Mapping OWASP ASVS v3.0.1 to NIST SP 800-53 Rev. 4
An x in the L1, L2 and L3 columns marks the ASVS verification levels at which a requirement applies; Since is the ASVS version that introduced the requirement. The right-hand column lists the NIST SP 800-53 Rev. 4 controls the sheet maps each requirement to; control enhancements are written in the usual NIST form, e.g. SA-15(4).

V1. Architecture, design and threat modelling

| Req# | Requirement | L1 | L2 | L3 | Since | NIST SP 800-53 Rev. 4 equivalent |
|---|---|---|---|---|---|---|
| 1.1 | Verify that all application components are identified and are known to be needed. | x | x | x | 1.0 | PL-8 Information Security Architecture, RA-3 Risk Assessment, CM-8 Information System Component Inventory |
| 1.2 | Verify that all components, such as libraries, modules, and external systems, that are not part of the application but that the application relies on to operate are identified. | | x | x | 1.0 | PL-8 Information Security Architecture, CM-8 Information System Component Inventory |
| 1.3 | Verify that a high-level architecture for the application has been defined. | | x | x | 1.0 | PL-8 Information Security Architecture, CM-8 Information System Component Inventory |
| 1.4 | Verify that all application components are defined in terms of the business functions and/or security functions they provide. | | | x | 1.0 | SA-5 Information System Documentation, SI-6 Security Function Verification |
| 1.5 | Verify that all components that are not part of the application but that the application relies on to operate are defined in terms of the functions, and/or security functions, they provide. | | | x | 1.0 | CA-3 System Interconnections, SA-8 Security Engineering Principles, SA-9 External Information System Services |
| 1.6 | Verify that a threat model for the target application has been produced and covers the risks associated with Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege (STRIDE). | | | x | 1.0 | SA-15 Development Process, Standards, and Tools; SA-15(4) Threat Modeling / Vulnerability Analysis |
| 1.7 | Verify that all security controls (including libraries that call external security services) have a centralized implementation. | | | x | 1.0 | SA-15 Development Process, Standards, and Tools; SA-15(5) Attack Surface Reduction |
| 1.8 | Verify that components are segregated from each other via a defined security control, such as network segmentation, firewall rules, or cloud-based security groups. | | x | x | 3.0 | SA-15 Development Process, Standards, and Tools; SA-15(5) Attack Surface Reduction |
| 1.9 | Verify that the application has a clear separation between the data layer, controller layer and the display layer, such that security decisions can be enforced on trusted systems. | | x | x | 3.0 | SA-8 Security Engineering Principles, SC-2 Application Partitioning |
| 1.10 | Verify that there is no sensitive business logic, secret keys or other proprietary information in client-side code. | | x | x | 3.0 | SA-8 Security Engineering Principles |
| 1.11 | Verify that all application components, libraries, modules, frameworks, platforms and operating systems are free from known vulnerabilities. | | x | x | 3.0.1 | SA-8 Security Engineering Principles, SA-15 Development Process, Standards, and Tools |
V2. Authentication Verification Requirements

| Req# | Requirement | L1 | L2 | L3 | Since | NIST SP 800-53 Rev. 4 equivalent |
|---|---|---|---|---|---|---|
| 2.1 | Verify that all pages and resources by default require authentication except those specifically intended to be public (principle of complete mediation). | x | x | x | 1.0 | IA-1 Identification and Authentication Policy and Procedures, AC-14 Permitted Actions without Identification or Authentication, AC-21 Information Sharing, AC-22 Publicly Accessible Content |
| 2.2 | Verify that forms containing credentials are not filled in by the application. Pre-filling by the application implies that credentials are stored in plaintext or a reversible format, which is explicitly prohibited. | x | x | x | 3.0.1 | IA-1 Identification and Authentication Policy and Procedures |
| 2.4 | Verify that all authentication controls are enforced on the server side. | x | x | x | 1.0 | AC-1 Access Control Policy and Procedures |
| 2.6 | Verify that all authentication controls fail securely to ensure attackers cannot log in. | x | x | x | 1.0 | AC-7 Unsuccessful Logon Attempts, AC-16 Security Attributes |
| 2.7 | Verify that password entry fields allow, or encourage, the use of passphrases, and do not prevent password managers, long passphrases or highly complex passwords from being entered. | x | x | x | 3.0.1 | AC-16 Security Attributes, IA-1 Identification and Authentication Policy and Procedures |
| 2.8 | Verify that all account identity authentication functions (such as update profile, forgot password, disabled / lost token, help desk or IVR) that might regain access to the account are at least as resistant to attack as the primary authentication mechanism. | x | x | x | 2.0 | CA-8 Penetration Testing, AC-16 Security Attributes |
| 2.9 | Verify that the change-password functionality requires the old password, the new password, and a password confirmation. | x | x | x | 1.0 | AC-16 Security Attributes, IA-11 Re-authentication |
| 2.12 | Verify that all authentication decisions can be logged, without storing sensitive session identifiers or passwords. This should include requests with the relevant metadata needed for security investigations. | | x | x | 3.0.1 | AC-7 Unsuccessful Logon Attempts, AU-2 Audit Events, AU-14 Session Audit, IR-5 Incident Monitoring |
| 2.13 | Verify that account passwords are one-way hashed with a salt, and that there is sufficient work factor to defeat brute force and password hash recovery attacks. | | x | x | 3.0.1 | AC-16 Security Attributes |
| 2.16 | Verify that credentials are transported over a suitable encrypted link and that all pages/functions that require a user to enter credentials are served over an encrypted link. | x | x | x | 3.0 | AC-16 Security Attributes, SC-8 Transmission Confidentiality and Integrity |
| 2.17 | Verify that the forgotten password function and other recovery paths do not reveal the current password and that the new password is not sent in clear text to the user. | x | x | x | 2.0 | AC-16 Security Attributes, CA-8 Penetration Testing, SC-8 Transmission Confidentiality and Integrity |
| 2.18 | Verify that information enumeration is not possible via login, password reset, or forgot account functionality. | x | x | x | 2.0 | AC-16 Security Attributes |
| 2.19 | Verify that there are no default passwords in use for the application framework or any components used by the application (such as "admin/password"). | x | x | x | 2.0 | IA-1 Identification and Authentication Policy and Procedures |
| 2.20 | Verify that anti-automation is in place to prevent breached credential testing, brute forcing, and account lockout attacks. | x | x | x | 3.0.1 | AC-16 Security Attributes |
| 2.21 | Verify that all authentication credentials for accessing services external to the application are encrypted and stored in a protected location. | | x | x | 2.0 | CM-6 Configuration Settings |
| 2.22 | Verify that forgotten password and other recovery paths use a TOTP or other soft token, mobile push, or another offline recovery mechanism. Use of a random value in an e-mail or SMS should be a last resort and is known to be weak. | x | x | x | 3.0.1 | IA-1 Identification and Authentication Policy and Procedures |
| 2.23 | Verify that account lockout is divided into soft and hard lock status, and that these are not mutually exclusive. If an account is temporarily soft-locked due to a brute force attack, this should not reset the hard lock status. | | x | x | 3.0 | IA-1 Identification and Authentication Policy and Procedures, AC-2 Account Management, AC-7 Unsuccessful Logon Attempts |
| 2.24 | Verify that if shared knowledge-based questions (also known as "secret questions") are required, the questions do not violate privacy laws and are sufficiently strong to protect accounts from malicious recovery. | x | x | x | 3.0.1 | IA-1 Identification and Authentication Policy and Procedures, AC-2 Account Management |
| 2.25 | Verify that the system can be configured to disallow the use of a configurable number of previous passwords. | | x | x | 2.0 | IA-1 Identification and Authentication Policy and Procedures |
| 2.26 | Verify that risk-based re-authentication, two-factor authentication or transaction signing is in place for high-value transactions. | | x | x | 3.0.1 | IA-1 Identification and Authentication Policy and Procedures |
| 2.27 | Verify that measures are in place to block the use of commonly chosen passwords and weak passphrases. | x | x | x | 3.0 | IA-1 Identification and Authentication Policy and Procedures |
| 2.28 | Verify that all authentication challenges, whether successful or failed, respond in the same average response time. | | | x | 3.0 | IA-1 Identification and Authentication Policy and Procedures |
| 2.29 | Verify that secrets, API keys, and passwords are not included in the source code, or in online source code repositories. | | | x | 3.0 | AU-13 Monitoring for Information Disclosure |
| 2.31 | Verify that if an application allows users to authenticate, they can authenticate using two-factor authentication or other strong authentication, or any similar scheme that provides protection against username + password disclosure. | | x | x | 3.0 | IA-1 Identification and Authentication Policy and Procedures |
| 2.32 | Verify that administrative interfaces are not accessible to untrusted parties. | x | x | x | 3.0 | AC-1 Access Control Policy and Procedures |
| 2.33 | Browser autocomplete and integration with password managers are permitted unless prohibited by risk-based policy. | x | x | x | 3.0.1 | RA-1 Risk Assessment Policy and Procedures |
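Several of the V2 rows above describe one coherent mechanism rather than a policy: a salted slow hash (2.13), identical error text for every failure (2.18), the same hashing cost whether or not the username exists (2.28), soft lockout that never touches the administrative hard lock (2.23), a denylist of common passwords (2.27), password history (2.25), a change-password flow that requires the old password and a confirmation (2.9), and an audit trail that never contains a password (2.12). The following is an added example written for this page, not code from OWASP or NIST: the class and function names, the PBKDF2 iteration count, the lockout thresholds and the password denylist are all this example's own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for a breached/common-password feed (2.27).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin/password"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 210_000   # 2.13: work factor; raise it as hardware gets faster
SOFT_LOCK_THRESHOLD = 5       # 2.23: failures before a temporary soft lock
SOFT_LOCK_SECONDS = 15 * 60
PASSWORD_HISTORY = 5          # 2.25: previous passwords that may not be reused
GENERIC_ERROR = "Invalid username or password."   # 2.18: identical for every failure


def hash_password(password: str, salt: Optional[bytes] = None):
    """2.13: salted, one-way, deliberately slow. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.history = []            # (salt, digest) pairs of earlier passwords
        self.failures = 0
        self.soft_locked_until = 0.0
        self.hard_locked = False     # 2.23: set and cleared by an administrator only


# 2.28: unknown usernames are charged the same PBKDF2 work as real ones.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())


class AuthStore:
    def __init__(self):
        self.accounts = {}
        self.audit = []              # 2.12: (time, user, result, reason); never secrets

    def password_acceptable(self, password, account=None):
        if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
            return False
        previous = ([(account.salt, account.digest)] + account.history) if account else []
        return not any(matches(password, s, d) for s, d in previous)

    def register(self, username, password):
        if username in self.accounts or not self.password_acceptable(password):
            return False
        self.accounts[username] = Account(username, password)
        return True

    def login(self, username, password, now=None):
        """Every non-success path returns (False, GENERIC_ERROR): fail closed (2.6)."""
        now = time.time() if now is None else now
        account = self.accounts.get(username)
        if account is None:
            matches(password, _DUMMY_SALT, _DUMMY_DIGEST)      # same cost as a real check
            self.audit.append((now, username, "fail", "unknown-user"))
            return False, GENERIC_ERROR
        locked = account.hard_locked or now < account.soft_locked_until
        ok = matches(password, account.salt, account.digest)   # always computed (2.28)
        if ok and not locked:
            account.failures = 0
            self.audit.append((now, username, "success", ""))
            return True, ""
        if not ok:
            account.failures += 1
            if account.failures >= SOFT_LOCK_THRESHOLD:
                account.soft_locked_until = now + SOFT_LOCK_SECONDS   # hard_locked untouched
                account.failures = 0
        self.audit.append((now, username, "fail", "locked" if locked else "bad-password"))
        return False, GENERIC_ERROR

    def change_password(self, username, old_password, new_password, confirmation):
        """2.9: old password, new password and confirmation are all required."""
        account = self.accounts.get(username)
        if account is None or new_password != confirmation:
            return False
        if not matches(old_password, account.salt, account.digest):
            return False
        if not self.password_acceptable(new_password, account):
            return False
        account.history = ([(account.salt, account.digest)] + account.history)[:PASSWORD_HISTORY]
        account.salt, account.digest = hash_password(new_password)
        return True
```

The `now` parameter exists so the lockout window can be driven deterministically in a test; production callers leave it unset. Note that the soft lock expires on its own while `hard_locked` is only ever changed by an operator, which is exactly the "not mutually exclusive" property 2.23 asks for.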
V3. Session Management Verification Requirements

| Req# | Requirement | L1 | L2 | L3 | Since | NIST SP 800-53 Rev. 4 equivalent |
|---|---|---|---|---|---|---|
| 3.1 | Verify that there is no custom session manager, or that the custom session manager is resistant against all common session management attacks. | x | x | x | 1.0 | AC-11 Session Lock, AC-12 Session Termination |
| 3.2 | Verify that sessions are invalidated when the user logs out. | x | x | x | 1.0 | AC-12 Session Termination, AC-11 Session Lock |
| 3.3 | Verify that sessions time out after a specified period of inactivity. | x | x | x | 1.0 | AC-12 Session Termination, AC-11 Session Lock |
| 3.4 | Verify that sessions time out after an administratively configurable maximum time period regardless of activity (an absolute timeout). | | | x | 1.0 | AC-12 Session Termination, AC-11 Session Lock |
| 3.5 | Verify that all pages that require authentication have easy and visible access to logout functionality. | x | x | x | 1.0 | IA-1 Identification and Authentication Policy and Procedures |
| 3.6 | Verify that the session id is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies. | x | x | x | 1.0 | AC-16 Security Attributes, CA-8 Penetration Testing |
| 3.7 | Verify that all successful authentication and re-authentication generates a new session and session id. | x | x | x | 1.0 | AC-16 Security Attributes, CA-8 Penetration Testing |
| 3.10 | Verify that only session ids generated by the application framework are recognized as active by the application. | | x | x | 1.0 | AC-16 Security Attributes, CA-8 Penetration Testing |
| 3.11 | Verify that session ids are sufficiently long, random and unique across the correct active session base. | | x | x | 1.0 | AC-16 Security Attributes |
| 3.12 | Verify that session ids stored in cookies have their path set to an appropriately restrictive value for the application, and that authentication session tokens additionally set the "HttpOnly" and "secure" attributes. | x | x | x | 3.0 | AC-16 Security Attributes |
| 3.16 | Verify that the application limits the number of active concurrent sessions. | x | x | x | 3.0 | AC-10 Concurrent Session Control |
| 3.17 | Verify that an active session list is displayed in the account profile or similar of each user. The user should be able to terminate any active session. | x | x | x | 3.0 | AC-10 Concurrent Session Control, AC-11 Session Lock, AC-12 Session Termination |
| 3.18 | Verify that the user is prompted with the option to terminate all other active sessions after a successful change-password process. | x | x | x | 3.0 | AC-10 Concurrent Session Control, AC-11 Session Lock, AC-12 Session Termination |
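The V3 rows map to NIST session-control families (AC-10, AC-11, AC-12), but the controls themselves are concrete: a CSPRNG-generated id (3.11), honouring only ids the server issued (3.10), an idle timeout and an absolute timeout (3.3, 3.4), a fresh id on every authentication so a fixated id never becomes authenticated (3.7), server-side invalidation on logout (3.2), a cap on concurrent sessions (3.16), a per-user session list with terminate-others (3.17, 3.18), restrictive cookie attributes (3.12) and a log-safe reference instead of the raw id (3.6). The following is an added example written for this page, not OWASP's or NIST's code; the `SessionManager` API, the timeouts, the session cap, the cookie name and path are assumptions, and `SameSite` requires Python 3.8 or later.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 30 * 60          # 3.3: seconds of inactivity before expiry
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # 3.4: lifetime regardless of activity
MAX_CONCURRENT = 3              # 3.16: active sessions per user
COOKIE_NAME = "sid"
COOKIE_PATH = "/app"            # 3.12: scope the cookie to the application's path


class Session:
    def __init__(self, sid, user, now, client):
        self.sid = sid
        self.user = user
        self.created = now
        self.last_seen = now
        self.client = client    # e.g. user agent / IP shown in the session list (3.17)


class SessionManager:
    def __init__(self):
        self._sessions = {}     # sid -> Session; only ids in here are honoured (3.10)

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 3.11: 256 bits from the OS CSPRNG

    @staticmethod
    def _expired(s, now):
        return now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT

    def create(self, user, client="", now=None):
        now = time.time() if now is None else now
        active = sorted(self.list_for_user(user, now), key=lambda s: s.created)
        while len(active) >= MAX_CONCURRENT:          # 3.16: evict the oldest session
            self.destroy(active.pop(0).sid)
        sid = self._new_id()
        self._sessions[sid] = Session(sid, user, now, client)
        return sid

    def authenticate(self, presented_sid, user, client="", now=None):
        """3.7: every successful (re)authentication yields a new id; the id the
        client presented beforehand is discarded, which defeats session fixation."""
        self.destroy(presented_sid)
        return self.create(user, client, now)

    def resolve(self, sid, now=None):
        """Returns the live Session for an issued, unexpired id, else None."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            self.destroy(sid)
            return None
        s.last_seen = now
        return s

    def logout(self, sid):
        self.destroy(sid)       # 3.2: invalidate server side, not just clear the cookie

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def list_for_user(self, user, now=None):
        now = time.time() if now is None else now
        return [s for s in list(self._sessions.values())
                if s.user == user and not self._expired(s, now)]

    def terminate_others(self, user, keep_sid, now=None):
        """3.17 / 3.18: end every other session of the user, e.g. after a password change."""
        killed = 0
        for s in self.list_for_user(user, now):
            if s.sid != keep_sid:
                self.destroy(s.sid)
                killed += 1
        return killed


def cookie_header(sid):
    """3.12: Path-restricted, HttpOnly and Secure; SameSite added as defence in depth."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["path"] = COOKIE_PATH
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["samesite"] = "Strict"
    return c.output(header="").strip()


def log_ref(sid):
    """3.6: never write the raw id to logs or URLs; log a truncated one-way reference."""
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()[:12]
```

Because `resolve` is the only way a request turns a cookie value into a session, both timeouts and the "issued by us" check are enforced in one place; a handler that forgets to call it simply has no session.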
V4. Access Control Verification Requirements

| Req# | Requirement | L1 | L2 | L3 | Since | NIST SP 800-53 Rev. 4 equivalent |
|---|---|---|---|---|---|---|
| 4.1 | Verify that the principle of least privilege exists: users should only be able to access functions, data files, URLs, controllers, services, and other resources for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. | x | x | x | 1.0 | AC-1 Access Control Policy and Procedures, AC-6 Least Privilege, AC-5 Separation of Duties, CM-7 Least Functionality |
| 4.4 | Verify that access to sensitive records is protected, such that only authorized objects or data are accessible to each user (for example, protect against users tampering with a parameter to see or alter another user's account). | x | x | x | 1.0 | AC-1 Access Control Policy and Procedures, AC-6 Least Privilege, AC-5 Separation of Duties |
| 4.5 | Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders. | x | x | x | 1.0 | CM-2 Baseline Configuration, CM-6 Configuration Settings |
| 4.8 | Verify that access controls fail securely. | x | x | x | 1.0 | AC-1 Access Control Policy and Procedures, AC-24 Access Control Decisions |
| 4.9 | Verify that the same access control rules implied by the presentation layer are enforced on the server side. | x | x | x | 1.0 | AC-1 Access Control Policy and Procedures, AC-24 Access Control Decisions |
| 4.10 | Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized. | | x | x | 1.0 | AC-1 Access Control Policy and Procedures, AC-2 Account Management, AC-6 Least Privilege |
| 4.11 | Verify that there is a centralized mechanism (including libraries that call external authorization services) for protecting access to each type of protected resource. | | | x | 1.0 | AC-1 Access Control Policy and Procedures, AC-3 Access Enforcement, AC-6 Least Privilege, AC-22 Publicly Accessible Content |
| 4.12 | Verify that all access control decisions can be logged and that all failed decisions are logged. | | x | x | 2.0 | AC-24 Access Control Decisions, AU-2 Audit Events |
| 4.13 | Verify that the application or framework uses strong random anti-CSRF tokens or has another transaction protection mechanism. | x | x | x | 2.0 | CM-6 Configuration Settings (provided the development framework has anti-CSRF tokens) |
| 4.14 | Verify that the system can protect against aggregate or continuous access of secured functions, resources, or data. For example, consider the use of a resource governor to limit the number of edits per hour or to prevent the entire database from being scraped by an individual user. | | x | x | 2.0 | AC-23 Data Mining Protection |
| 4.15 | Verify that the application has additional authorization (such as step-up or adaptive authentication) for lower-value systems, and/or segregation of duties for high-value applications, to enforce anti-fraud controls as per the risk of the application and past fraud. | | x | x | 3.0 | IA-10 Adaptive Identification and Authentication, AC-5 Separation of Duties |
| 4.16 | Verify that the application correctly enforces context-sensitive authorisation so as not to allow unauthorised manipulation by means of parameter tampering. | x | x | x | 3.0 | AC-3 Access Enforcement |
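The V4 rows mapped to AC-3, AC-6, AC-23 and AC-24 above describe one chokepoint: a single authorization function every handler calls (4.11) that checks the object, not just the URL (4.4, 4.16), denies on any internal error (4.8), keeps role data server side (4.10), logs every failed decision (4.12), applies a resource governor to sensitive actions (4.14), and is backed by a per-session anti-CSRF token checked in constant time (4.13). The following is an added example written for this page, not OWASP's or NIST's code; the `Record` resource type, the role names, the action vocabulary and the edits-per-hour limit are assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

EDITS_PER_HOUR = 10     # 4.14: resource governor on a sensitive action (assumed limit)


class Record:
    """Constructed resource type: every record has exactly one owner."""
    def __init__(self, rid, owner):
        self.rid = rid
        self.owner = owner


class AccessControl:
    def __init__(self):
        self.roles = defaultdict(set)   # 4.10: policy data lives server side only
        self.audit = []                 # 4.12: every decision recorded, failures included
        self._edits = defaultdict(deque)
        self._csrf = {}                 # session id -> token (4.13)

    def authorize(self, user, action, record, now=None):
        """4.11: the single chokepoint. 4.8: any exception inside the policy denies."""
        now = time.time() if now is None else now
        try:
            allowed, reason = self._decide(user, action, record, now)
        except Exception as exc:
            allowed, reason = False, "error:" + type(exc).__name__
        self.audit.append((now, user, action, getattr(record, "rid", None), allowed, reason))
        return allowed

    def _decide(self, user, action, record, now):
        if user is None or record is None:
            raise ValueError("missing principal or resource")
        is_admin = "admin" in self.roles[user]
        is_owner = record.owner == user       # 4.4 / 4.16: object-level, not URL-level
        if action == "read":
            return (is_owner or is_admin), "owner-or-admin"
        if action == "edit":
            if not (is_owner or is_admin):
                return False, "not-owner"
            window = self._edits[user]
            while window and now - window[0] > 3600:
                window.popleft()
            if len(window) >= EDITS_PER_HOUR:
                return False, "rate-limited"
            window.append(now)
            return True, "owner-or-admin"
        if action == "delete":
            return is_admin, "admin-only"     # 4.1 least privilege; AC-5 separation of duties
        return False, "unknown-action"        # deny by default

    def issue_csrf(self, sid):
        """4.13: one strong random token per session, stored server side."""
        token = secrets.token_urlsafe(32)
        self._csrf[sid] = token
        return token

    def check_csrf(self, sid, presented):
        expected = self._csrf.get(sid)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)

    def failed_decisions(self):
        return [entry for entry in self.audit if not entry[4]]
```

Handlers never look at `record.owner` or the role table themselves; they call `authorize` and act on its boolean, which is what makes 4.9 (UI rules re-enforced on the server) and 4.12 (loggable decisions) fall out of the design instead of being remembered per endpoint.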
V5. Malicious Input Handling Verification Requirements

| Req# | Requirement | L1 | L2 | L3 | Since | NIST SP 800-53 Rev. 4 equivalent |
|---|---|---|---|---|---|---|
| 5.1 | Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows. | x | x | x | 1.0 | SI-10 Information Input Validation |
| 5.3 | Verify that server-side input validation failures result in request rejection and are logged. | x | x | x | 1.0 | SI-10 Information Input Validation |
| 5.5 | Verify that input validation routines are enforced on the server side. | x | x | x | 1.0 | SI-10 Information Input Validation |
| 5.6 | Verify that a single input validation control is used by the application for each type of data that is accepted. | | | x | 1.0 | SI-1 System and Information Integrity Policy and Procedures, SI-10 Information Input Validation |
| 5.10 | Verify that all SQL queries, HQL, OSQL, NoSQL and stored procedures, including the calling of stored procedures, are protected by the use of prepared statements or query parameterization, and are thus not susceptible to SQL injection. | x | x | x | 2.0 | SI-1 System and Information Integrity Policy and Procedures, SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.11 | Verify that the application is not susceptible to LDAP injection, or that security controls prevent LDAP injection. | x | x | x | 2.0 | SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.12 | Verify that the application is not susceptible to OS command injection, or that security controls prevent OS command injection. | x | x | x | 2.0 | SI-3 Malicious Code Protection, SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.13 | Verify that the application is not susceptible to Remote File Inclusion (RFI) or Local File Inclusion (LFI) when content that is a path to a file is used. | x | x | x | 3.0 | SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.14 | Verify that the application is not susceptible to common XML attacks, such as XPath query tampering, XML External Entity attacks, and XML injection attacks. | x | x | x | 2.0 | SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.15 | Ensure that all string variables placed into HTML or other web client code are either properly contextually encoded manually, or rendered through templates that automatically encode for the context, so that the application is not susceptible to reflected, stored and DOM Cross-Site Scripting (XSS) attacks. | x | x | x | 2.0 | SI-10 Information Input Validation, SI-14 Non-Persistence, SI-15 Information Output Filtering, CA-8 Penetration Testing |
| 5.16 | If the application framework allows automatic mass parameter assignment (also called automatic variable binding) from the inbound request to a model, verify that security-sensitive fields such as "accountBalance", "role" or "password" are protected from malicious automatic binding. | | x | x | 2.0 | SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.17 | Verify that the application has defenses against HTTP parameter pollution attacks, particularly if the application framework makes no distinction about the source of request parameters (GET, POST, cookies, headers, environment, etc.). | | x | x | 2.0 | SI-10 Information Input Validation, CA-8 Penetration Testing, CM-2 Baseline Configuration, CM-6 Configuration Settings |
| 5.18 | Verify that client-side validation is used as a second line of defense, in addition to server-side validation. | | x | x | 3.0 | SI-6 Security Function Verification, SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.19 | Verify that all input data is validated, not only HTML form fields but all sources of input such as REST calls, query parameters, HTTP headers, cookies, batch files, RSS feeds, etc., using positive validation (whitelisting) first, then lesser forms of validation such as greylisting (eliminating known bad strings) or rejecting bad inputs (blacklisting). | | x | x | 3.0 | SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.20 | Verify that structured data is strongly typed and validated against a defined schema including allowed characters, length and pattern (e.g. credit card numbers or telephone numbers), or by validating that two related fields are reasonable, such as checking that suburb and zip or post code match. | | x | x | 3.0 | SI-10 Information Input Validation |
| 5.21 | Verify that unstructured data is sanitized to enforce generic safety measures such as allowed characters and length, and that characters potentially harmful in the given context are escaped (e.g. natural names with Unicode or apostrophes, such as ねこ or O'Hara). | | x | x | 3.0 | SI-10 Information Input Validation, SI-15 Information Output Filtering, CA-8 Penetration Testing |
| 5.22 | Make sure untrusted HTML from WYSIWYG editors or similar is properly sanitized with an HTML sanitizer and handled appropriately according to the input validation task and encoding task. | x | x | x | 3.0 | SI-10 Information Input Validation, SI-15 Information Output Filtering |
| 5.23 | For auto-escaping template technology, if UI escaping is disabled, ensure that HTML sanitization is enabled instead. | | x | x | 3.0 | SI-10 Information Input Validation, SI-15 Information Output Filtering, CM-6 Configuration Settings |
| 5.24 | Verify that data transferred from one DOM context to another uses safe JavaScript methods, such as .innerText and .val. | | x | x | 3.0 | SI-1 System and Information Integrity Policy and Procedures, SI-2 Flaw Remediation |
| 5.25 | Verify that when parsing JSON in browsers, JSON.parse is used to parse JSON on the client. Do not use eval() to parse JSON on the client. | | x | x | 3.0 | SI-2 Flaw Remediation, SI-10 Information Input Validation, CA-8 Penetration Testing |
| 5.26 | Verify that authenticated data is cleared from client storage, such as the browser DOM, after the session is terminated. | | x | x | 3.0 | SI-10 Information Input Validation, SI-14 Non-Persistence, CA-8 Penetration Testing |
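Most of the V5 rows are mapped to the single control SI-10, which hides how different the concrete defences are. The following is an added example written for this page, not OWASP's or NIST's code, showing the injection-prone query beside its parameterised form (5.10), an explicit allowlist for mass assignment (5.16), rejection of duplicated parameters (5.17), strongly typed structured data with a cross-field check (5.20), and contextual output encoding that leaves names like O'Hara and ねこ intact (5.15, 5.21). The users table, the bindable-field list and the postcode lookup are constructed for the example.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs


def build_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


INJECTION = "' OR '1'='1"   # classic tautology payload


def find_user_unsafe(conn, name):
    """The pattern 5.10 forbids: the value becomes part of the SQL text."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user(conn, name):
    """5.10: query parameterisation; the value can never change the statement."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# 5.16: only these fields may be bound from a request; role, balance and
# password are absent on purpose, so a crafted form field cannot set them.
BINDABLE = {"display_name", "email"}


def bind(model, params):
    updated = dict(model)
    for key, value in params.items():
        if key in BINDABLE:
            updated[key] = value
    return updated


def single_param(query_string, name):
    """5.17: a duplicated parameter is rejected, not resolved to first or last."""
    values = parse_qs(query_string, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name!r}, got {len(values)}")
    return values[0]


# 5.20: allowlisted pattern for an E.164 phone number plus a cross-field check.
E164 = re.compile(r"\+[1-9][0-9]{7,14}")
POSTCODES = {"2000": "Sydney", "3000": "Melbourne"}   # constructed lookup table


def validate_contact(phone, suburb, postcode):
    return bool(E164.fullmatch(phone)) and POSTCODES.get(postcode) == suburb


def render_greeting(name):
    """5.15 / 5.21: encode for the HTML text context at output time; the raw
    name (apostrophes, Unicode and all) is stored unchanged."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)
```

`find_user_unsafe` is kept only to make the contrast testable; in the parameterised version the same payload is just a string nobody is named after.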
V7. Cryptography at Rest Verification Requirements

| Req# | Requirement | L1 | L2 | L3 | Since | NIST SP 800-53 Rev. 4 equivalent |
|---|---|---|---|---|---|---|
| 7.2 | Verify that all cryptographic modules fail securely, and that errors are handled in a way that does not enable a padding oracle. | x | x | x | 1.0 | SC-13 Cryptographic Protection, SI-11 Error Handling |
| 7.6 | Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module's approved random number generator when these random values are intended to be unguessable by an attacker. | | x | x | 1.0 | SC-13 Cryptographic Protection |
| 7.7 | Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. | x | x | x | 1.0 | SC-12 Cryptographic Key Establishment and Management, SI-6 Security Function Verification |
| 7.8 | Verify that cryptographic modules operate in their approved mode according to their published security policies. | | | x | 1.0 | SC-12 Cryptographic Key Establishment and Management |
| 7.9 | Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced. | | x | x | 1.0 | SC-12 Cryptographic Key Establishment and Management, SC-17 Public Key Infrastructure Certificates |
| 7.11 | Verify that consumers of cryptographic services do not have direct access to key material. Isolate cryptographic processes, including master secrets, and consider the use of a virtualized or physical hardware key vault (HSM). | | | x | 3.0.1 | SC-12 Cryptographic Key Establishment and Management, SC-17 Public Key Infrastructure Certificates |
| 7.12 | Personally Identifiable Information should be stored encrypted at rest, and communication of it should go via protected channels. | | x | x | 3.0 | SC-13 Cryptographic Protection, SC-28 Protection of Information at Rest, SI-12 Information Handling and Retention |
| 7.13 | Verify that sensitive passwords or key material maintained in memory are overwritten with zeros as soon as they are no longer required, to mitigate memory dumping attacks. | | x | x | 3.0.1 | SI-2 Flaw Remediation, SI-16 Memory Protection |
| 7.14 | Verify that all keys and passwords are replaceable, and are generated or replaced at installation time. | | x | x | 3.0 | SC-12 Cryptographic Key Establishment and Management |
| 7.15 | Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances. | | | x | 3.0 | SI-6 Security Function Verification, SI-17 Fail-Safe Procedures |
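The SC-12 rows above (7.9, 7.11, 7.14) together with 7.2, 7.6 and 7.13 describe a key-vault boundary: callers ask a service to sign and verify, keys are versioned so they can be rotated and retired, a retired key is overwritten before it is dropped, and verification has exactly one failure outcome whatever went wrong. The following is an added example written for this page, not OWASP's or NIST's code, and it is an HMAC signing service rather than an encryption service because that needs only the standard library; the `Vault` API and the `v<version>.<mac>` token format are assumptions, and the zeroisation is best effort because CPython may hold other copies of the bytes.

```python
import hashlib
import hmac
import secrets


def random_token(nbytes=32):
    """7.6: unguessable values come from the OS CSPRNG via secrets, never random.random().
    7.15: os.urandom-backed generators do not block under load once seeded."""
    return secrets.token_hex(nbytes)


class Vault:
    """7.11: consumers get sign/verify keyed by version; key bytes never leave this class."""

    def __init__(self):
        self._keys = {}     # version -> bytearray (7.9: the lifecycle is tracked here)
        self._current = 0
        self.rotate()       # 7.14: a fresh key is generated at installation, never shipped

    def rotate(self):
        """7.9 generate: a new current key; older versions keep verifying until retired."""
        self._current += 1
        self._keys[self._current] = bytearray(secrets.token_bytes(32))
        return self._current

    def retire(self, version):
        """7.9 revoke/expire, 7.13 zeroise: overwrite the material before dropping it."""
        if version == self._current:
            raise ValueError("rotate before retiring the current key")
        key = self._keys.pop(version)
        key[:] = bytes(len(key))

    def versions(self):
        return sorted(self._keys)

    def sign(self, data: bytes) -> str:
        mac = hmac.new(self._keys[self._current], data, hashlib.sha256).hexdigest()
        return f"v{self._current}.{mac}"

    def verify(self, token: str, data: bytes) -> bool:
        """7.2: bad format, unknown or retired version and wrong MAC all produce the
        same False, so the caller (or an attacker) learns nothing from the failure mode."""
        try:
            version_text, mac = token.split(".", 1)
            key = self._keys[int(version_text.lstrip("v"))]
        except (ValueError, KeyError, AttributeError):
            return False
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)
```

The version prefix is what makes rotation operationally safe: tokens issued under the old key remain valid until an operator calls `retire`, and a retired version verifies nothing even if its bytes were captured from memory after zeroisation.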
V8. Error Handling and Logging Verification Requirements

| Req# | Requirement | L1 | L2 | L3 | Since | NIST SP 800-53 Rev. 4 equivalent |
|---|---|---|---|---|---|---|
| 8.1 | Verify that the application does not output error messages or stack traces containing sensitive data that could assist an attacker, including session ids, software/framework versions and personal information. | x | x | x | 1.0 | SI-1 System and Information Integrity Policy and Procedures, SI-11 Error Handling, SI-12 Information Handling and Retention |
| 8.2 | Verify that error handling logic in security controls denies access by default. | | x | x | 1.0 | AC-24 Access Control Decisions, SI-11 Error Handling |
| 8.3 | Verify that security logging controls provide the ability to log success and particularly failure events that are identified as security-relevant. | | x | x | 1.0 | SI-5 Security Alerts, Advisories, and Directives, SI-11 Error Handling, SI-12 Information Handling and Retention, AU-12 Audit Generation |
| 8.4 | Verify that each log event includes the information necessary for a detailed investigation of the timeline when an event happens. | | x | x | 1.0 | SI-5 Security Alerts, Advisories, and Directives, SI-12 Information Handling and Retention, AU-3 Content of Audit Records |
| 8.5 | Verify that all events that include untrusted data will not execute as code in the intended log viewing software. | | | x | 1.0 | SI-11 Error Handling, SI-12 Information Handling and Retention, SI-15 Information Output Filtering |
| 8.6 | Verify that security logs are protected from unauthorized access and modification. | | x | x | 1.0 | AC-3 Access Enforcement, AC-24 Access Control Decisions, AU-9 Protection of Audit Information |
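The V8 rows mapped to AU-3, AU-9 and SI-11 are easiest to see as one logging path: every security event carries who, what, where, when and the outcome (8.3, 8.4); values under sensitive keys are replaced before they reach the sink (8.1); control characters in untrusted values are neutralised so a value cannot forge a second log line or drive a terminal or web viewer (8.5); the application only holds an append handle (8.6); and an unexpected exception turns into a denial with an opaque reference for the client while the exception class goes to the log (8.1, 8.2). The following is an added example written for this page, not OWASP's or NIST's code; the event schema, the redaction key list and the in-memory sink are assumptions.

```python
import json
import re
import secrets
import time

REDACT_KEYS = {"password", "session_id", "authorization", "cookie", "token"}   # 8.1
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, ESC (ANSI), NUL, ... (8.5)


def sanitize(value, limit=256):
    """8.5: a logged value can never start a new line or carry a terminal escape;
    the length cap bounds log growth from oversized input."""
    return CONTROL_CHARS.sub("?", str(value))[:limit]


def security_event(event, outcome, source_ip, user=None, now=None, **details):
    """8.3 / 8.4: what happened, whether it succeeded, from where, as whom, when.
    Returns one JSON line; values under sensitive keys are replaced (8.1)."""
    record = {
        "ts": time.time() if now is None else now,
        "event": sanitize(event),
        "outcome": outcome,
        "src": sanitize(source_ip),
        "user": None if user is None else sanitize(user),
    }
    for key, value in details.items():
        record[key] = "[REDACTED]" if key.lower() in REDACT_KEYS else sanitize(value)
    return json.dumps(record, ensure_ascii=True, separators=(",", ":"))


def parse_event(line):
    """Reverse of security_event, for the investigation side (8.4)."""
    return json.loads(line)


class AppendOnlyLog:
    """8.6: application code gets an append-only handle; reading back is a separate,
    privileged operation (here just a tuple copy of the lines)."""

    def __init__(self):
        self._lines = []

    def write(self, line):
        self._lines.append(line)

    def lines(self):
        return tuple(self._lines)


def guarded(handler, log, source_ip, *args):
    """8.1 + 8.2: an unexpected exception denies the request with an opaque reference;
    the client never sees the message or a stack trace, and the log records the
    exception class plus the same reference so the two can be correlated later."""
    try:
        return handler(*args)
    except Exception as exc:
        ref = secrets.token_hex(8)
        log.write(security_event("handler.error", "deny", source_ip,
                                 ref=ref, exception=type(exc).__name__))
        return {"error": "request denied", "ref": ref}
```

The exception message is deliberately not logged either: it frequently echoes user input or an internal address, and the class name plus reference is enough to find the full trace in the application's own error tracker.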