
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.1
      ref_id: V2.1.12
      description: Verify that the user can choose to either temporarily view the
        entire masked password, or temporarily view the last typed character of the
        password on platforms that do not have this as built-in functionality.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'utilisateur peut choisir soit de visualiser\
            \ temporairement la totalit\xE9 du mot de passe masqu\xE9, soit de visualiser\
            \ temporairement le dernier caract\xE8re tap\xE9 du mot de passe sur les\
            \ plateformes qui n'ont pas cette fonctionnalit\xE9 en natif."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.2
      name: General Authenticator Security
      translations:
        fr:
          name: "Exigences g\xE9n\xE9rales relatives aux authentificateurs"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      ref_id: V2.2.1
      description: Verify that anti-automation controls are effective at mitigating
        breached credential testing, brute force, and account lockout attacks. Such
        controls include blocking the most common breached passwords, soft lockouts,
        rate limiting, CAPTCHA, ever increasing delays between attempts, IP address
        restrictions, or risk-based restrictions such as location, first login on
        a device, recent attempts to unlock the account, or similar. Verify that no
        more than 100 failed attempts per hour is possible on a single account.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les contr\xF4les anti-automatisation sont\
            \ efficaces pour att\xE9nuer les attaques par violation des tests d'accr\xE9\
            ditation, par \xE9num\xE9ration exhaustive (brute-force) et par verrouillage\
            \ de compte. Ces contr\xF4les comprennent le blocage des mots de passe\
            \ les plus courants, les verrouillages progressifs, la limitation de d\xE9\
            bit, les CAPTCHA, les d\xE9lais toujours plus longs entre les tentatives,\
            \ les restrictions d'adresse IP ou les restrictions bas\xE9es sur le risque\
            \ telles que l'emplacement, la premi\xE8re connexion sur un appareil,\
            \ les tentatives r\xE9centes de d\xE9verrouillage du compte, ou autres.\
            \ V\xE9rifiez qu'il n'y a pas plus de 100 tentatives infructueuses par\
            \ heure sur un seul compte."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      ref_id: V2.2.2
      description: Verify that the use of weak authenticators (such as SMS and email)
        is limited to secondary verification and transaction approval and not as a
        replacement for more secure authentication methods. Verify that stronger methods
        are offered before weak methods, users are aware of the risks, or that proper
        measures are in place to limit the risks of account compromise.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'utilisation d'authentificateurs faibles\
            \ (tels que les SMS et les e-mails) se limite \xE0 la v\xE9rification\
            \ secondaire et \xE0 l'approbation des transactions et ne remplace pas\
            \ les m\xE9thodes d'authentification plus s\xFBres. V\xE9rifiez que les\
            \ m\xE9thodes plus fortes sont propos\xE9es avant les m\xE9thodes faibles,\
            \ que les utilisateurs sont conscients des risques, ou que des mesures\
            \ appropri\xE9es sont en place pour limiter les risques de compromission\
            \ du compte."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      ref_id: V2.2.3
      description: Verify that secure notifications are sent to users after updates
        to authentication details, such as credential resets, email or address changes,
        logging in from unknown or risky locations. The use of push notifications
        - rather than SMS or email - is preferred, but in the absence of push notifications,
        SMS or email is acceptable as long as no sensitive information is disclosed
        in the notification.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que des notifications s\xE9curis\xE9es sont envoy\xE9\
            es aux utilisateurs apr\xE8s la mise \xE0 jour des d\xE9tails d'authentification,\
            \ tels que la r\xE9initialisation de l'identifiant, le changement d'adresse\
            \ \xE9lectronique ou d'adresse, la connexion \xE0 partir d'un lieu inconnu\
            \ ou risqu\xE9. L'utilisation de notifications \"push\" - plut\xF4t que\
            \ de SMS ou d'e-mail - est pr\xE9f\xE9rable, mais en l'absence de notifications\
            \ \"push\", les SMS ou les e-mails sont acceptables tant qu'aucune information\
            \ sensible n'est divulgu\xE9e dans la notification."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      ref_id: V2.2.4
      description: Verify impersonation resistance against phishing, such as the use
        of multi-factor authentication, cryptographic devices with intent (such as
        connected keys with a push to authenticate), or at higher AAL levels, client-side
        certificates.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier la r\xE9sistance \xE0 l'usurpation d'identit\xE9\
            \ contre le phishing, comme l'utilisation de l'authentification multi-facteurs,\
            \ les dispositifs cryptographiques avec intention (comme les cl\xE9s connect\xE9\
            es avec un \"push to authenticate\"), ou \xE0 des niveaux AAL sup\xE9\
            rieurs, les certificats c\xF4t\xE9 client."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      ref_id: V2.2.5
      description: Verify that where a Credential Service Provider (CSP) and the application
        verifying authentication are separated, mutually authenticated TLS is in place
        between the two endpoints.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que lorsqu'un fournisseur de services d'accr\xE9\
            ditation (CSP) et l'application v\xE9rifiant l'authentification sont s\xE9\
            par\xE9s, un TLS mutuellement authentifi\xE9 est en place entre les deux\
            \ points terminaux."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      ref_id: V2.2.6
      description: Verify replay resistance through the mandated use of One-time Passwords
        (OTP) devices, cryptographic authenticators, or lookup codes.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier la r\xE9sistance au attaque de rejeu par l'utilisation\
            \ obligatoire de dispositifs OTP, d'authentificateurs cryptographiques\
            \ ou de codes de consultation."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.2
      ref_id: V2.2.7
      description: Verify intent to authenticate by requiring the entry of an OTP
        token or user-initiated action such as a button press on a FIDO hardware key.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier l'intention d'authentification en exigeant l'entr\xE9\
            e d'un jeton OTP ou une action initi\xE9e par l'utilisateur telle qu'une\
            \ pression sur un bouton d'une cl\xE9 mat\xE9rielle FIDO."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.3
      name: Authenticator Lifecycle
      translations:
        fr:
          name: Exigences relatives au cycle de vie des authentificateurs
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.3
      ref_id: V2.3.1
      description: Verify system generated initial passwords or activation codes SHOULD
        be securely randomly generated, SHOULD be at least 6 characters long, and
        MAY contain letters and numbers, and expire after a short period of time.
        These initial secrets must not be permitted to become the long term password.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les mots de passe ou codes d'activation initiaux\
            \ g\xE9n\xE9r\xE9s par le syst\xE8me DOIVENT \xEAtre g\xE9n\xE9r\xE9s\
            \ de mani\xE8re al\xE9atoire et s\xE9curis\xE9e, DOIVENT comporter au\
            \ moins 6 caract\xE8res, PEUVENT contenir des lettres et des chiffres,\
            \ et expirent apr\xE8s une courte p\xE9riode de temps. Ces secrets initiaux\
            \ ne doivent pas \xEAtre autoris\xE9s \xE0 devenir le mot de passe \xE0\
            \ long terme."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.3
      ref_id: V2.3.2
      description: Verify that enrollment and use of user-provided authentication
        devices are supported, such as a U2F or FIDO tokens.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'inscription et l'utilisation de dispositifs\
            \ d'authentification fournis par l'abonn\xE9 sont prises en charge, comme\
            \ les jetons U2F ou FIDO."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.3
      ref_id: V2.3.3
      description: Verify that renewal instructions are sent with sufficient time
        to renew time bound authenticators.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les instructions de renouvellement sont envoy\xE9\
            es suffisamment t\xF4t pour renouveler les authentificateurs \xE0 dur\xE9\
            e d\xE9termin\xE9e."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.4
      name: Credential Storage
      translations:
        fr:
          name: "Exigences en mati\xE8re de stockage des identifiants"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4
      ref_id: V2.4.1
      description: Verify that passwords are stored in a form that is resistant to
        offline attacks. Passwords SHALL be salted and hashed using an approved one-way
        key derivation or password hashing function. Key derivation and password hashing
        functions take a password, a salt, and a cost factor as inputs when generating
        a password hash. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les mots de passe sont stock\xE9s sous une\
            \ forme qui r\xE9siste aux attaques hors ligne. Les mots de passe DOIVENT\
            \ \xEAtre sal\xE9s et hach\xE9s \xE0 l'aide d'une fonction approuv\xE9\
            e de d\xE9rivation de cl\xE9 ou de hachage de mot de passe \xE0 sens unique.\
            \ Les fonctions de d\xE9rivation de cl\xE9 et de hachage de mot de passe\
            \ prennent un mot de passe, un sel et un facteur de co\xFBt en entr\xE9\
            e pour g\xE9n\xE9rer un hachage de mot de passe. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4
      ref_id: V2.4.2
      description: Verify that the salt is at least 32 bits in length and be chosen
        arbitrarily to minimize salt value collisions among stored hashes. For each
        credential, a unique salt value and the resulting hash SHALL be stored. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le sel a une longueur d'au moins 32 bits et\
            \ qu'il est choisi arbitrairement pour minimiser les collisions de la\
            \ valeur du sel parmi les hashs stock\xE9s. Pour chaque authentifiant,\
            \ une valeur de sel unique et le hachage qui en r\xE9sulte DOIVENT \xEA\
            tre stock\xE9s. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4
      ref_id: V2.4.3
      description: Verify that if PBKDF2 is used, the iteration count SHOULD be as
        large as verification server performance will allow, typically at least 100,000
        iterations. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que si le PBKDF2 est utilis\xE9, le nombre d'it\xE9\
            rations DOIT \xEAtre aussi important que les performances du serveur de\
            \ v\xE9rification le permettent, g\xE9n\xE9ralement au moins 100 000 it\xE9\
            rations. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4
      ref_id: V2.4.4
      description: Verify that if bcrypt is used, the work factor SHOULD be as large
        as verification server performance will allow, with a minimum of 10. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que si bcrypt est utilis\xE9, le facteur de travail\
            \ DOIT \xEAtre aussi important que les performances du serveur de v\xE9\
            rification le permettent, g\xE9n\xE9ralement au moins 10. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.4
      ref_id: V2.4.5
      description: Verify that an additional iteration of a key derivation function
        is performed, using a salt value that is secret and known only to the verifier.
        Generate the salt value using an approved random bit generator [SP 800-90Ar1]
        and provide at least the minimum security strength specified in the latest
        revision of SP 800-131A. The secret salt value SHALL be stored separately
        from the hashed passwords (e.g., in a specialized device like a hardware security
        module).
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier qu'une it\xE9ration suppl\xE9mentaire d'une fonction\
            \ de d\xE9rivation cl\xE9 est effectu\xE9e, en utilisant une valeur de\
            \ sel qui est secr\xE8te et connue uniquement du v\xE9rificateur. G\xE9\
            n\xE9rer la valeur de sel en utilisant un g\xE9n\xE9rateur de bits al\xE9\
            atoires approuv\xE9 [SP 800-90Ar1] et fournir au moins la s\xE9curit\xE9\
            \ minimale sp\xE9cifi\xE9e dans la derni\xE8re r\xE9vision de la norme\
            \ SP 800-131A. La valeur de sel secr\xE8te DOIT \xEAtre stock\xE9e s\xE9\
            par\xE9ment des mots de passe hach\xE9s (par exemple, dans un dispositif\
            \ sp\xE9cialis\xE9 comme un module de s\xE9curit\xE9 mat\xE9riel)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.5
      name: Credential Recovery
      translations:
        fr:
          name: "Exigences en mati\xE8re de r\xE9cup\xE9ration des identifiants"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      ref_id: V2.5.1
      description: Verify that a system generated initial activation or recovery secret
        is not sent in clear text to the user. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'un secret d'activation initiale ou de r\xE9\
            cup\xE9ration g\xE9n\xE9r\xE9 par le syst\xE8me n'est pas envoy\xE9 en\
            \ clair \xE0 l'utilisateur.  ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      ref_id: V2.5.2
      description: Verify password hints or knowledge-based authentication (so-called
        "secret questions") are not present.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les indices de mot de passe ou l'authentification\
            \ bas\xE9e sur la connaissance (dites \"questions secr\xE8tes\") ne sont\
            \ pas pr\xE9sents."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      ref_id: V2.5.3
      description: Verify password credential recovery does not reveal the current
        password in any way. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la r\xE9cup\xE9ration du mot de passe ne r\xE9\
            v\xE8le en aucune fa\xE7on le mot de passe actuel. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      ref_id: V2.5.4
      description: Verify shared or default accounts are not present (e.g. "root",
        "admin", or "sa").
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les comptes partag\xE9s ou par d\xE9faut ne\
            \ sont pas pr\xE9sents (par exemple \"root\", \"admin\" ou \"sa\")."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      ref_id: V2.5.5
      description: Verify that if an authentication factor is changed or replaced,
        that the user is notified of this event.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que si un facteur d'authentification est modifi\xE9\
            \ ou remplac\xE9, l'utilisateur est inform\xE9 de cet \xE9v\xE9nement."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      ref_id: V2.5.6
      description: Verify forgotten password, and other recovery paths use a secure
        recovery mechanism, such as time-based OTP (TOTP) or other soft token, mobile
        push, or another offline recovery mechanism. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier les mots de passe oubli\xE9s, et les autres chemins\
            \ de r\xE9cup\xE9ration utilisent un m\xE9canisme de r\xE9cup\xE9ration\
            \ s\xE9curis\xE9, tel que TOTP ou autre soft token, mobile push, ou un\
            \ autre m\xE9canisme de r\xE9cup\xE9ration hors ligne. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.5
      ref_id: V2.5.7
      description: Verify that if OTP or multi-factor authentication factors are lost,
        that evidence of identity proofing is performed at the same level as during
        enrollment.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier qu'en cas de perte des facteurs d'authentification\
            \ OTP ou multi-facteurs, la preuve d'identit\xE9 est effectu\xE9e au m\xEA\
            me niveau que lors de l'inscription."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.6
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.6
      name: Look-up Secret Verifier
      translations:
        fr:
          name: "Exigences relatives aux v\xE9rificateurs des secrets"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.6.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.6
      ref_id: V2.6.1
      description: Verify that lookup secrets can be used only once.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les secrets de la table d'authentification\
            \ ne peuvent \xEAtre utilis\xE9s qu'une seule fois."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.6.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.6
      ref_id: V2.6.2
      description: Verify that lookup secrets have sufficient randomness (112 bits
        of entropy), or if less than 112 bits of entropy, salted with a unique and
        random 32-bit salt and hashed with an approved one-way hash.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les secrets de la table d'authentification\
            \ ont un caract\xE8re al\xE9atoire suffisant (112 bits d'entropie) ou,\
            \ s'ils ont moins de 112 bits d'entropie, qu'ils sont sal\xE9s avec un\
            \ sel unique et al\xE9atoire de 32 bits et hach\xE9s avec un hachage unidirectionnel\
            \ approuv\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.6.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.6
      ref_id: V2.6.3
      description: Verify that lookup secrets are resistant to offline attacks, such
        as predictable values.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les secrets de la table d'authentification\
            \ r\xE9sistent aux attaques hors ligne, comme les valeurs pr\xE9visibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.7
      name: Out of Band Verifier
      translations:
        fr:
          name: "Exigences relatives aux v\xE9rificateurs hors bande"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7
      ref_id: V2.7.1
      description: Verify that clear text out of band (NIST "restricted") authenticators,
        such as SMS or PSTN, are not offered by default, and stronger alternatives
        such as push notifications are offered first.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les authentificateurs de texte en clair hors\
            \ bande (NIST \"restreint\"), tels que les SMS ou le PSTN, ne sont pas\
            \ propos\xE9s par d\xE9faut, et que des alternatives plus fortes, telles\
            \ que les notifications \"push\", sont propos\xE9es en premier lieu."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7
      ref_id: V2.7.2
      description: Verify that the out of band verifier expires out of band authentication
        requests, codes, or tokens after 10 minutes.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le v\xE9rificateur hors bande expire les demandes\
            \ d'authentification, les codes ou les jetons hors bande apr\xE8s 10 minutes."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7
      ref_id: V2.7.3
      description: Verify that the out of band verifier authentication requests, codes,
        or tokens are only usable once, and only for the original authentication request.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les demandes d'authentification, codes ou\
            \ jetons hors bande du v\xE9rificateur ne sont utilisables qu'une seule\
            \ fois, et uniquement pour la demande d'authentification originale."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7
      ref_id: V2.7.4
      description: Verify that the out of band authenticator and verifier communicates
        over a secure independent channel.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'authentificateur et le v\xE9rificateur hors\
            \ bande communiquent sur un canal ind\xE9pendant s\xE9curis\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7
      ref_id: V2.7.5
      description: Verify that the out of band verifier retains only a hashed version
        of the authentication code.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le v\xE9rificateur hors bande ne conserve\
            \ qu'une version hach\xE9e du code d'authentification."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.7
      ref_id: V2.7.6
      description: Verify that the initial authentication code is generated by a secure
        random number generator, containing at least 20 bits of entropy (typically
        a six digital random number is sufficient).
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le code d'authentification initial est g\xE9\
            n\xE9r\xE9 par un g\xE9n\xE9rateur de nombres al\xE9atoires s\xE9curis\xE9\
            , contenant au moins 20 bits d'entropie (en g\xE9n\xE9ral, un nombre al\xE9\
            atoire de six chiffres est suffisant)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.8
      name: One Time Verifier
      translations:
        fr:
          name: "Exigences relatives aux v\xE9rificateurs uniques \xE0 facteur unique\
            \ ou \xE0 facteurs multiples"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      ref_id: V2.8.1
      description: Verify that time-based OTPs have a defined lifetime before expiring.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les OTP bas\xE9es sur le temps ont une dur\xE9\
            e de vie d\xE9finie avant d'expirer."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      ref_id: V2.8.2
      description: Verify that symmetric keys used to verify submitted OTPs are highly
        protected, such as by using a hardware security module or secure operating
        system based key storage.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les cl\xE9s sym\xE9triques utilis\xE9es pour\
            \ v\xE9rifier les OTP soumises sont hautement prot\xE9g\xE9es, par exemple\
            \ en utilisant un module de s\xE9curit\xE9 mat\xE9riel ou un stockage\
            \ de cl\xE9s bas\xE9 sur un syst\xE8me d'exploitation s\xE9curis\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      ref_id: V2.8.3
      description: Verify that approved cryptographic algorithms are used in the generation,
        seeding, and verification of OTPs.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que des algorithmes cryptographiques approuv\xE9\
            s sont utilis\xE9s dans la g\xE9n\xE9ration, dans la pr\xE9paration et\
            \ dans la v\xE9rification des OTP."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      ref_id: V2.8.4
      description: Verify that time-based OTP can be used only once within the validity
        period.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'OTP bas\xE9 sur le temps ne peut \xEAtre\
            \ utilis\xE9 qu'une seule fois pendant la p\xE9riode de validit\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      ref_id: V2.8.5
      description: Verify that if a time-based multi-factor OTP token is re-used during
        the validity period, it is logged and rejected with secure notifications being
        sent to the holder of the device.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que si un jeton OTP multi-facteur bas\xE9 sur\
            \ le temps est r\xE9utilis\xE9 pendant la p\xE9riode de validit\xE9, il\
            \ est enregistr\xE9 et rejet\xE9 avec des notifications s\xE9curis\xE9\
            es envoy\xE9es au d\xE9tenteur du dispositif."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      ref_id: V2.8.6
      description: Verify physical single-factor OTP generator can be revoked in case
        of theft or other loss. Ensure that revocation is immediately effective across
        logged in sessions, regardless of location.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que le g\xE9n\xE9rateur OTP physique \xE0 facteur\
            \ unique peut \xEAtre r\xE9voqu\xE9 en cas de vol ou autre perte. S'assurer\
            \ que la r\xE9vocation est imm\xE9diatement effective pour toutes les\
            \ sessions connect\xE9es, quel que soit le lieu."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.8
      ref_id: V2.8.7
      description: Verify that biometric authenticators are limited to use only as
        secondary factors in conjunction with either something you have and something
        you know.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les authentificateurs biom\xE9triques sont\
            \ limit\xE9s \xE0 une utilisation en tant que facteurs secondaires en\
            \ conjonction avec quelque chose que vous avez et quelque chose que vous\
            \ connaissez."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.9
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.9
      name: Cryptographic Verifier
      translations:
        fr:
          name: "Exigences relatives aux v\xE9rificateurs de logiciels et d'appareils\
            \ cryptographiques"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.9.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.9
      ref_id: V2.9.1
      description: Verify that cryptographic keys used in verification are stored
        securely and protected against disclosure, such as using a Trusted Platform
        Module (TPM) or Hardware Security Module (HSM), or an OS service that can
        use this secure storage.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les cl\xE9s cryptographiques utilis\xE9es\
            \ dans la v\xE9rification sont stock\xE9es de mani\xE8re s\xFBre et prot\xE9\
            g\xE9es contre la divulgation, par exemple en utilisant un TPM ou un HSM,\
            \ ou un service OS qui peut utiliser ce stockage s\xE9curis\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.9.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.9
      ref_id: V2.9.2
      description: Verify that the challenge nonce is at least 64 bits in length,
        and statistically unique or unique over the lifetime of the cryptographic
        device.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le nonce de d\xE9fi est d'une longueur d'au\
            \ moins 64 bits, et statistiquement unique ou non pendant la dur\xE9e\
            \ de vie du dispositif cryptographique."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.9.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.9
      ref_id: V2.9.3
      description: Verify that approved cryptographic algorithms are used in the generation,
        seeding, and verification.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que des algorithmes cryptographiques approuv\xE9\
            s sont utilis\xE9s dans la g\xE9n\xE9ration, la pr\xE9paration et la v\xE9\
            rification."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2
      ref_id: V2.10
      name: Service Authentication
      translations:
        fr:
          name: Exigences d'authentification des services
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10
      ref_id: V2.10.1
      description: Verify that intra-service secrets do not rely on unchanging credentials
        such as passwords, API keys or shared accounts with privileged access.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les secrets d'int\xE9gration ne reposent pas\
            \ sur des mots de passe immuables, tels que les cl\xE9s API ou les comptes\
            \ privil\xE9gi\xE9s partag\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10
      ref_id: V2.10.2
      description: Verify that if passwords are required for service authentication,
        the service account used is not a default credential. (e.g. root/root or admin/admin
        are default in some services during installation).
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que si des mots de passe sont requis pour l'authentification\
            \ des services, le compte de service utilis\xE9 n'est pas un identifiant\
            \ par d\xE9faut. (par exemple, root/root ou admin/admin sont utilis\xE9\
            s par d\xE9faut dans certains services lors de l'installation)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10
      ref_id: V2.10.3
      description: Verify that passwords are stored with sufficient protection to
        prevent offline recovery attacks, including local system access.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les mots de passe sont stock\xE9s avec une\
            \ protection suffisante pour emp\xEAcher les attaques de r\xE9cup\xE9\
            ration hors ligne, y compris l'acc\xE8s au syst\xE8me local."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v2.10
      ref_id: V2.10.4
      description: Verify passwords, integrations with databases and third-party systems,
        seeds and internal secrets, and API keys are managed securely and not included
        in the source code or stored within source code repositories. Such storage
        SHOULD resist offline attacks. The use of a secure software key store (L1),
        hardware TPM, or an HSM (L3) is recommended for password storage.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les mots de passe, les int\xE9grations avec\
            \ les bases de donn\xE9es et les syst\xE8mes tiers, les seeds et les secrets\
            \ internes, ainsi que les cl\xE9s API sont g\xE9r\xE9s de mani\xE8re s\xE9\
            curis\xE9e et ne sont pas inclus dans le code source ou stock\xE9s dans\
            \ des d\xE9p\xF4ts de code source. Ce type de stockage DEVRAIT r\xE9sister\
            \ aux attaques hors ligne. L'utilisation d'un stockage de cl\xE9s logiciel\
            \ s\xE9curis\xE9 (L1), d'un module de plate-forme de confiance (TPM) ou\
            \ d'un module de s\xE9curit\xE9 mat\xE9riel (L3) est recommand\xE9e pour\
            \ le stockage des mots de passe."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      assessable: false
      depth: 1
      ref_id: V3
      name: Session Management
      translations:
        fr:
          name: "Exigences de v\xE9rification de la gestion des sessions"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      ref_id: V3.1
      name: Fundamental Session Management Security
      translations:
        fr:
          name: "Exigences fondamentales en mati\xE8re de gestion des sessions"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.1
      ref_id: V3.1.1
      description: Verify the application never reveals session tokens in URL parameters.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application ne r\xE9v\xE8le jamais les jetons\
            \ de session dans les param\xE8tres d'URL ou les messages d'erreur. "
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      ref_id: V3.2
      name: Session Binding
      translations:
        fr:
          name: Exigences contraignantes de la session
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2
      ref_id: V3.2.1
      description: Verify the application generates a new session token on user authentication.
        ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application g\xE9n\xE8re un nouveau jeton\
            \ de session sur l'authentification de l'utilisateur. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2
      ref_id: V3.2.2
      description: Verify that session tokens possess at least 64 bits of entropy.
        ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les jetons de session poss\xE8dent au moins\
            \ 64 bits d'entropie. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2
      ref_id: V3.2.3
      description: Verify the application only stores session tokens in the browser
        using secure methods such as appropriately secured cookies (see section 3.4)
        or HTML 5 session storage.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application ne stocke que des jetons de\
            \ session dans le navigateur en utilisant des m\xE9thodes s\xFBres telles\
            \ que les cookies correctement s\xE9curis\xE9s (voir section 3.4) ou le\
            \ stockage de session HTML 5."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.2
      ref_id: V3.2.4
      description: Verify that session tokens are generated using approved cryptographic
        algorithms. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les jetons de session sont g\xE9n\xE9r\xE9\
            s \xE0 l'aide d'algorithmes cryptographiques approuv\xE9s. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      ref_id: V3.3
      name: Session Termination
      translations:
        fr:
          name: "Exigences en mati\xE8re de d\xE9connexion et de temporisation des\
            \ sessions"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3
      ref_id: V3.3.1
      description: Verify that logout and expiration invalidate the session token,
        such that the back button or a downstream relying party does not resume an
        authenticated session, including across relying parties. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la d\xE9connexion et l'expiration invalident\
            \ le jeton de session, de sorte que le bouton de retour ou une partie\
            \ de confiance en aval ne reprenne pas une session authentifi\xE9e, y\
            \ compris entre les parties de confiance. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3
      ref_id: V3.3.2
      description: If authenticators permit users to remain logged in, verify that
        re-authentication occurs periodically both when actively used or after an
        idle period. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "Si les authentificateurs permettent aux utilisateurs de rester\
            \ connect\xE9s, v\xE9rifiez que la r\xE9-authentification a lieu p\xE9\
            riodiquement, que ce soit en cas d'utilisation active ou apr\xE8s une\
            \ p\xE9riode d'inactivit\xE9. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3
      ref_id: V3.3.3
      description: Verify that the application gives the option to terminate all other
        active sessions after a successful password change (including change via password
        reset/recovery), and that this is effective across the application, federated
        login (if present), and any relying parties.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application offre la possibilit\xE9 de mettre\
            \ fin \xE0 toutes les autres sessions actives apr\xE8s un changement de\
            \ mot de passe r\xE9ussi (y compris le changement par r\xE9initialisation/r\xE9\
            cup\xE9ration du mot de passe), et que cette option est effective dans\
            \ toute l'application, la connexion f\xE9d\xE9r\xE9e (si elle existe)\
            \ et toute partie qui se fie \xE0 elle."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.3
      ref_id: V3.3.4
      description: Verify that users are able to view and (having re-entered login
        credentials) log out of any or all currently active sessions and devices.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les utilisateurs sont en mesure de consulter\
            \ et (apr\xE8s avoir saisi \xE0 nouveau leurs identifiants de connexion)\
            \ de se d\xE9connecter d'une ou de toutes les sessions et de tous les\
            \ dispositifs actuellement actifs."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      ref_id: V3.4
      name: Cookie-based Session Management
      translations:
        fr:
          name: "Gestion de session bas\xE9e sur les cookies"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4
      ref_id: V3.4.1
      description: Verify that cookie-based session tokens have the 'Secure' attribute
        set. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les jetons de session bas\xE9s sur des cookies\
            \ ont l'attribut 'Secure'. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4
      ref_id: V3.4.2
      description: Verify that cookie-based session tokens have the 'HttpOnly' attribute
        set. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les jetons de session bas\xE9s sur des cookies\
            \ ont l'attribut 'HttpOnly'. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4
      ref_id: V3.4.3
      description: Verify that cookie-based session tokens utilize the 'SameSite'
        attribute to limit exposure to cross-site request forgery attacks. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les jetons de session bas\xE9s sur des cookies\
            \ utilisent l'attribut 'SameSite' pour limiter l'exposition aux attaques\
            \ de contrefa\xE7on par requ\xEAte intersite. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4
      ref_id: V3.4.4
      description: Verify that cookie-based session tokens use the "__Host-" prefix
        so cookies are only sent to the host that initially set the cookie.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les jetons de session bas\xE9s sur les cookies\
            \ utilisent le pr\xE9fixe \"__Host-\" (voir r\xE9f\xE9rences) pour assurer\
            \ la confidentialit\xE9 des cookies de session."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.4
      ref_id: V3.4.5
      description: Verify that if the application is published under a domain name
        with other applications that set or use session cookies that might disclose
        the session cookies, set the path attribute in cookie-based session tokens
        using the most precise path possible. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que si la demande est publi\xE9e sous un nom de\
            \ domaine avec d'autres applications qui d\xE9finissent ou utilisent des\
            \ cookies de session susceptibles de les remplacer ou de les divulguer,\
            \ d\xE9finissez l'attribut de chemin dans les jetons de session bas\xE9\
            s sur les cookies en utilisant le chemin le plus pr\xE9cis possible. ([C6](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      ref_id: V3.5
      name: Token-based Session Management
      translations:
        fr:
          name: "Gestion de session \xE0 jetons"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.5
      ref_id: V3.5.1
      description: Verify the application allows users to revoke OAuth tokens that
        form trust relationships with linked applications.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application permet aux utilisateurs de r\xE9\
            voquer les jetons OAuth qui forment des relations d'approbation avec les\
            \ applications li\xE9es. "
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.5
      ref_id: V3.5.2
      description: Verify the application uses session tokens rather than static API
        secrets and keys, except with legacy implementations.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application utilise des jetons de session\
            \ plut\xF4t que des secrets et des cl\xE9s d'API statiques, sauf dans\
            \ le cas d'anciennes impl\xE9mentations (legacy)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.5.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.5
      ref_id: V3.5.3
      description: Verify that stateless session tokens use digital signatures, encryption,
        and other countermeasures to protect against tampering, enveloping, replay,
        null cipher, and key substitution attacks.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les jetons de session sans \xE9tat utilisent\
            \ les signatures num\xE9riques, le chiffrement et d'autres contre-mesures\
            \ pour se prot\xE9ger contre les attaques par alt\xE9ration, mise sous\
            \ enveloppe, rediffusion, chiffrement nul et substitution de cl\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.6
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      ref_id: V3.6
      name: Federated Re-authentication
      translations:
        fr:
          name: "Re-authentification d'une f\xE9d\xE9ration ou d'une assertion"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.6.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.6
      ref_id: V3.6.1
      description: Verify that Relying Parties (RPs) specify the maximum authentication
        time to Credential Service Providers (CSPs) and that CSPs re-authenticate
        the user if they haven't used a session within that period.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les parties qui se fient \xE0 la proc\xE9\
            dure pr\xE9cisent le d\xE9lai maximal d'authentification aux fournisseurs\
            \ de services d'authentification (CSP) et que ces derniers r\xE9-authentifient\
            \ l'abonn\xE9 s'ils n'ont pas utilis\xE9 de session pendant cette p\xE9\
            riode."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.6.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.6
      ref_id: V3.6.2
      description: Verify that Credential Service Providers (CSPs) inform Relying
        Parties (RPs) of the last authentication event, to allow RPs to determine
        if they need to re-authenticate the user.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les fournisseurs de services d'accr\xE9ditation\
            \ (CSP) informent les parties ayant fait confiance au dernier \xE9v\xE9\
            nement d'authentification, afin de permettre aux RP de d\xE9terminer s'ils\
            \ doivent r\xE9-authentifier l'utilisateur."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.7
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3
      ref_id: V3.7
      name: Defenses Against Session Management Exploits
      translations:
        fr:
          name: "D\xE9fenses contre l'exploitation de la gestion des sessions"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.7.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v3.7
      ref_id: V3.7.1
      description: Verify the application ensures a full, valid login session or requires
        re-authentication or secondary verification before allowing any sensitive
        transactions or account modifications.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application garantit une session de connexion\
            \ compl\xE8te et valide ou exige une nouvelle authentification ou une\
            \ v\xE9rification secondaire avant d'autoriser toute transaction sensible\
            \ ou modification de compte."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4
      assessable: false
      depth: 1
      ref_id: V4
      name: Access Control
      translations:
        fr:
          name: "Exigences de v\xE9rification du contr\xF4le d'acc\xE8s"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4
      ref_id: V4.1
      name: General Access Control Design
      translations:
        fr:
          name: "Conception g\xE9n\xE9rale du contr\xF4le d'acc\xE8s"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1
      ref_id: V4.1.1
      description: Verify that the application enforces access control rules on a
        trusted service layer, especially if client-side access control is present
        and could be bypassed.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application applique les r\xE8gles de contr\xF4\
            le d'acc\xE8s sur une couche de service de confiance, en particulier si\
            \ le contr\xF4le d'acc\xE8s c\xF4t\xE9 client est pr\xE9sent et pourrait\
            \ \xEAtre contourn\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1
      ref_id: V4.1.2
      description: Verify that all user and data attributes and policy information
        used by access controls cannot be manipulated by end users unless specifically
        authorized.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que tous les attributs des utilisateurs et des\
            \ donn\xE9es et les informations sur les politiques utilis\xE9es par les\
            \ contr\xF4les d'acc\xE8s ne peuvent \xEAtre manipul\xE9s par les utilisateurs\
            \ finaux, sauf autorisation sp\xE9cifique."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1
      ref_id: V4.1.3
      description: Verify that the principle of least privilege exists - users should
        only be able to access functions, data files, URLs, controllers, services,
        and other resources, for which they possess specific authorization. This implies
        protection against spoofing and elevation of privilege. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que le principe du moindre privil\xE8ge existe\
            \ - les utilisateurs ne doivent pouvoir acc\xE9der qu'aux fonctions, fichiers\
            \ de donn\xE9es, URL, contr\xF4leurs, services et autres ressources pour\
            \ lesquels ils poss\xE8dent une autorisation sp\xE9cifique. Cela implique\
            \ une protection contre l'usurpation et l'\xE9l\xE9vation des privil\xE8\
            ges. ([C7](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.1
      ref_id: V4.1.5
      description: Verify that access controls fail securely including when an exception
        occurs. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les contr\xF4les d'acc\xE8s \xE9chouent de\
            \ mani\xE8re s\xFBre, y compris lorsqu'une exception se produit. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4
      ref_id: V4.2
      name: Operation Level Access Control
      translations:
        fr:
          name: "Contr\xF4le d'acc\xE8s au niveau des op\xE9rations"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.2
      ref_id: V4.2.1
      description: Verify that sensitive data and APIs are protected against Insecure
        Direct Object Reference (IDOR) attacks targeting creation, reading, updating
        and deletion of records, such as creating or updating someone else's record,
        viewing everyone's records, or deleting all records.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les donn\xE9es sensibles et les API sont prot\xE9\
            g\xE9es contre les attaques par r\xE9f\xE9rence directe \xE0 un objet\
            \ (IDOR) non s\xE9curis\xE9es visant la cr\xE9ation, la lecture, la mise\
            \ \xE0 jour et la suppression d'enregistrements, telles que la cr\xE9\
            ation ou la mise \xE0 jour de l'enregistrement de quelqu'un d'autre, la\
            \ consultation de tous les enregistrements ou la suppression de tous les\
            \ enregistrements."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.2
      ref_id: V4.2.2
      description: Verify that the application or framework enforces a strong anti-CSRF
        mechanism to protect authenticated functionality, and effective anti-automation
        or anti-CSRF protects unauthenticated functionality.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application ou le cadriciel applique un\
            \ m\xE9canisme anti-CSRF fort pour prot\xE9ger les fonctionnalit\xE9s\
            \ authentifi\xE9es, et qu'une anti-automation ou un anti-CSRF efficace\
            \ prot\xE8ge les fonctionnalit\xE9s non authentifi\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4
      ref_id: V4.3
      name: Other Access Control Considerations
      translations:
        fr:
          name: "Autres consid\xE9rations relatives au contr\xF4le d'acc\xE8s"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.3
      ref_id: V4.3.1
      description: Verify administrative interfaces use appropriate multi-factor authentication
        to prevent unauthorized use.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les interfaces administratives utilisent une\
            \ authentification multifactorielle appropri\xE9e pour emp\xEAcher toute\
            \ utilisation non autoris\xE9e."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.3
      ref_id: V4.3.2
      description: Verify that directory browsing is disabled unless deliberately
        desired. Additionally, applications should not allow discovery or disclosure
        of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn
        folders.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la navigation dans les r\xE9pertoires est\
            \ d\xE9sactiv\xE9e, sauf si vous le souhaitez d\xE9lib\xE9r\xE9ment. En\
            \ outre, les applications ne doivent pas permettre la d\xE9couverte ou\
            \ la divulgation de m\xE9tadonn\xE9es de fichiers ou de r\xE9pertoires,\
            \ tels que les dossiers Thumbs.db, .DS_Store, .git ou .svn."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v4.3
      ref_id: V4.3.3
      description: Verify the application has additional authorization (such as step
        up or adaptive authentication) for lower value systems, and / or segregation
        of duties for high value applications to enforce anti-fraud controls as per
        the risk of application and past fraud.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que la demande dispose d'une autorisation suppl\xE9\
            mentaire (telle qu'une authentification renforc\xE9e ou adaptative) pour\
            \ les syst\xE8mes \xE0 faible valeur, et/ou d'une s\xE9paration des t\xE2\
            ches pour les demandes \xE0 valeur \xE9lev\xE9e afin de faire appliquer\
            \ les contr\xF4les anti-fraude en fonction du risque de fraude de la demande\
            \ et de la fraude pass\xE9e."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5
      assessable: false
      depth: 1
      ref_id: V5
      name: Validation, Sanitization and Encoding
      translations:
        fr:
          name: "Exigences de validation, d'assainissement et de v\xE9rification de\
            \ l'encodage"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5
      ref_id: V5.1
      name: Input Validation
      translations:
        fr:
          name: "Exigences de validation des entr\xE9es"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1
      ref_id: V5.1.1
      description: Verify that the application has defenses against HTTP parameter
        pollution attacks, particularly if the application framework makes no distinction
        about the source of request parameters (GET, POST, cookies, headers, or environment
        variables).
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application dispose de d\xE9fenses contre\
            \ les attaques de pollution des param\xE8tres HTTP, en particulier si\
            \ le cadre de l'application ne fait aucune distinction quant \xE0 la source\
            \ des param\xE8tres de la requ\xEAte (GET, POST, cookies, en-t\xEAtes\
            \ ou variables d'environnement)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1
      ref_id: V5.1.2
      description: Verify that frameworks protect against mass parameter assignment
        attacks, or that the application has countermeasures to protect against unsafe
        parameter assignment, such as marking fields private or similar. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les cadriciels prot\xE8gent contre les attaques\
            \ par assignation massive de param\xE8tres, ou que l'application dispose\
            \ de contre-mesures pour prot\xE9ger contre l'assignation dangereuse de\
            \ param\xE8tres, comme le marquage des champs priv\xE9s ou similaires.\
            \ ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1
      ref_id: V5.1.3
      description: Verify that all input (HTML form fields, REST requests, URL parameters,
        HTTP headers, cookies, batch files, RSS feeds, etc) is validated using positive
        validation (allow lists). ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les entr\xE9es (champs de formulaire\
            \ HTML, demandes REST, param\xE8tres URL, en-t\xEAtes HTTP, cookies, fichiers\
            \ batch, flux RSS, etc) sont valid\xE9es par une validation positive (liste\
            \ d'autorisation). ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1
      ref_id: V5.1.4
      description: Verify that structured data is strongly typed and validated against
        a defined schema including allowed characters, length and pattern (e.g. credit
        card numbers, e-mail addresses, telephone numbers, or validating that two
        related fields are reasonable, such as checking that suburb and zip/postcode
        match). ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les donn\xE9es structur\xE9es sont fortement\
            \ typ\xE9es et valid\xE9es par rapport \xE0 un sch\xE9ma d\xE9fini comprenant\
            \ les caract\xE8res, la longueur et le mod\xE8le autoris\xE9s (par exemple,\
            \ num\xE9ros de carte de cr\xE9dit ou de t\xE9l\xE9phone, ou valider que\
            \ deux champs connexes sont raisonnables, comme v\xE9rifier la correspondance\
            \ entre la banlieue et le code postal). ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.1
      ref_id: V5.1.5
      description: Verify that URL redirects and forwards only allow destinations
        which appear on an allow list, or show a warning when redirecting to potentially
        untrusted content.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les redirections et les transferts d'URL n'autorisent\
            \ que les destinations pr\xE9vu, ou affichez un avertissement lors d'une\
            \ redirection vers un contenu potentiellement non fiable."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5
      ref_id: V5.2
      name: Sanitization and Sandboxing
      translations:
        fr:
          name: "Exigences en mati\xE8re d'assainissement et de \xAB bac \xE0 sable\
            \ \xBB"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.1
      description: Verify that all untrusted HTML input from WYSIWYG editors or similar
        is properly sanitized with an HTML sanitizer library or framework feature.
        ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les entr\xE9es HTML non fiables provenant\
            \ d'\xE9diteurs WYSIWYG ou similaires sont correctement assainit avec\
            \ une biblioth\xE8que ou une fonction de framework de nettoyage HTML.\
            \ ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.2
      description: Verify that unstructured data is sanitized to enforce safety measures
        such as allowed characters and length.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les donn\xE9es non structur\xE9es sont assainit\
            \ afin d'appliquer les mesures de s\xE9curit\xE9 telles que les caract\xE8\
            res et la longueur autoris\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.3
      description: Verify that the application sanitizes user input before passing
        to mail systems to protect against SMTP or IMAP injection.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application assainit les entr\xE9es de l'utilisateur\
            \ avant de passer aux syst\xE8mes de messagerie pour prot\xE9ger contre\
            \ l'injection SMTP ou IMAP."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.4
      description: Verify that the application avoids the use of eval() or other dynamic
        code execution features. Where there is no alternative, any user input being
        included must be sanitized or sandboxed before being executed.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application \xE9vite l'utilisation de eval()\
            \ ou d'autres fonctions d'ex\xE9cution de code dynamique. Lorsqu'il n'y\
            \ a pas d'alternative, toute entr\xE9e utilisateur incluse doit \xEAtre\
            \ assainit ou mise en sandbox avant d'\xEAtre ex\xE9cut\xE9e."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.5
      description: Verify that the application protects against template injection
        attacks by ensuring that any user input being included is sanitized or sandboxed.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application prot\xE8ge contre les attaques\
            \ par injection de mod\xE8les en veillant \xE0 ce que toute entr\xE9e\
            \ de l'utilisateur incluse soit aseptis\xE9e ou mise en bac \xE0 sable."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.6
      description: Verify that the application protects against SSRF attacks, by validating
        or sanitizing untrusted data or HTTP file metadata, such as filenames and
        URL input fields, and uses allow lists of protocols, domains, paths and ports.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application prot\xE8ge contre les attaques\
            \ SSRF, en validant ou en assainissant les donn\xE9es non fiables ou les\
            \ m\xE9tadonn\xE9es de fichiers HTTP, comme les noms de fichiers et les\
            \ champs de saisie d'URL, utiliser la liste d'autorisation des protocoles,\
            \ domaines, chemins et ports."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.7
      description: Verify that the application sanitizes, disables, or sandboxes user-supplied
        Scalable Vector Graphics (SVG) scriptable content, especially as they relate
        to XSS resulting from inline scripts, and foreignObject.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application assainit, d\xE9sactive ou met\
            \ en place une isolation (sandbox) pour le contenu scriptable fourni par\
            \ l'utilisateur (Scalable Vector Graphics - SVG), en particulier en ce\
            \ qui concerne les XSS r\xE9sultant de scripts natif au code pr\xE9sent\
            \ et foreignObject."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.2
      ref_id: V5.2.8
      description: Verify that the application sanitizes, disables, or sandboxes user-supplied
        scriptable or expression template language content, such as Markdown, CSS
        or XSL stylesheets, BBCode, or similar.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application assainit, d\xE9sactive ou met\
            \ en sandbox le contenu des scripts ou des mod\xE8les d'expression fournis\
            \ par l'utilisateur, tels que les feuilles de style Markdown, CSS ou XSL,\
            \ le BBCode ou autres."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5
      ref_id: V5.3
      name: Output Encoding and Injection Prevention
      translations:
        fr:
          name: "Exigences en mati\xE8re d'encodage de sortie et de pr\xE9vention\
            \ des injections"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.1
      description: "Verify that output encoding is relevant for the interpreter and\
        \ context required. For example, use encoders specifically for HTML values,\
        \ HTML attributes, JavaScript, URL parameters, HTTP headers, SMTP, and others\
        \ as the context requires, especially from untrusted inputs (e.g. names with\
        \ Unicode or apostrophes, such as \u201E\xC5\u2260\u201E\xC5\xEC or O'Hara).\
        \ ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'encodage de sortie est pertinent pour l'interpr\xE8\
            te et le contexte requis. Par exemple, utilisez des encodeurs sp\xE9cifiques\
            \ pour les valeurs HTML, les attributs HTML, JavaScript, les param\xE8\
            tres URL, les en-t\xEAtes HTTP, SMTP et autres selon le contexte, en particulier\
            \ \xE0 partir d'entr\xE9es non fiables (par exemple les noms avec Unicode\
            \ ou apostrophes, comme \u306D\u3053 ou O'Hara). ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.2
      description: Verify that output encoding preserves the user's chosen character
        set and locale, such that any Unicode character point is valid and safely
        handled. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'encodage de sortie pr\xE9serve le jeu de\
            \ caract\xE8res et la langue choisis par l'utilisateur, de sorte que tout\
            \ point de caract\xE8re Unicode soit valide et trait\xE9 en toute s\xE9\
            curit\xE9. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.3
      description: Verify that context-aware, preferably automated - or at worst,
        manual - output escaping protects against reflected, stored, and DOM based
        XSS. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'encodage des sorties en fonction du contexte,\
            \ de pr\xE9f\xE9rence automatis\xE9 - ou au pire, manuel - prot\xE8ge\
            \ contre le XSS r\xE9fl\xE9chi, stock\xE9 et bas\xE9 sur le DOM. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.4
      description: Verify that data selection or database queries (e.g. SQL, HQL,
        ORM, NoSQL) use parameterized queries, ORMs, entity frameworks, or are otherwise
        protected from database injection attacks. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que la s\xE9lection de donn\xE9es ou les requ\xEA\
            tes de base de donn\xE9es (par exemple SQL, HQL, ORM, NoSQL) utilisent\
            \ des requ\xEAtes param\xE9tr\xE9es, des ORM, des cadres d'entit\xE9s,\
            \ ou sont autrement prot\xE9g\xE9es contre les attaques par injection\
            \ de base de donn\xE9es. ([C3](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.5
      description: Verify that where parameterized or safer mechanisms are not present,
        context-specific output encoding is used to protect against injection attacks,
        such as the use of SQL escaping to protect against SQL injection. ([C3, C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que, lorsque des m\xE9canismes param\xE9tr\xE9\
            s ou plus s\xFBrs ne sont pas pr\xE9sents, un encodage de sortie sp\xE9\
            cifique au contexte est utilis\xE9 pour se prot\xE9ger contre les attaques\
            \ par injection, comme l'utilisation de l'\xE9chappement SQL pour se prot\xE9\
            ger contre l'injection SQL. ([C3, C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.6
      description: Verify that the application protects against JSON injection attacks,
        JSON eval attacks, and JavaScript expression evaluation. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application se prot\xE8ge contre les attaques\
            \ par injection de JSON, les attaques par \xE9valuation de JSON et les\
            \ \xE9valuations d'expressions JavaScript. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.7
      description: Verify that the application protects against LDAP injection vulnerabilities,
        or that specific security controls to prevent LDAP injection have been implemented.
        ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application prot\xE8ge contre les vuln\xE9\
            rabilit\xE9s de LDAP Injection, ou que des contr\xF4les de s\xE9curit\xE9\
            \ sp\xE9cifiques pour emp\xEAcher des injections LDAP ont \xE9t\xE9 mis\
            \ en place. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.8
      description: Verify that the application protects against OS command injection
        and that operating system calls use parameterized OS queries or use contextual
        command line output encoding. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application prot\xE8ge contre l'injection\
            \ de commandes du syst\xE8me d'exploitation et que les appels du syst\xE8\
            me d'exploitation utilisent des requ\xEAtes param\xE9tr\xE9es du syst\xE8\
            me d'exploitation ou utilisent l'encodage contextuel de la sortie de la\
            \ ligne de commande. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.9
      description: Verify that the application protects against Local File Inclusion
        (LFI) or Remote File Inclusion (RFI) attacks.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application prot\xE8ge contre les attaques\
            \ par inclusion de fichier local (LFI) ou par inclusion de fichier distant\
            \ (RFI)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3.10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.3
      ref_id: V5.3.10
      description: Verify that the application protects against XPath injection or
        XML injection attacks. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application prot\xE8ge contre les attaques\
            \ par injection XPath ou par injection XML. ([C4](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5
      ref_id: V5.4
      name: Memory, String, and Unmanaged Code
      translations:
        fr:
          name: "Exigences en mati\xE8re de m\xE9moire, de cha\xEEnes de caract\xE8\
            res et de code non g\xE9r\xE9"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.4
      ref_id: V5.4.1
      description: Verify that the application uses memory-safe string, safer memory
        copy and pointer arithmetic to detect or prevent stack, buffer, or heap overflows.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application utilise une cha\xEEne de caract\xE8\
            res \xE0 m\xE9moire s\xE9curis\xE9e, une copie m\xE9moire s\xE9curis\xE9\
            e et l'arithm\xE9tique des pointeurs pour d\xE9tecter ou emp\xEAcher les\
            \ d\xE9bordements de pile, de m\xE9moire tampon ou de tas."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.4
      ref_id: V5.4.2
      description: Verify that format strings do not take potentially hostile input,
        and are constant.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les cha\xEEnes de format ne prennent pas d'entr\xE9\
            e potentiellement hostile, et sont constantes."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.4.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.4
      ref_id: V5.4.3
      description: Verify that sign, range, and input validation techniques are used
        to prevent integer overflows.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les techniques de validation des signes, des\
            \ plages et des entr\xE9es sont utilis\xE9es pour \xE9viter les d\xE9\
            bordements d'entiers."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5
      ref_id: V5.5
      name: Deserialization Prevention
      translations:
        fr:
          name: "Exigences de pr\xE9vention de la d\xE9s\xE9rialisation"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5
      ref_id: V5.5.1
      description: Verify that serialized objects use integrity checks or are encrypted
        to prevent hostile object creation or data tampering. ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les objets s\xE9rialis\xE9s utilisent des\
            \ contr\xF4les d'int\xE9grit\xE9 ou sont chiffr\xE9s pour emp\xEAcher\
            \ la cr\xE9ation d'objets hostiles ou la falsification de donn\xE9es.\
            \ ([C5](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5
      ref_id: V5.5.2
      description: Verify that the application correctly restricts XML parsers to
        only use the most restrictive configuration possible and to ensure that unsafe
        features such as resolving external entities are disabled to prevent XML eXternal
        Entity (XXE) attacks.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application restreint correctement les analyseurs\
            \ XML pour n'utiliser que la configuration la plus restrictive possible\
            \ et pour s'assurer que les fonctions dangereuses telles que la r\xE9\
            solution d'entit\xE9s externes sont d\xE9sactiv\xE9es pour emp\xEAcher\
            \ les XXE. "
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5
      ref_id: V5.5.3
      description: Verify that deserialization of untrusted data is avoided or is
        protected in both custom code and third-party libraries (such as JSON, XML
        and YAML parsers).
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la d\xE9s\xE9rialisation des donn\xE9es non\
            \ fiables est \xE9vit\xE9e ou prot\xE9g\xE9e \xE0 la fois dans le code\
            \ personnalis\xE9 et les biblioth\xE8ques tierces (comme les analyseurs\
            \ JSON, XML et YAML). "
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v5.5
      ref_id: V5.5.4
      description: Verify that when parsing JSON in browsers or JavaScript-based backends,
        JSON.parse is used to parse the JSON document. Do not use eval() to parse
        JSON.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que lors de l'analyse de JSON dans les navigateurs\
            \ ou les backends bas\xE9s sur JavaScript, JSON.parse est utilis\xE9 pour\
            \ analyser le document JSON. N'utilisez pas eval() pour analyser JSON."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6
      assessable: false
      depth: 1
      ref_id: V6
      name: Stored Cryptography
      translations:
        fr:
          name: "Exigences de v\xE9rification de la cryptographie stock\xE9e"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6
      ref_id: V6.1
      name: Data Classification
      translations:
        fr:
          name: "Classification des donn\xE9es"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.1
      ref_id: V6.1.1
      description: Verify that regulated private data is stored encrypted while at
        rest, such as Personally Identifiable Information (PII), sensitive personal
        information, or data assessed likely to be subject to EU's GDPR.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les donn\xE9es priv\xE9es r\xE9glement\xE9\
            es sont stock\xE9es sous forme chiffr\xE9e pendant le repos, comme les\
            \ informations d'identification personnelle (IIP), les informations personnelles\
            \ sensibles ou les donn\xE9es consid\xE9r\xE9es comme susceptibles d'\xEA\
            tre soumises \xE0 la GDPR de l'UE."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.1
      ref_id: V6.1.2
      description: Verify that regulated health data is stored encrypted while at
        rest, such as medical records, medical device details, or de-anonymized research
        records.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les donn\xE9es de sant\xE9 r\xE9glement\xE9\
            es sont stock\xE9es de mani\xE8re chiffr\xE9e pendant le repos, comme\
            \ les dossiers m\xE9dicaux, les d\xE9tails des dispositifs m\xE9dicaux\
            \ ou les dossiers de recherche d\xE9sanonymis\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.1
      ref_id: V6.1.3
      description: Verify that regulated financial data is stored encrypted while
        at rest, such as financial accounts, defaults or credit history, tax records,
        pay history, beneficiaries, or de-anonymized market or research records.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les donn\xE9es financi\xE8res r\xE9glement\xE9\
            es sont stock\xE9es de mani\xE8re crypt\xE9e lorsqu'elles sont au repos,\
            \ telles que les comptes financiers, les d\xE9fauts ou les ant\xE9c\xE9\
            dents de cr\xE9dit, les dossiers fiscaux, l'historique des salaires, les\
            \ b\xE9n\xE9ficiaires ou les dossiers de march\xE9 ou de recherche d\xE9\
            sanonymis\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6
      ref_id: V6.2
      name: Algorithms
      translations:
        fr:
          name: Algorithmes
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.1
      description: Verify that all cryptographic modules fail securely, and errors
        are handled in a way that does not enable Padding Oracle attacks.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que tous les modules cryptographiques \xE9chouent\
            \ en toute s\xE9curit\xE9, et que les erreurs sont trait\xE9es de mani\xE8\
            re \xE0 ne pas permettre les attaques de type \"Padding Oracle\"."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.2
      description: Verify that industry proven or government approved cryptographic
        algorithms, modes, and libraries are used, instead of custom coded cryptography.
        ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que des algorithmes, des biblioth\xE8ques cryptographiques\
            \ et des modes \xE9prouv\xE9s par l'industrie ou approuv\xE9s par le gouvernement\
            \ sont utilis\xE9s, au lieu de la cryptographie cod\xE9e sur mesure. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.3
      description: Verify that encryption initialization vector, cipher configuration,
        and block modes are configured securely using the latest advice.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le vecteur d'initialisation du chiffrement,\
            \ la configuration du chiffrement et les modes de blocage sont configur\xE9\
            s de mani\xE8re s\xE9curis\xE9e en utilisant les derniers conseils."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.4
      description: Verify that random number, encryption or hashing algorithms, key
        lengths, rounds, ciphers or modes, can be reconfigured, upgraded, or swapped
        at any time, to protect against cryptographic breaks. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les algorithmes de chiffrement ou de hachage,\
            \ les longueurs de cl\xE9, le nombre de rondes, les chiffrements ou les\
            \ modes, peuvent \xEAtre reconfigur\xE9s, mis \xE0 niveau ou \xE9chang\xE9\
            s \xE0 tout moment, pour se prot\xE9ger contre les failles cryptographiques.\
            \ ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.5
      description: Verify that known insecure block modes (i.e. ECB, etc.), padding
        modes (i.e. PKCS#1 v1.5, etc.), ciphers with small block sizes (i.e. Triple-DES,
        Blowfish, etc.), and weak hashing algorithms (i.e. MD5, SHA1, etc.) are not
        used unless required for backwards compatibility.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les modes de blocs non s\xE9curis\xE9s connus\
            \ (c'est-\xE0-dire ECB, etc.), les modes de remplissage (c'est-\xE0-dire\
            \ PKCS#1 v1.5, etc.), les chiffrements avec des blocs de petites tailles\
            \ (c'est-\xE0-dire Triple-DES, Blowfish, etc.) et les algorithmes de hachage\
            \ faibles (c'est-\xE0-dire MD5, SHA1, etc.) ne sont pas utilis\xE9s, sauf\
            \ si cela est n\xE9cessaire pour la r\xE9trocompatibilit\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.6
      description: Verify that nonces, initialization vectors, and other single use
        numbers must not be used more than once with a given encryption key. The method
        of generation must be appropriate for the algorithm being used.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les nonces, vecteurs d'initialisation et autres\
            \ num\xE9ros \xE0 usage unique ne doivent pas \xEAtre utilis\xE9s plus\
            \ d'une fois avec une cl\xE9 de chiffrement donn\xE9e. La m\xE9thode de\
            \ g\xE9n\xE9ration doit \xEAtre appropri\xE9e \xE0 l'algorithme utilis\xE9\
            ."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.7
      description: Verify that encrypted data is authenticated via signatures, authenticated
        cipher modes, or HMAC to ensure that ciphertext is not altered by an unauthorized
        party.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les donn\xE9es chiffr\xE9es sont authentifi\xE9\
            es par des signatures, des modes de chiffrement authentifi\xE9s ou le\
            \ [HMAC](https://en.wikipedia.org/wiki/HMAC) pour s'assurer que le texte\
            \ chiffr\xE9 n'est pas alt\xE9r\xE9 par une partie non autoris\xE9e."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.2
      ref_id: V6.2.8
      description: Verify that all cryptographic operations are constant-time, with
        no 'short-circuit' operations in comparisons, calculations, or returns, to
        avoid leaking information.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les op\xE9rations cryptographiques\
            \ sont \xE0 temps constant, sans op\xE9rations de \"court-circuit\" dans\
            \ les comparaisons, les calculs ou les retours, afin d'\xE9viter les fuites\
            \ d'informations."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6
      ref_id: V6.3
      name: Random Values
      translations:
        fr:
          name: "Valeurs al\xE9atoires"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.3
      ref_id: V6.3.1
      description: Verify that all random numbers, random file names, random GUIDs,
        and random strings are generated using the cryptographic module's approved
        cryptographically secure random number generator when these random values
        are intended to be not guessable by an attacker.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que tous les nombres al\xE9atoires, noms de fichiers\
            \ al\xE9atoires, GUIDs al\xE9atoires et cha\xEEnes al\xE9atoires sont\
            \ g\xE9n\xE9r\xE9s en utilisant le g\xE9n\xE9rateur de nombres al\xE9\
            atoires s\xE9curis\xE9 cryptographiquement approuv\xE9 par le module cryptographique\
            \ lorsque ces valeurs al\xE9atoires sont destin\xE9es \xE0 ne pas \xEA\
            tre devin\xE9es par un attaquant."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.3
      ref_id: V6.3.2
      description: Verify that random GUIDs are created using the GUID v4 algorithm,
        and a Cryptographically-secure Pseudo-random Number Generator (CSPRNG). GUIDs
        created using other pseudo-random number generators may be predictable.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les GUID al\xE9atoires sont cr\xE9\xE9s en\
            \ utilisant l'algorithme GUID v4, et un g\xE9n\xE9rateur de nombres pseudo-al\xE9\
            atoires s\xE9curis\xE9 cryptographiquement (CSPRNG). Les GUID cr\xE9\xE9\
            s \xE0 l'aide d'autres g\xE9n\xE9rateurs de nombres pseudo-al\xE9atoires\
            \ peuvent \xEAtre pr\xE9visibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.3
      ref_id: V6.3.3
      description: Verify that random numbers are created with proper entropy even
        when the application is under heavy load, or that the application degrades
        gracefully in such circumstances.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les nombres al\xE9atoires sont cr\xE9\xE9\
            s avec une entropie correcte m\xEAme lorsque l'application est soumise\
            \ \xE0 une forte charge, ou que l'application se d\xE9grade gracieusement\
            \ dans de telles circonstances."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6
      ref_id: V6.4
      name: Secret Management
      translations:
        fr:
          name: Gestion du secret
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.4
      ref_id: V6.4.1
      description: Verify that a secrets management solution such as a key vault is
        used to securely create, store, control access to and destroy secrets. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'une solution de gestion des secrets, telle\
            \ qu'un coffre fort de cl\xE9s, est utilis\xE9 pour cr\xE9er, stocker,\
            \ contr\xF4ler l'acc\xE8s aux secrets et les d\xE9truire en toute s\xE9\
            curit\xE9. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v6.4
      ref_id: V6.4.2
      description: Verify that key material is not exposed to the application but
        instead uses an isolated security module like a vault for cryptographic operations.
        ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le mat\xE9riel cl\xE9 ne soit pas expos\xE9\
            \ \xE0 l'application mais utilise plut\xF4t un module de s\xE9curit\xE9\
            \ isol\xE9 comme un coffre-fort pour les op\xE9rations cryptographiques.\
            \ ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7
      assessable: false
      depth: 1
      ref_id: V7
      name: Error Handling and Logging
      translations:
        fr:
          name: "Traitement des erreurs et exigences de v\xE9rification de l'enregistrement"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7
      ref_id: V7.1
      name: Log Content
      translations:
        fr:
          name: Exigences relatives au contenu des journaux
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1
      ref_id: V7.1.1
      description: Verify that the application does not log credentials or payment
        details. Session tokens should only be stored in logs in an irreversible,
        hashed form. ([C9, C10](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le journal n'enregistre pas les r\xE9f\xE9\
            rences ou les d\xE9tails de paiement. Les jetons de session ne doivent\
            \ \xEAtre stock\xE9s dans les journaux que sous une forme hach\xE9e et\
            \ irr\xE9versible. ([C9, C10](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1
      ref_id: V7.1.2
      description: Verify that the application does not log other sensitive data as
        defined under local privacy laws or relevant security policy. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application n'enregistre pas d'autres donn\xE9\
            es sensibles telles que d\xE9finies par les lois locales sur la protection\
            \ de la vie priv\xE9e ou la politique de s\xE9curit\xE9 pertinente. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1
      ref_id: V7.1.3
      description: Verify that the application logs security relevant events including
        successful and failed authentication events, access control failures, deserialization
        failures and input validation failures. ([C5, C7](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application enregistre les \xE9v\xE9nements\
            \ pertinents pour la s\xE9curit\xE9, y compris les \xE9v\xE9nements d'authentification\
            \ r\xE9ussis et \xE9chou\xE9s, les \xE9checs de contr\xF4le d'acc\xE8\
            s, les \xE9checs de d\xE9s\xE9rialisation et les \xE9checs de validation\
            \ des entr\xE9es. ([C5, C7](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.1
      ref_id: V7.1.4
      description: Verify that each log event includes necessary information that
        would allow for a detailed investigation of the timeline when an event happens.
        ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que chaque \xE9v\xE9nement consign\xE9 dans le\
            \ journal contient les informations n\xE9cessaires pour permettre une\
            \ enqu\xEAte d\xE9taill\xE9e sur la chronologie de l'\xE9v\xE9nement.\
            \ ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7
      ref_id: V7.2
      name: Log Processing
      translations:
        fr:
          name: Exigences de traitement des journaux
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.2
      ref_id: V7.2.1
      description: Verify that all authentication decisions are logged, without storing
        sensitive session tokens or passwords. This should include requests with relevant
        metadata needed for security investigations.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les d\xE9cisions d'authentification\
            \ sont consign\xE9es, sans stocker d'identifiants de session ou de mots\
            \ de passe sensibles. Cela devrait inclure les demandes avec les m\xE9\
            tadonn\xE9es pertinentes n\xE9cessaires aux enqu\xEAtes de s\xE9curit\xE9\
            . "
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.2
      ref_id: V7.2.2
      description: Verify that all access control decisions can be logged and all
        failed decisions are logged. This should include requests with relevant metadata
        needed for security investigations.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les d\xE9cisions de contr\xF4le d'acc\xE8\
            s peuvent \xEAtre enregistr\xE9es et que toutes les d\xE9cisions qui ont\
            \ \xE9chou\xE9 sont enregistr\xE9es. Cela devrait inclure les demandes\
            \ avec les m\xE9tadonn\xE9es pertinentes n\xE9cessaires aux enqu\xEAtes\
            \ de s\xE9curit\xE9."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7
      ref_id: V7.3
      name: Log Protection
      translations:
        fr:
          name: "Exigences en mati\xE8re de protection des journaux"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.3
      ref_id: V7.3.1
      description: Verify that all logging components appropriately encode data to
        prevent log injection. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application encode correctement les donn\xE9\
            es fournies par l'utilisateur pour \xE9viter l'injection de logs. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.3
      ref_id: V7.3.3
      description: Verify that security logs are protected from unauthorized access
        and modification. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les journaux de s\xE9curit\xE9 sont prot\xE9\
            g\xE9s contre tout acc\xE8s et toute modification non autoris\xE9s. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.3.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.3
      ref_id: V7.3.4
      description: Verify that time sources are synchronized to the correct time and
        time zone. Strongly consider logging only in UTC if systems are global to
        assist with post-incident forensic analysis. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les sources de temps sont synchronis\xE9es\
            \ avec l'heure et le fuseau horaire corrects. Envisager s\xE9rieusement\
            \ de n'enregistrer les donn\xE9es qu'en UTC si les syst\xE8mes sont globaux\
            \ pour faciliter l'analyse criminalistique post-incident. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7
      ref_id: V7.4
      name: Error Handling
      translations:
        fr:
          name: Traitement des erreurs
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.4
      ref_id: V7.4.1
      description: Verify that a generic message is shown when an unexpected or security
        sensitive error occurs, potentially with a unique ID which support personnel
        can use to investigate. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'un message g\xE9n\xE9rique s'affiche lorsqu'une\
            \ erreur inattendue ou sensible \xE0 la s\xE9curit\xE9 se produit, \xE9\
            ventuellement avec un identifiant unique que le personnel de soutien peut\
            \ utiliser pour enqu\xEAter.  ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.4
      ref_id: V7.4.2
      description: Verify that exception handling (or a functional equivalent) is
        used across the codebase to account for expected and unexpected error conditions.
        ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le traitement des exceptions est utilis\xE9\
            \ dans toute le code source pour tenir compte des conditions d'erreur\
            \ pr\xE9vues et impr\xE9vues. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.4.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v7.4
      ref_id: V7.4.3
      description: Verify that a "last resort" error handler is defined which will
        catch all unhandled exceptions. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'un gestionnaire d'erreurs de \"dernier recours\"\
            \ est d\xE9fini, qui prendra en compte toutes les exceptions non trait\xE9\
            es. ([C10](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8
      assessable: false
      depth: 1
      ref_id: V8
      name: Data Protection
      translations:
        fr:
          name: "Exigences de v\xE9rification de la protection des donn\xE9es"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8
      ref_id: V8.1
      name: General Data Protection
      translations:
        fr:
          name: "Protection g\xE9n\xE9rale des donn\xE9es"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1
      ref_id: V8.1.1
      description: Verify the application protects sensitive data from being cached
        in server components such as load balancers and application caches.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application prot\xE8ge les donn\xE9es sensibles\
            \ contre la mise en cache dans des composants du serveur tels que les\
            \ \xE9quilibreurs de charge et les caches d'applications."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1
      ref_id: V8.1.2
      description: Verify that all cached or temporary copies of sensitive data stored
        on the server are protected from unauthorized access or purged/invalidated
        after the authorized user accesses the sensitive data.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que toutes les copies en cache ou temporaires\
            \ de donn\xE9es sensibles stock\xE9es sur le serveur sont prot\xE9g\xE9\
            es contre tout acc\xE8s non autoris\xE9 ou purg\xE9es/invalid\xE9es apr\xE8\
            s que l'utilisateur autoris\xE9 a acc\xE9d\xE9 aux donn\xE9es sensibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1
      ref_id: V8.1.3
      description: Verify the application minimizes the number of parameters in a
        request, such as hidden fields, Ajax variables, cookies and header values.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application minimise le nombre de param\xE8\
            tres dans une requ\xEAte, tels que les champs cach\xE9s, les variables\
            \ Ajax, les cookies et les valeurs d'en-t\xEAte."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1
      ref_id: V8.1.4
      description: Verify the application can detect and alert on abnormal numbers
        of requests, such as by IP, user, total per hour or day, or whatever makes
        sense for the application.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application peut d\xE9tecter et alerter\
            \ sur un nombre anormal de demandes, par exemple par IP, par utilisateur,\
            \ par total par heure ou par jour, ou tout ce qui a un sens pour l'application."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1
      ref_id: V8.1.5
      description: Verify that regular backups of important data are performed and
        that test restoration of data is performed.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que des sauvegardes r\xE9guli\xE8res des donn\xE9\
            es importantes sont effectu\xE9es et que des tests de restauration des\
            \ donn\xE9es sont effectu\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.1
      ref_id: V8.1.6
      description: Verify that backups are stored securely to prevent data from being
        stolen or corrupted.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les sauvegardes sont stock\xE9es en toute\
            \ s\xE9curit\xE9 pour \xE9viter que les donn\xE9es ne soient vol\xE9es\
            \ ou corrompues."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8
      ref_id: V8.2
      name: Client-side Data Protection
      translations:
        fr:
          name: "Protection des donn\xE9es c\xF4t\xE9 client"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.2
      ref_id: V8.2.1
      description: Verify the application sets sufficient anti-caching headers so
        that sensitive data is not cached in modern browsers.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application d\xE9finit suffisamment d'en-t\xEA\
            tes anticaching pour que les donn\xE9es sensibles ne soient pas mises\
            \ en cache dans les navigateurs modernes."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.2
      ref_id: V8.2.2
      description: Verify that data stored in browser storage (such as localStorage,
        sessionStorage, IndexedDB, or cookies) does not contain sensitive data.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les donn\xE9es stock\xE9es dans le stockage\
            \ du navigateur (telles que localStorage, sessionStorage, IndexedDB ou\
            \ cookies) ne contiennent pas de donn\xE9es sensibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.2
      ref_id: V8.2.3
      description: Verify that authenticated data is cleared from client storage,
        such as the browser DOM, after the client or session is terminated.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les donn\xE9es authentifi\xE9es sont effac\xE9\
            es du stockage du client, tel que le DOM du navigateur, apr\xE8s la fin\
            \ du client ou de la session."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8
      ref_id: V8.3
      name: Sensitive Private Data
      translations:
        fr:
          name: "Donn\xE9es priv\xE9es sensibles"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.1
      description: Verify that sensitive data is sent to the server in the HTTP message
        body or headers, and that query string parameters from any HTTP verb do not
        contain sensitive data.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les donn\xE9es sensibles sont envoy\xE9es\
            \ au serveur dans le corps ou les en-t\xEAtes du message HTTP, et que\
            \ les param\xE8tres de la cha\xEEne de requ\xEAte de tout verbe HTTP ne\
            \ contiennent pas de donn\xE9es sensibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.2
      description: Verify that users have a method to remove or export their data
        on demand.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les utilisateurs disposent d'une m\xE9thode\
            \ pour supprimer ou exporter leurs donn\xE9es sur demande."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.3
      description: Verify that users are provided clear language regarding collection
        and use of supplied personal information and that users have provided opt-in
        consent for the use of that data before it is used in any way.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les utilisateurs disposent d'un langage clair\
            \ concernant la collecte et l'utilisation des informations personnelles\
            \ fournies et que les utilisateurs ont donn\xE9 leur consentement pour\
            \ l'utilisation de ces donn\xE9es avant qu'elles ne soient utilis\xE9\
            es de quelque mani\xE8re que ce soit."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.4
      description: Verify that all sensitive data created and processed by the application
        has been identified, and ensure that a policy is in place on how to deal with
        sensitive data. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que toutes les donn\xE9es sensibles cr\xE9\xE9\
            es et trait\xE9es par l'application ont \xE9t\xE9 identifi\xE9es, et s'assurer\
            \ qu'une politique est en place sur la mani\xE8re de traiter les donn\xE9\
            es sensibles. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.5
      description: Verify accessing sensitive data is audited (without logging the
        sensitive data itself), if the data is collected under relevant data protection
        directives or where logging of access is required.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'acc\xE8s aux donn\xE9es sensibles est contr\xF4\
            l\xE9 (sans enregistrer les donn\xE9es sensibles elles-m\xEAmes), si les\
            \ donn\xE9es sont collect\xE9es en vertu des directives pertinentes sur\
            \ la protection des donn\xE9es ou si l'enregistrement de l'acc\xE8s est\
            \ n\xE9cessaire."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.6
      description: Verify that sensitive information contained in memory is overwritten
        as soon as it is no longer required to mitigate memory dumping attacks, using
        zeroes or random data.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les informations sensibles contenues dans\
            \ la m\xE9moire sont \xE9cras\xE9es d\xE8s qu'elles ne sont plus n\xE9\
            cessaires pour att\xE9nuer les attaques de vidage de la m\xE9moire, en\
            \ utilisant des z\xE9ros ou des donn\xE9es al\xE9atoires."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.7
      description: Verify that sensitive or private information that is required to
        be encrypted, is encrypted using approved algorithms that provide both confidentiality
        and integrity. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les informations sensibles ou priv\xE9es qui\
            \ doivent \xEAtre chiffr\xE9es, le sont \xE0 l'aide d'algorithmes approuv\xE9\
            s qui assurent \xE0 la fois la confidentialit\xE9 et l'int\xE9grit\xE9\
            . ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v8.3
      ref_id: V8.3.8
      description: Verify that sensitive personal information is subject to data retention
        classification, such that old or out of date data is deleted automatically,
        on a schedule, or as the situation requires.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les informations personnelles sensibles font\
            \ l'objet d'une classification de conservation des donn\xE9es, de sorte\
            \ que les donn\xE9es anciennes ou p\xE9rim\xE9es soient supprim\xE9es\
            \ automatiquement, selon un calendrier ou selon la situation."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9
      assessable: false
      depth: 1
      ref_id: V9
      name: Communication
      translations:
        fr:
          name: "Exigences de v\xE9rification des communications"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9
      ref_id: V9.1
      name: Client Communication Security
      translations:
        fr:
          name: "Exigences de s\xE9curit\xE9 des communications des clients"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.1
      ref_id: V9.1.1
      description: Verify that TLS is used for all client connectivity, and does not
        fall back to insecure or unencrypted communications. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le TLS s\xE9curis\xE9 est utilis\xE9 pour\
            \ toutes les connexions des clients et ne revient pas \xE0 des protocoles\
            \ non s\xE9curis\xE9s ou non chiffr\xE9s. ([C8](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.1
      ref_id: V9.1.2
      description: Verify using up to date TLS testing tools that only strong cipher
        suites are enabled, with the strongest cipher suites set as preferred.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez \xE0 l'aide d'outils de test TLS en ligne ou actualis\xE9\
            s que seuls les algorithmes, les chiffrages et les protocoles puissants\
            \ sont activ\xE9s, les algorithmes et les chiffrages les plus puissants\
            \ \xE9tant d\xE9finis de pr\xE9f\xE9rence."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.1
      ref_id: V9.1.3
      description: Verify that only the latest recommended versions of the TLS protocol
        are enabled, such as TLS 1.2 and TLS 1.3. The latest version of the TLS protocol
        should be the preferred option.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que seules les derni\xE8res versions recommand\xE9\
            es du protocole TLS sont activ\xE9es, telles que TLS 1.2 et TLS 1.3. La\
            \ derni\xE8re version du protocole TLS doit \xEAtre l'option pr\xE9f\xE9\
            r\xE9e."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9
      ref_id: V9.2
      name: Server Communication Security
      translations:
        fr:
          name: "Exigences de s\xE9curit\xE9 des communications du serveur"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2
      ref_id: V9.2.1
      description: Verify that connections to and from the server use trusted TLS
        certificates. Where internally generated or self-signed certificates are used,
        the server must be configured to only trust specific internal CAs and specific
        self-signed certificates. All others should be rejected.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les connexions vers et depuis le serveur utilisent\
            \ des certificats TLS de confiance. Lorsque des certificats g\xE9n\xE9\
            r\xE9s en interne ou auto-sign\xE9s sont utilis\xE9s, le serveur doit\
            \ \xEAtre configur\xE9 pour ne faire confiance qu'\xE0 des AC internes\
            \ sp\xE9cifiques et \xE0 des certificats auto-sign\xE9s sp\xE9cifiques.\
            \ Tous les autres doivent \xEAtre rejet\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2
      ref_id: V9.2.2
      description: Verify that encrypted communications such as TLS is used for all
        inbound and outbound connections, including for management ports, monitoring,
        authentication, API, or web service calls, database, cloud, serverless, mainframe,
        external, and partner connections. The server must not fall back to insecure
        or unencrypted protocols.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les communications chiffr\xE9es telles que\
            \ TLS sont utilis\xE9es pour toutes les connexions entrantes et sortantes,\
            \ y compris pour les ports de gestion, la surveillance, l'authentification,\
            \ les appels d'API ou de service web, les connexions de base de donn\xE9\
            es, de nuage, sans serveur, d'ordinateur central, externes et de partenaires.\
            \ Le serveur ne doit pas se rabattre sur des protocoles non s\xE9curis\xE9\
            s ou non chiffr\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2
      ref_id: V9.2.3
      description: Verify that all encrypted connections to external systems that
        involve sensitive information or functions are authenticated.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les connexions chiffr\xE9es \xE0 des\
            \ syst\xE8mes externes qui impliquent des informations ou des fonctions\
            \ sensibles sont authentifi\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2
      ref_id: V9.2.4
      description: Verify that proper certification revocation, such as Online Certificate
        Status Protocol (OCSP) Stapling, is enabled and configured.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la r\xE9vocation de certification appropri\xE9\
            e, telle que le protocol OCSP (Online Certificate Status Protocol), est\
            \ activ\xE9e et configur\xE9e."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v9.2
      ref_id: V9.2.5
      description: Verify that backend TLS connection failures are logged.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les \xE9checs de connexion TLS en arri\xE8\
            re-plan sont enregistr\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10
      assessable: false
      depth: 1
      ref_id: V10
      name: Malicious Code
      translations:
        fr:
          name: "Exigences de v\xE9rification des codes malveillants"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10
      ref_id: V10.1
      name: Code Integrity
      translations:
        fr:
          name: "Contr\xF4les de l'int\xE9grit\xE9 du code"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.1
      ref_id: V10.1.1
      description: Verify that a code analysis tool is in use that can detect potentially
        malicious code, such as time functions, unsafe file operations and network
        connections.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'un outil d'analyse de code est utilis\xE9 pour\
            \ d\xE9tecter les codes potentiellement malveillants, tels que les fonctions\
            \ temporelles, les op\xE9rations de fichiers et les connexions r\xE9seau\
            \ non s\xE9curis\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10
      ref_id: V10.2
      name: Malicious Code Search
      translations:
        fr:
          name: Recherche de code malveillant
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2
      ref_id: V10.2.1
      description: Verify that the application source code and third party libraries
        do not contain unauthorized phone home or data collection capabilities. Where
        such functionality exists, obtain the user's permission for it to operate
        before collecting any data.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le code source de l'application et les biblioth\xE8\
            ques tierces ne contiennent pas de \"t\xE9l\xE9phone \xE0 la maison\"\
            \ ou de capacit\xE9s de collecte de donn\xE9es non autoris\xE9es. Lorsque\
            \ de telles fonctionnalit\xE9s existent, obtenez l'autorisation de l'utilisateur\
            \ pour leur fonctionnement avant de collecter des donn\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2
      ref_id: V10.2.2
      description: Verify that the application does not ask for unnecessary or excessive
        permissions to privacy related features or sensors, such as contacts, cameras,
        microphones, or location.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application ne demande pas d'autorisations\
            \ inutiles ou excessives pour les caract\xE9ristiques ou capteurs li\xE9\
            s \xE0 la vie priv\xE9e, tels que les contacts, les cam\xE9ras, les microphones\
            \ ou l'emplacement."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2
      ref_id: V10.2.3
      description: Verify that the application source code and third party libraries
        do not contain back doors, such as hard-coded or additional undocumented accounts
        or keys, code obfuscation, undocumented binary blobs, rootkits, or anti-debugging,
        insecure debugging features, or otherwise out of date, insecure, or hidden
        functionality that could be used maliciously if discovered.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le code source de l'application et les biblioth\xE8\
            ques tierces ne contiennent pas de portes d\xE9rob\xE9es, telles que des\
            \ comptes ou des cl\xE9s cod\xE9es en dur ou suppl\xE9mentaires non document\xE9\
            es, des obscurcissements de code, des blobs binaires non document\xE9\
            s, des rootkits, ou des fonctions de d\xE9bogage anti-d\xE9bogage, non\
            \ s\xE9curis\xE9es, ou encore des fonctionnalit\xE9s obsol\xE8tes, non\
            \ s\xE9curis\xE9es ou cach\xE9es qui pourraient \xEAtre utilis\xE9es de\
            \ mani\xE8re malveillante si elles \xE9taient d\xE9couvertes."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2
      ref_id: V10.2.4
      description: Verify that the application source code and third party libraries
        do not contain time bombs by searching for date and time related functions.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le code source de l'application et les biblioth\xE8\
            ques tierces ne contiennent pas de bombes \xE0 retardement en recherchant\
            \ les fonctions li\xE9es \xE0 la date et \xE0 l'heure."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2
      ref_id: V10.2.5
      description: Verify that the application source code and third party libraries
        do not contain malicious code, such as salami attacks, logic bypasses, or
        logic bombs.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le code source de l'application et les biblioth\xE8\
            ques tierces ne contiennent pas de code malveillant, tel que des attaques\
            \ de type salami, des contournements logiques ou des bombes logiques."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.2
      ref_id: V10.2.6
      description: Verify that the application source code and third party libraries
        do not contain Easter eggs or any other potentially unwanted functionality.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le code source de l'application et les biblioth\xE8\
            ques tierces ne contiennent pas d'\u0153ufs de P\xE2ques ou toute autre\
            \ fonctionnalit\xE9 potentiellement ind\xE9sirable."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10
      ref_id: V10.3
      name: Application Integrity
      translations:
        fr:
          name: "Contr\xF4les d'int\xE9grit\xE9 des applications d\xE9ploy\xE9es"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.3
      ref_id: V10.3.1
      description: Verify that if the application has a client or server auto-update
        feature, updates should be obtained over secure channels and digitally signed.
        The update code must validate the digital signature of the update before installing
        or executing the update.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que si l'application dispose d'une fonction de\
            \ mise \xE0 jour automatique du client ou du serveur, les mises \xE0 jour\
            \ doivent \xEAtre obtenues par des canaux s\xE9curis\xE9s et sign\xE9\
            es num\xE9riquement. Le code de mise \xE0 jour doit valider la signature\
            \ num\xE9rique de la mise \xE0 jour avant l'installation ou l'ex\xE9cution\
            \ de la mise \xE0 jour."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.3
      ref_id: V10.3.2
      description: Verify that the application employs integrity protections, such
        as code signing or subresource integrity. The application must not load or
        execute code from untrusted sources, such as loading includes, modules, plugins,
        code, or libraries from untrusted sources or the Internet.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application utilise des protections d'int\xE9\
            grit\xE9, telles que la signature de code ou l'int\xE9grit\xE9 des sous-ressources.\
            \ L'application ne doit pas charger ou ex\xE9cuter du code provenant de\
            \ sources non fiables, comme des includes de chargement, des modules,\
            \ des plugins, du code ou des biblioth\xE8ques provenant de sources non\
            \ fiables ou de l'Internet."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v10.3
      ref_id: V10.3.3
      description: Verify that the application has protection from subdomain takeovers
        if the application relies upon DNS entries or DNS subdomains, such as expired
        domain names, out of date DNS pointers or CNAMEs, expired projects at public
        source code repos, or transient cloud APIs, serverless functions, or storage
        buckets (*autogen-bucket-id*.cloud.example.com) or similar. Protections can
        include ensuring that DNS names used by applications are regularly checked
        for expiry or change.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application est prot\xE9g\xE9e contre les\
            \ reprises de sous-domaines si elle repose sur des entr\xE9es DNS ou des\
            \ sous-domaines DNS, tels que des noms de domaine expir\xE9s, des pointeurs\
            \ DNS ou CNAME obsol\xE8tes, des projets expir\xE9s dans des d\xE9p\xF4\
            ts de code source publics, ou des API de nuages transitoires, des fonctions\
            \ sans serveur, ou des espaces de stockage (*autogen-bucket-id*.cloud.example.com)\
            \ ou similaires. Les protections peuvent consister \xE0 s'assurer que\
            \ les noms DNS utilis\xE9s par les applications sont r\xE9guli\xE8rement\
            \ v\xE9rifi\xE9s pour d\xE9tecter toute expiration ou modification."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11
      assessable: false
      depth: 1
      ref_id: V11
      name: Business Logic
      translations:
        fr:
          name: "Exigences de v\xE9rification de la logique d'entreprise"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11
      ref_id: V11.1
      name: Business Logic Security
      translations:
        fr:
          name: "Exigences de s\xE9curit\xE9 de la logique d'entreprise"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.1
      description: Verify that the application will only process business logic flows
        for the same user in sequential step order and without skipping steps.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application traitera seulement les flux\
            \ de logique m\xE9tier pour un utilisateur dans l'ordre s\xE9quentiel\
            \ des \xE9tapes et sans sauter d'\xE9tapes."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.2
      description: Verify that the application will only process business logic flows
        with all steps being processed in realistic human time, i.e. transactions
        are not submitted too quickly.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application ne traitera que des flux de\
            \ logique m\xE9tier dont toutes les \xE9tapes sont trait\xE9es dans un\
            \ temps humain r\xE9aliste, c'est-\xE0-dire que les transactions ne sont\
            \ pas soumises trop rapidement."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.3
      description: Verify the application has appropriate limits for specific business
        actions or transactions which are correctly enforced on a per user basis.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application comporte des limites appropri\xE9\
            es pour des actions ou des transactions commerciales sp\xE9cifiques qui\
            \ sont correctement ex\xE9cut\xE9es par utilisateur."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.4
      description: Verify that the application has anti-automation controls to protect
        against excessive calls such as mass data exfiltration, business logic requests,
        file uploads or denial of service attacks.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application dispose de contr\xF4les anti-automatisation\
            \ suffisants pour d\xE9tecter et prot\xE9ger contre l'exfiltration de\
            \ donn\xE9es, les demandes excessives de logique m\xE9tiers, les t\xE9\
            l\xE9chargements excessifs de fichiers ou les attaques par d\xE9ni de\
            \ service."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.5
      description: Verify the application has business logic limits or validation
        to protect against likely business risks or threats, identified using threat
        modeling or similar methodologies.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application a des limites ou une validation\
            \ de la logique m\xE9tier pour se prot\xE9ger contre les risques ou les\
            \ menaces commerciales probables, identifi\xE9s \xE0 l'aide de la mod\xE9\
            lisation des menaces ou de m\xE9thodologies similaires."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.6
      description: Verify that the application does not suffer from "Time Of Check
        to Time Of Use" (TOCTOU) issues or other race conditions for sensitive operations.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la demande ne souffre pas de probl\xE8mes\
            \ de \"temps de contr\xF4le au moment de l'utilisation\" (TOCTOU) ou d'autres\
            \ situation de comp\xE9tition (race condition) pour les op\xE9rations\
            \ sensibles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.7
      description: Verify that the application monitors for unusual events or activity
        from a business logic perspective. For example, attempts to perform actions
        out of order or actions which a normal user would never attempt. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les moniteurs de demande ne pr\xE9sentent\
            \ pas d'\xE9v\xE9nements ou d'activit\xE9s inhabituels du point de vue\
            \ de la logique m\xE9tier. Par exemple, des tentatives d'effectuer des\
            \ actions hors service ou des actions qu'un utilisateur normal ne tenterait\
            \ jamais. ([C9](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v11.1
      ref_id: V11.1.8
      description: Verify that the application has configurable alerting when automated
        attacks or unusual activity is detected.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application dispose d'alertes configurables\
            \ lorsque des attaques automatis\xE9es ou une activit\xE9 inhabituelle\
            \ sont d\xE9tect\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12
      assessable: false
      depth: 1
      ref_id: V12
      name: Files and Resources
      translations:
        fr:
          name: "Exigences de v\xE9rification des dossiers et des ressources"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12
      ref_id: V12.1
      name: File Upload
      translations:
        fr:
          name: "Exigences pour le t\xE9l\xE9chargement de fichiers"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.1
      ref_id: V12.1.1
      description: Verify that the application will not accept large files that could
        fill up storage or cause a denial of service.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application n'accepte pas de fichiers volumineux\
            \ qui pourraient remplir l'espace de stockage ou provoquer un d\xE9ni\
            \ de service."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.1
      ref_id: V12.1.2
      description: Verify that the application checks compressed files (e.g. zip,
        gz, docx, odt) against maximum allowed uncompressed size and against maximum
        number of files before uncompressing the file.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application contr\xF4le les fichiers compress\xE9\
            s (par exemple, zip, gz, docx, odt) par rapport \xE0 la taille maximale\
            \ autoris\xE9e non compress\xE9e et au nombre maximal de fichiers avant\
            \ de d\xE9compresser le fichier."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.1
      ref_id: V12.1.3
      description: Verify that a file size quota and maximum number of files per user
        is enforced to ensure that a single user cannot fill up the storage with too
        many files, or excessively large files.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'un quota de taille de fichier et un nombre\
            \ maximum de fichiers par utilisateur sont appliqu\xE9s pour s'assurer\
            \ qu'un seul utilisateur ne peut pas remplir le stockage avec trop de\
            \ fichiers, ou des fichiers excessivement gros."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12
      ref_id: V12.2
      name: File Integrity
      translations:
        fr:
          name: "Exigences en mati\xE8re d'int\xE9grit\xE9 des fichiers"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.2
      ref_id: V12.2.1
      description: Verify that files obtained from untrusted sources are validated
        to be of expected type based on the file's content.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les fichiers obtenus de sources non fiables\
            \ sont valid\xE9s comme \xE9tant du type attendu en fonction du contenu\
            \ du fichier."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12
      ref_id: V12.3
      name: File Execution
      translations:
        fr:
          name: "Exigences relatives \xE0 l'ex\xE9cution des fichiers"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3
      ref_id: V12.3.1
      description: Verify that user-submitted filename metadata is not used directly
        by system or framework filesystems and that a URL API is used to protect against
        path traversal.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les m\xE9tadonn\xE9es de nom de fichier soumises\
            \ par l'utilisateur ne sont pas utilis\xE9es directement par les syst\xE8\
            mes de fichiers du syst\xE8me ou du cadre et qu'une API URL est utilis\xE9\
            e pour prot\xE9ger contre la travers\xE9e du chemin (path traversal)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3
      ref_id: V12.3.2
      description: Verify that user-submitted filename metadata is validated or ignored
        to prevent the disclosure, creation, updating or removal of local files (LFI).
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les m\xE9tadonn\xE9es de nom de fichier soumises\
            \ par l'utilisateur sont valid\xE9es ou ignor\xE9es pour emp\xEAcher la\
            \ divulgation, la cr\xE9ation, la mise \xE0 jour ou la suppression de\
            \ fichiers locaux (LFI)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3
      ref_id: V12.3.3
      description: Verify that user-submitted filename metadata is validated or ignored
        to prevent the disclosure or execution of remote files via Remote File Inclusion
        (RFI) or Server-side Request Forgery (SSRF) attacks.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les m\xE9tadonn\xE9es de nom de fichier soumises\
            \ par l'utilisateur sont valid\xE9es ou ignor\xE9es pour emp\xEAcher la\
            \ divulgation ou l'ex\xE9cution de fichiers distants (RFI), qui peuvent\
            \ \xE9galement conduire \xE0 des SSRF. "
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3
      ref_id: V12.3.4
      description: Verify that the application protects against Reflective File Download
        (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP,
        or URL parameter, the response Content-Type header should be set to text/plain,
        and the Content-Disposition header should have a fixed filename.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application prot\xE8ge contre le t\xE9l\xE9\
            chargement de fichiers r\xE9fl\xE9chis (RFD) en validant ou en ignorant\
            \ les noms de fichiers soumis par les utilisateurs dans un param\xE8tre\
            \ JSON, JSONP ou URL, l'en-t\xEAte Content-Type de la r\xE9ponse doit\
            \ \xEAtre d\xE9fini sur text/plain, et l'en-t\xEAte Content-Disposition\
            \ doit avoir un nom de fichier fixe."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3
      ref_id: V12.3.5
      description: Verify that untrusted file metadata is not used directly with system
        API or libraries, to protect against OS command injection.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les m\xE9tadonn\xE9es de fichiers non fiables\
            \ ne sont pas utilis\xE9es directement avec l'API syst\xE8me ou les biblioth\xE8\
            ques, pour se prot\xE9ger contre l'injection de commandes du syst\xE8\
            me d'exploitation."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.3
      ref_id: V12.3.6
      description: Verify that the application does not include and execute functionality
        from untrusted sources, such as unverified content distribution networks,
        JavaScript libraries, node npm libraries, or server-side DLLs.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application n'inclut pas et n'ex\xE9cute\
            \ pas de fonctionnalit\xE9s provenant de sources non fiables, telles que\
            \ des r\xE9seaux de distribution de contenu non v\xE9rifi\xE9s, des biblioth\xE8\
            ques JavaScript, des biblioth\xE8ques node npm ou des DLL c\xF4t\xE9 serveur."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12
      ref_id: V12.4
      name: File Storage
      translations:
        fr:
          name: "Exigences en mati\xE8re de stockage des fichiers"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.4
      ref_id: V12.4.1
      description: Verify that files obtained from untrusted sources are stored outside
        the web root, with limited permissions.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les fichiers obtenus \xE0 partir de sources\
            \ non fiables sont stock\xE9s en dehors de la racine Web, avec des autorisations\
            \ limit\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.4
      ref_id: V12.4.2
      description: Verify that files obtained from untrusted sources are scanned by
        antivirus scanners to prevent upload and serving of known malicious content.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les fichiers obtenus de sources non fiables\
            \ sont analys\xE9s par des scanners antivirus pour emp\xEAcher le t\xE9\
            l\xE9chargement de contenus malveillants connus."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12
      ref_id: V12.5
      name: File Download
      translations:
        fr:
          name: "Exigences de t\xE9l\xE9chargement des fichiers"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.5
      ref_id: V12.5.1
      description: Verify that the web tier is configured to serve only files with
        specific file extensions to prevent unintentional information and source code
        leakage. For example, backup files (e.g. .bak), temporary working files (e.g.
        .swp), compressed files (.zip, .tar.gz, etc) and other extensions commonly
        used by editors should be blocked unless required.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'application web est configur\xE9 pour ne\
            \ servir que les fichiers ayant des extensions de fichier sp\xE9cifiques\
            \ afin d'\xE9viter les informations involontaires et les fuites de code\
            \ source. Par exemple, les fichiers de sauvegarde (par exemple .bak),\
            \ les fichiers de travail temporaires (par exemple .swp), les fichiers\
            \ compress\xE9s (.zip, .tar.gz, etc) et les autres extensions couramment\
            \ utilis\xE9es par les \xE9diteurs doivent \xEAtre bloqu\xE9s, sauf si\
            \ cela est n\xE9cessaire."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.5
      ref_id: V12.5.2
      description: Verify that direct requests to uploaded files will never be executed
        as HTML/JavaScript content.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les demandes directes aux fichiers t\xE9l\xE9\
            charg\xE9s ne seront jamais ex\xE9cut\xE9es en tant que contenu HTML/JavaScript."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.6
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12
      ref_id: V12.6
      name: SSRF Protection
      translations:
        fr:
          name: Exigences de protection des SSRF
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.6.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v12.6
      ref_id: V12.6.1
      description: Verify that the web or application server is configured with an
        allow list of resources or systems to which the server can send requests or
        load data/files from.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le serveur web ou d'application est configur\xE9\
            \ avec une liste d'autorisation de ressources ou de syst\xE8mes \xE0 partir\
            \ desquels le serveur peut envoyer des requ\xEAtes ou charger des donn\xE9\
            es/fichiers."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13
      assessable: false
      depth: 1
      ref_id: V13
      name: API and Web Service
      translations:
        fr:
          name: "Exigences de v\xE9rification des API et des services Web"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13
      ref_id: V13.1
      name: Generic Web Service Security
      translations:
        fr:
          name: "Exigences g\xE9n\xE9riques de v\xE9rification de la s\xE9curit\xE9\
            \ des services web"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1
      ref_id: V13.1.1
      description: Verify that all application components use the same encodings and
        parsers to avoid parsing attacks that exploit different URI or file parsing
        behavior that could be used in SSRF and RFI attacks.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que tous les composants de l'application utilisent\
            \ les m\xEAmes encodages et analyseurs pour \xE9viter les attaques par\
            \ analyse qui exploitent des comportements diff\xE9rents d'URI ou d'analyse\
            \ de fichiers qui pourraient \xEAtre utilis\xE9s dans les attaques SSRF\
            \ et RFI."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1
      ref_id: V13.1.3
      description: Verify API URLs do not expose sensitive information, such as the
        API key, session tokens etc.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les URL des API n'exposent pas d'informations\
            \ sensibles, telles que la cl\xE9 API, les jetons de session, etc."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1
      ref_id: V13.1.4
      description: Verify that authorization decisions are made at both the URI, enforced
        by programmatic or declarative security at the controller or router, and at
        the resource level, enforced by model-based permissions.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les d\xE9cisions d'autorisation sont prises\
            \ \xE0 la fois \xE0 l'URI, appliqu\xE9es par la s\xE9curit\xE9 programmatique\
            \ ou d\xE9clarative au niveau du contr\xF4leur ou du routeur, et au niveau\
            \ des ressources, appliqu\xE9es par des autorisations bas\xE9es sur des\
            \ mod\xE8les de permission."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.1
      ref_id: V13.1.5
      description: Verify that requests containing unexpected or missing content types
        are rejected with appropriate headers (HTTP response status 406 Unacceptable
        or 415 Unsupported Media Type).
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les demandes contenant des types de contenu\
            \ inattendus ou manquants sont rejet\xE9es avec les en-t\xEAtes appropri\xE9\
            s (statut de r\xE9ponse HTTP 406 Inacceptable ou 415 Type de support non\
            \ pris en charge)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13
      ref_id: V13.2
      name: RESTful Web Service
      translations:
        fr:
          name: "Exigences de v\xE9rification pour les services web de type RESTful"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2
      ref_id: V13.2.1
      description: Verify that enabled RESTful HTTP methods are a valid choice for
        the user or action, such as preventing normal users using DELETE or PUT on
        protected API or resources.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les m\xE9thodes HTTP RESTful activ\xE9es sont\
            \ un choix valable pour l'utilisateur ou une action, comme par exemple\
            \ emp\xEAcher les utilisateurs normaux d'utiliser le verbe DELETE ou PUT\
            \ sur des API ou des ressources prot\xE9g\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2
      ref_id: V13.2.2
      description: Verify that JSON schema validation is in place and verified before
        accepting input.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que la validation du sch\xE9ma JSON est en place\
            \ et v\xE9rifi\xE9e avant d'accepter la saisie."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2
      ref_id: V13.2.3
      description: 'Verify that RESTful web services that utilize cookies are protected
        from Cross-Site Request Forgery via the use of at least one or more of the
        following: double submit cookie pattern, CSRF nonces, or Origin request header
        checks.'
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les services Web RESTful qui utilisent des\
            \ cookies sont prot\xE9g\xE9s contre la falsification de requ\xEAte intersite\
            \ via l'utilisation d'au moins un ou plusieurs des \xE9l\xE9ments suivants\_\
            : mod\xE8le de cookie de double soumission, nonces CSRF ou v\xE9rifications\
            \ d'en-t\xEAte de requ\xEAte d'origine."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2
      ref_id: V13.2.5
      description: Verify that REST services explicitly check the incoming Content-Type
        to be the expected one, such as application/xml or application/json.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les services REST v\xE9rifient explicitement\
            \ que le type de contenu entrant est bien celui attendu, par exemple application/xml\
            \ ou application/json."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.2
      ref_id: V13.2.6
      description: Verify that the message headers and payload are trustworthy and
        not modified in transit. Requiring strong encryption for transport (TLS only)
        may be sufficient in many cases as it provides both confidentiality and integrity
        protection. Per-message digital signatures can provide additional assurance
        on top of the transport protections for high-security applications but bring
        with them additional complexity and risks to weigh against the benefits.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les en-t\xEAtes de message et la charge utile\
            \ sont dignes de confiance et non modifi\xE9s en transit. Exiger un chiffrement\
            \ fort pour le transport (TLS uniquement) peut \xEAtre suffisant dans\
            \ de nombreux cas, car il assure \xE0 la fois la confidentialit\xE9 et\
            \ la protection de l'int\xE9grit\xE9. Les signatures num\xE9riques par\
            \ message peuvent fournir une assurance suppl\xE9mentaire en plus des\
            \ protections de transport pour les applications de haute s\xE9curit\xE9\
            , mais apportent avec elles une complexit\xE9 et des risques suppl\xE9\
            mentaires \xE0 peser par rapport aux avantages."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13
      ref_id: V13.3
      name: SOAP Web Service
      translations:
        fr:
          name: "Exigences de v\xE9rification du service web SOAP"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.3
      ref_id: V13.3.1
      description: Verify that XSD schema validation takes place to ensure a properly
        formed XML document, followed by validation of each input field before any
        processing of that data takes place.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que la validation du sch\xE9ma XSD a lieu pour\
            \ garantir un document XML correctement form\xE9, suivie de la validation\
            \ de chaque champ de saisie avant tout traitement de ces donn\xE9es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.3
      ref_id: V13.3.2
      description: Verify that the message payload is signed using WS-Security to
        ensure reliable transport between client and service.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que la charge utile du message est sign\xE9e en\
            \ utilisant WS-Security pour assurer un transport fiable entre le client\
            \ et le service."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13
      ref_id: V13.4
      name: GraphQL
      translations:
        fr:
          name: "GraphQL et autres exigences de s\xE9curit\xE9 de la couche de donn\xE9\
            es des services Web"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.4
      ref_id: V13.4.1
      description: Verify that a query allow list or a combination of depth limiting
        and amount limiting is used to prevent GraphQL or data layer expression Denial
        of Service (DoS) as a result of expensive, nested queries. For more advanced
        scenarios, query cost analysis should be used.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'une liste de requ\xEAtes autoris\xE9es ou une\
            \ combinaison de limitation de la profondeur et de la quantit\xE9 est\
            \ utilis\xE9e pour emp\xEAcher les d\xE9nis de service (DoS) de GraphQL\
            \ ou de l'expression de la couche de donn\xE9es r\xE9sultant de requ\xEA\
            tes imbriqu\xE9es et co\xFBteuses. Pour les sc\xE9narios plus avanc\xE9\
            s, il convient d'utiliser l'analyse du co\xFBt des requ\xEAtes."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v13.4
      ref_id: V13.4.2
      description: Verify that GraphQL or other data layer authorization logic should
        be implemented at the business logic layer instead of the GraphQL layer.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la logique d'autorisation de GraphQL ou d'une\
            \ autre couche de donn\xE9es doit \xEAtre mise en \u0153uvre au niveau\
            \ de la couche de logique d'entreprise au lieu de la couche GraphQL."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14
      assessable: false
      depth: 1
      ref_id: V14
      name: Configuration
      translations:
        fr:
          name: "Exigences de v\xE9rification de la configuration"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14
      ref_id: V14.1
      name: Build and Deploy
      translations:
        fr:
          name: Exigences sur les constructions
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1
      ref_id: V14.1.1
      description: Verify that the application build and deployment processes are
        performed in a secure and repeatable way, such as CI / CD automation, automated
        configuration management, and automated deployment scripts.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les processus de construction et de d\xE9\
            ploiement des applications sont effectu\xE9s de mani\xE8re s\xFBre et\
            \ r\xE9p\xE9table, comme l'automatisation des CI / CD, la gestion automatis\xE9\
            e de la configuration et les scripts de d\xE9ploiement automatis\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1
      ref_id: V14.1.2
      description: Verify that compiler flags are configured to enable all available
        buffer overflow protections and warnings, including stack randomization, data
        execution prevention, and to break the build if an unsafe pointer, memory,
        format string, integer, or string operations are found.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les drapeaux du compilateur sont configur\xE9\
            s pour activer toutes les protections et les avertissements disponibles\
            \ contre les d\xE9bordements de m\xE9moire tampon, y compris la randomisation\
            \ de la pile, la pr\xE9vention de l'ex\xE9cution des donn\xE9es, et pour\
            \ casser la compilation si un pointeur, une m\xE9moire, une cha\xEEne\
            \ de format, un entier ou une cha\xEEne de caract\xE8res dangereux sont\
            \ trouv\xE9s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1
      ref_id: V14.1.3
      description: Verify that server configuration is hardened as per the recommendations
        of the application server and frameworks in use.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la configuration du serveur est durcie conform\xE9\
            ment aux recommandations du serveur d'application et des frameworks utilis\xE9\
            s."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1
      ref_id: V14.1.4
      description: Verify that the application, configuration, and all dependencies
        can be re-deployed using automated deployment scripts, built from a documented
        and tested runbook in a reasonable time, or restored from backups in a timely
        fashion.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que l'application, la configuration et toutes\
            \ les d\xE9pendances peuvent \xEAtre red\xE9ploy\xE9es \xE0 l'aide de\
            \ scripts de d\xE9ploiement automatis\xE9s, construites \xE0 partir d'un\
            \ runbook document\xE9 et test\xE9 dans un d\xE9lai raisonnable, ou restaur\xE9\
            es \xE0 partir de sauvegardes en temps utile."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.1
      ref_id: V14.1.5
      description: Verify that authorized administrators can verify the integrity
        of all security-relevant configurations to detect tampering.
      implementation_groups:
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les administrateurs autoris\xE9s peuvent v\xE9\
            rifier l'int\xE9grit\xE9 de toutes les configurations pertinentes pour\
            \ la s\xE9curit\xE9 afin de d\xE9tecter les alt\xE9rations."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14
      ref_id: V14.2
      name: Dependency
      translations:
        fr:
          name: "Exigences sur les d\xE9pendances"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2
      ref_id: V14.2.1
      description: Verify that all components are up to date, preferably using a dependency
        checker during build or compile time. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que tous les composants sont \xE0 jour, de pr\xE9\
            f\xE9rence en utilisant un v\xE9rificateur de d\xE9pendances pendant le\
            \ temps de construction ou de compilation. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2
      ref_id: V14.2.2
      description: Verify that all unneeded features, documentation, sample applications
        and configurations are removed.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les fonctionnalit\xE9s, la documentation,\
            \ les applications d'exemple et les configurations inutiles sont supprim\xE9\
            es."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2
      ref_id: V14.2.3
      description: Verify that if application assets, such as JavaScript libraries,
        CSS or web fonts, are hosted externally on a Content Delivery Network (CDN)
        or external provider, Subresource Integrity (SRI) is used to validate the
        integrity of the asset.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que si les actifs d'application, tels que les\
            \ biblioth\xE8ques JavaScript, les feuilles de style CSS ou les polices\
            \ web, sont h\xE9berg\xE9s en externe sur un r\xE9seau de diffusion de\
            \ contenu (CDN) ou un fournisseur externe, l'int\xE9grit\xE9 des sous-ressources\
            \ (SRI) est utilis\xE9e pour valider l'int\xE9grit\xE9 de l'actif."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2
      ref_id: V14.2.4
      description: Verify that third party components come from pre-defined, trusted
        and continually maintained repositories. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les composants tiers proviennent de d\xE9\
            p\xF4ts pr\xE9d\xE9finis, fiables et continuellement entretenus. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2
      ref_id: V14.2.5
      description: Verify that a Software Bill of Materials (SBOM) is maintained of
        all third party libraries in use. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier qu'un catalogue d'inventaire de toutes les biblioth\xE8\
            ques tierces en service est tenu \xE0 jour. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.2
      ref_id: V14.2.6
      description: Verify that the attack surface is reduced by sandboxing or encapsulating
        third party libraries to expose only the required behaviour into the application.
        ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que la surface d'attaque est r\xE9duite en mettant\
            \ en bac \xE0 sable ou en encapsulant des biblioth\xE8ques tierces pour\
            \ n'exposer que le comportement requis dans l'application. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering))"
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14
      ref_id: V14.3
      name: Unintended Security Disclosure
      translations:
        fr:
          name: "Exigences de divulgation involontaire de renseignements sur la s\xE9\
            curit\xE9"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.3
      ref_id: V14.3.2
      description: Verify that web or application server and application framework
        debug modes are disabled in production to eliminate debug features, developer
        consoles, and unintended security disclosures.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que les modes de d\xE9bogage du serveur web ou\
            \ d'application et du cadre d'application sont d\xE9sactiv\xE9s en production\
            \ afin d'\xE9liminer les fonctionnalit\xE9s de d\xE9bogage, les consoles\
            \ de d\xE9veloppement et les divulgations de s\xE9curit\xE9 non intentionnelles."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.3
      ref_id: V14.3.3
      description: Verify that the HTTP headers or any part of the HTTP response do
        not expose detailed version information of system components.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les en-t\xEAtes HTTP ou toute partie de la\
            \ r\xE9ponse HTTP n'exposent pas d'informations d\xE9taill\xE9es sur la\
            \ version des composants du syst\xE8me."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14
      ref_id: V14.4
      name: HTTP Security Headers
      translations:
        fr:
          name: "Exigences relatives aux en-t\xEAtes de s\xE9curit\xE9 HTTP"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      ref_id: V14.4.1
      description: Verify that every HTTP response contains a Content-Type header.
        Also specify a safe character set (e.g., UTF-8, ISO-8859-1) if the content
        types are text/*, /+xml and application/xml. Content must match with the provided
        Content-Type header.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que chaque r\xE9ponse HTTP contient un en-t\xEA\
            te Content-Type. Les types de contenu text/*, */*+xml et application/xml\
            \ doivent \xE9galement sp\xE9cifier un jeu de caract\xE8res s\xFBr (par\
            \ exemple, UTF-8, ISO-8859-1)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      ref_id: V14.4.2
      description: 'Verify that all API responses contain a Content-Disposition: attachment;
        filename="api.json" header (or other appropriate filename for the content
        type).'
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les r\xE9ponses de l'API contiennent\
            \ Content-Disposition : attachment ; filename=\"api.json\" (ou tout autre\
            \ nom de fichier appropri\xE9 pour le type de contenu)."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      ref_id: V14.4.3
      description: Verify that a Content Security Policy (CSP) response header is
        in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON,
        and JavaScript injection vulnerabilities.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier qu'une politique de s\xE9curit\xE9 du contenu\
            \ (CSP) est en place pour aider \xE0 att\xE9nuer l'impact des attaques\
            \ XSS comme les vuln\xE9rabilit\xE9s d'injection HTML, DOM, JSON et JavaScript."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      ref_id: V14.4.4
      description: 'Verify that all responses contain a X-Content-Type-Options: nosniff
        header.'
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que toutes les r\xE9ponses contiennent X-Content-Type-Options:\
            \ nosniff."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      ref_id: V14.4.5
      description: 'Verify that a Strict-Transport-Security header is included on
        all responses and for all subdomains, such as Strict-Transport-Security: max-age=15724800;
        includeSubdomains.'
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'en-t\xEAte Strict-Transport-Security est\
            \ inclus dans toutes les r\xE9ponses et pour tous les sous-domaines, comme\
            \ Strict-Transport-Security : max-age=15724800 ; includeSubdomains."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      ref_id: V14.4.6
      description: Verify that a suitable Referrer-Policy header is included to avoid
        exposing sensitive information in the URL through the Referer header to untrusted
        parties.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez qu'un en-t\xEAte \"Referrer-Policy\" appropri\xE9\
            \ est inclus, tel que \"no-referrer\" ou \"same-origin\"."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.4
      ref_id: V14.4.7
      description: 'Verify that the content of a web application cannot be embedded
        in a third-party site by default and that embedding of the exact resources
        is only allowed where necessary by using suitable Content-Security-Policy:
        frame-ancestors and X-Frame-Options response headers.'
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifier que le contenu d'une application web ne peut pas\
            \ \xEAtre int\xE9gr\xE9 par d\xE9faut dans un site tiers et que l'int\xE9\
            gration des ressources exactes n'est autoris\xE9e que si n\xE9cessaire\
            \ en utilisant un en-t\xEAte appropri\xE9 tel \"Content-Security-Policy:\
            \ frame-ancestors\" ou \"X-Frame-Options\"."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14
      ref_id: V14.5
      name: HTTP Request Header Validation
      translations:
        fr:
          name: "Exigences sur la validation des en-t\xEAtes de requ\xEAte HTTP"
          description: null
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5
      ref_id: V14.5.1
      description: Verify that the application server only accepts the HTTP methods
        in use by the application/API, including pre-flight OPTIONS, and logs/alerts
        on any requests that are not valid for the application context.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que le serveur d'application accepte seulement\
            \ les m\xE9thodes HTTP utilis\xE9es par l'application/API (incluant les\
            \ requetes de type OPTIONS), et les journalise/alertes sur toutes les\
            \ demandes qui sont invalades pour le contexte de l'application."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5
      ref_id: V14.5.2
      description: Verify that the supplied Origin header is not used for authentication
        or access control decisions, as the Origin header can easily be changed by
        an attacker.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'en-t\xEAte Origin fourni n'est pas utilis\xE9\
            \ pour les d\xE9cisions d'authentification ou de contr\xF4le d'acc\xE8\
            s, car l'en-t\xEAte Origin peut facilement \xEAtre modifi\xE9 par un attaquant."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5
      ref_id: V14.5.3
      description: Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin
        header uses a strict allow list of trusted domains and subdomains to match
        against and does not support the "null" origin.
      implementation_groups:
      - L1
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que l'en-t\xEAte \"Cross-Origin Resource Sharing\"\
            \ (CORS) Access-Control-Allow-Origin utilise une liste d'autorisation\
            \ stricte de domaines et sous-domaines de confiance pour la comparaison\
            \ avec l'origine \"null\" et ne la prend pas en charge."
    - urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:owasp-asvs-4.0.3:v14.5
      ref_id: V14.5.4
      description: Verify that HTTP headers added by a trusted proxy or SSO devices,
        such as a bearer token, are authenticated by the application.
      implementation_groups:
      - L2
      - L3
      translations:
        fr:
          name: null
          description: "V\xE9rifiez que les en-t\xEAtes HTTP ajout\xE9s par un proxy\
            \ de confiance ou des dispositifs SSO, tels qu'un jeton au porteur, sont\
            \ authentifi\xE9s par l'application."