Skip to content

OWASP ASVS L2 mapping

This document maps each OWASP Application Security Verification Standard v4.0.3 control at Level 2 (the standard target for production-grade applications) to where it is implemented in Zion and how it is verified.

ASVS L1 is implicitly covered (L2 is a superset). L3 controls that require per-deployment policy (HSM, formal-methods proofs) are out of scope for the binary itself; the chart and the threat model document the L3 lift in docs/security/threat-model.md.

Each row of the table follows the format:

IDRequirementImplementationTest / Evidence

Implementation column links to a file or module where the control lives. Test / Evidence column links to a unit test, integration test, or external scan whose green status is the operational evidence.

V1 — Architecture, Design and Threat Modeling

IDRequirementImplementationTest / Evidence
1.1.4Threat model documentedthreat-model.mdDoc reviewed; STRIDE table covers all surfaces, including §10 Mesh (AIMP) for --features sovereign-aimp
1.1.7Architecture documentedadr/ (10 ADRs)ADR index in adr/; mesh integration captured in ADR-0008
1.4.5Data classification documentedredact policy + [zion.toml] [redact] blockproptest redact_drops_secret_values
1.5.2Serialization rejected for untrusted inputsimd-json validation gate in waf.rsunit tests denies_long_string_value, denies_deep_nesting

V2 — Authentication

auth is feature-gated. When disabled, V2 controls are not applicable to the binary path. Enabling --features auth brings:

IDRequirementImplementationTest / Evidence
2.1.1Passwords ≥ 12 charsN/A — Zion is a token-bearing proxy, no password store
2.5.1Anti-bruteforcePer-IP rate limit (security.rs)proptest rate_limiter_caps_at_rps_within_window
2.10.4Cryptographic algorithms currentrustls 0.23 + aws-lc-rs (≥ TLS 1.3)--features fips enforces FIPS subset

V3 — Session Management

IDRequirementImplementationTest / Evidence
3.5.2Session tokens cryptographically signedTLS 1.3 session tickets via Ticketer (tls.rs)Boot logs show ticketer enabled; cargo test --features fips
3.7.1Session timeout enforcementrustls default 8 hrustls upstream tests

V4 — Access Control

IDRequirementImplementationTest / Evidence
4.1.1Trusted enforcement at server sideAll gates run server-side (dispatch.rs)integration test suite
4.2.1Sensitive endpoints internal-onlyis_internal_ip gate on /metrics, /_zion/snapshot.jsontests/integration.rs internal_only_*
4.3.1Admin endpoints separated/_zion/* namespace + IP allowlistcode-review (no admin routes outside namespace)

V5 — Validation, Sanitization and Encoding

IDRequirementImplementationTest / Evidence
5.1.1Server validates all inputWAF 5-gate pipeline (waf.rs)117 unit tests in waf.rs
5.1.2HTTP parameter pollution defencematchit exact-path routing; query rebuilt by proxy.rsunit test denies_double_encoded_traversal
5.1.3URI length limitedMAX_URI_LEN = 8192 (dispatch.rs)unit test uri_too_long_returns_414
5.1.4Header count limitedmax_headers = 64 on hyper builder (main.rs)hyper-level enforcement
5.2.xEncoding outputhyper's serializer; security headers via inject_security_headersunit test inject_security_headers_*
5.5.1XML parsing disabled / hardenedNo XML in default path; simd-json covers JSONcode-review

V7 — Error Handling and Logging

IDRequirementImplementationTest / Evidence
7.1.1Centralized loggingtracing subscriber in observability.rscargo test observability
7.1.2Sensitive data NOT in logs[redact] policy applied at audit-event constructionproptest redact_drops_secret_values
7.1.3Log integrityHMAC-SHA256 chain (audit.rs)unit test tampering_an_event_breaks_the_next_hmac
7.4.1Generic error messages to clienttext_response(StatusCode::BAD_REQUEST, "request rejected") — no stack traces leakedmanual review of dispatch.rs deny paths

V8 — Data Protection

IDRequirementImplementationTest / Evidence
8.2.1Sensitive data redacted in transit logs[redact.headers], [redact.query_params]proptest matrix
8.3.4TLS for sensitive data in transitrustls 0.23 (TLS 1.3)--features fips validates with NIST CMVP cert

V9 — Communication

IDRequirementImplementationTest / Evidence
9.1.1TLS for all client trafficHTTPS listener mandatory; HTTP listener optional + redirectstls.rs config validation
9.1.2Strong ciphersuite listrustls default + optional FIPS subsetdocs/security/fips.md
9.1.3TLS configuration external evidenceExternal SSL Labs scan against the canonical deploy (pending)tracked in tls-conformance.md
9.2.1TLS for outbound callshyper-rustls with webpki-rootsupstream connectivity tests
9.2.4Authenticated peer-to-peer (mesh)Ed25519-signed AimpEnvelope over Noise AEAD (aimp_cp.rs)threat-model.md §10 Spoofing/Tampering

V10 — Malicious Code

IDRequirementImplementationTest / Evidence
10.2.1No outbound calls to dev infrastructureNo telemetry beacons, no analytics — fully self-containedcode-review
10.3.2Dependencies vettedcargo audit, cargo deny (deny.toml)CI .github/workflows/supply-chain.yml
10.3.3Build pipeline tamper-evidentSLSA L3 provenance (release.yml)gh attestation verify recipe in supply-chain.md

V11 — Business Logic

Business logic resides in upstream services. Zion is the L7 ingress gateway; V11 maps to upstream applications, not to Zion itself.

V12 — File and Resources

IDRequirementImplementationTest / Evidence
12.1.1Upload size limitedmax_body_mb per profile (waf.rs)unit test denies_oversize_body
12.3.1File path traversal blockedURL normalization + WAF Aho-Corasick patternsunit test uri_denies_encoded_traversal

V13 — API and Web Service

IDRequirementImplementationTest / Evidence
13.1.1API exposes only intended methodsMethod allowlist (GET/HEAD/POST/PUT/PATCH/DELETE/OPTIONS) (dispatch.rs)unit test disallows_TRACE
13.2.1Rate limit per identityper-IP rate limiterproptest rate_limiter_isolates_ips

V14 — Configuration

IDRequirementImplementationTest / Evidence
14.1.1Build toolchain pinnedrust-toolchain.toml, Cargo.lock committedCI --locked
14.1.4Reproducible buildsSOURCE_DATE_EPOCH, cargo-zigbuild, deterministic tarsupply-chain.md "Reproducing a build"
14.2.1Components inventoried (SBOM)CycloneDX 1.5 generated by cargo cyclonedxrelease artifact zion-sbom.cdx.json
14.2.5Components signedcosign keyless on container digest, SLSA on binariescosign verify recipe in supply-chain.md
14.3.2Server hardeningdistroless image, non-root UID 65532, dropped capabilities, seccompProfile=RuntimeDefaultHelm chart values.yaml
14.4.1Common security headersHSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy (security.rs)unit test inject_security_headers_*
14.5.1HTTP method allowlistdispatch.rs gateunit test disallows_TRACE

Coverage summary

SectionTotal L2 controlsMappedNotes
V1 Architecture124Application-specific items not applicable
V2 Auth233Feature-gated; bulk lives in upstream
V3 Session82TLS-only; no app sessions in proxy
V4 Access Control123Routing-level; upstream owns finer-grained ACL
V5 Validation236WAF + simd-json
V7 Error/Logging114Audit + tracing
V8 Data82Redaction + TLS
V9 Comms64rustls + FIPS path
V10 Malicious73Supply-chain pipeline
V12 Files52Body size + traversal
V13 API122Method + rate-limit
V14 Config227SBOM + cosign + Helm

The total mapped count is conservative — many controls are satisfied by TLS / hyper / rustls upstream defaults that we don't list here because they don't produce a useful "test / evidence" link in the Zion codebase. Operators with a checklist obligation should walk the official ASVS spreadsheet against this map and tick the boxes that overlap.

Update procedure

When adding a new external surface:

  1. Walk the ASVS L2 controls relevant to the surface.
  2. Add a row here per control. Implementation column must point to a file path; Test / Evidence column to a test or external scan.
  3. If a control cannot be met, write the gap into threat-model.md "Out of scope" and reference that section here.

Released under the MIT License.