Changes were tracked until version 2.0 (tag v2) but they are no longer being tracked. Since then many requirements, as well as the whole structure of TSS-WEB, have been intensively updated, revised and extended.
Complete revision, including chapters
- Chapter 3 („Secure Operation“)
- Chapter 5 („Secure Development Process“)
- Chapter 6 („Security Tests“)
- Section 8.11. („Data Security & Cryptography“)
- Section 8.14 („Service & API Security”)
- Chapter 3 (“Operational Requirements”) revised and made more compliant to container and cloud environments.
- Chapter 5 (“Security of Development Process”) completely revised and restructured
- Chapter 6 (“Security Tests”) completely revised and and restructured
- Name of the standard changed to “web development” standard instead of “web application” standard.
- Minor updated in other chapters.
- Role “Security Champion” extended
- 3rd party component renamed to 3rd party dependencies and relevant requirements in chapter 4 completely revised.
- Chapter 5 (“Security of Development Process”) revised
- Chapter 6 (“Security Tests”) revised, and test policy aligned to assurance classes
- Update of security logging and monitoring requirements
- Section 1.3 (“Roles”): Changes of role description “Security Champion” and role “developer” added
- Chapter 3 (“Operational Requirements”): Extension of DMZ restrictions and security monitoring
- Multiple modifications of chapter 5 (“Protection of Source and Program Code”)
- 8.2 (“Input Validation”): New requirement for secure object sterilization
- 8.5 (“Authentication & Registration of Users): Deprecated NIST standard replaced with current NIST SP 800-63B
- 8.8 (“Authentication at Backend”): Multiple modifications
- 8.11 (“Access Controls”) Modification of OAuth requirements. Move of CORS and OAuth requirements to Service Security
- 8.13 (“Management of Technical Keys & Secrets”) Multiple Modifications
- 8.16 (“XML Parser Security”) Multiple modifications, renaming to “Service Security”; XML parser security requirements moved to 8.2 (“Input Validation”).
- Appendix A: Integration von SameSite cookies and modification of CSP requirements
- Security officer renamed to IT security function
- OWASP Top Ten was removed and will be maintained on the web site (tss-web.secodis.com) in the future.
- Protection class has been renamed into assurance class
- Multiple modifications of chapter 5 (“security in development process”)
- Multiple modifications of chapter 7 (“supplier requirements”)
- Minor modifications to file upload requirements
- Requirements for HPKP removed and for referrer policy added
- New requirements for handling X.509 certificates (8.17)
- Changes for agile Development (chapter 5)
- “Use of Secure JavaScript APIs” moved from 8.4 (“Output Validation”) to 8.14 (“Client-Side Security”)
- Various changes to chapter 6 ("Security Tests)
- Security Auditor renamed in Security Officer
- Changes to CSP statements
- CVSS scoring added to the security of 3rd party components
Initial English version based on a complete review of the standards with a lot of improvements and corrections.
ä 1.0 20/02/2015 Initial release (German)