V13.2.1: Verify that communications between backend application components that don't support the application's standard user session mechanism, including APIs, middleware, and data layers, are authenticated. Authentication must use individual service accounts, short-term tokens, or certificate-based authentication and not unchanging credentials such as passwords, API keys, or shared accounts with privileged access.
V13.2.2: Verify that communications between backend application components, including local or operating system services, APIs, middleware, and data layers, are performed with accounts assigned the least necessary privileges.
V13.2.3: Verify that if a credential has to be used for service authentication, the credential being used by the consumer is not a default credential (e.g., root/root or admin/admin).
V13.2.4: Verify that an allowlist is used to define the external resources or systems with which the application is permitted to communicate (e.g., for outbound requests, data loads, or file access). This allowlist can be implemented at the application layer, web server, firewall, or a combination of different layers.
V13.2.5: Verify that the web or application server is configured with an allowlist of resources or systems to which the server can send requests or from which it can load data or files.
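An application-layer form of the allowlist required by V13.2.4 and V13.2.5, as an added example that is not part of ASVS itself. It approves an outbound destination only on an exact (scheme, normalized host, port) match, rejects literal IP addresses, and relies on the URL parser rather than string matching so that userinfo, case, and suffix tricks cannot slip a non-listed host past the check. The allowlist entries are constructed for the example.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: (scheme, host, port) tuples the application may call.
ALLOWED_DESTINATIONS = {
    ("https", "api.payments.example", 443),
    ("https", "storage.example", 443),
}

def outbound_allowed(url: str, allowlist=ALLOWED_DESTINATIONS) -> bool:
    """Return True only if url's scheme, exact host and port are on the allowlist."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased, brackets stripped, userinfo removed
        port = parts.port      # None if absent; raises ValueError if malformed
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # Literal IP addresses are never allowlisted here: names are the unit of approval.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # Exact match on the normalized hostname; no suffix or substring matching.
    return (parts.scheme, host.rstrip("."), port) in allowlist
```

Run the check again on every redirect hop (or disable automatic redirect following in the HTTP client), since a listed host can redirect to one that is not listed.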
V13.2.6: Verify that where the application connects to separate services, it follows the documented configuration for each connection, such as the maximum number of parallel connections, the behavior when that maximum is reached, connection timeouts, and retry strategies.