OWASP Application Security Verification Standard (ASVS)

Creative Commons License OWASP Flagship Github stars ASVS Twitter Follow

What is the ASVS?

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

Support the ASVS

For more details on how to financially support the ASVS, see our Supporters Page.

Stay up to date with the ASVS

Follow us on social media to ensure you don’t miss updates about the ASVS:

  • Twitter Follow

More Details on the ASVS

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:

  • Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
  • Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
  • Use during procurement - Provide a basis for specifying application security verification requirements in contracts.

Get the latest stable version of the ASVS (4.0.3) from the Downloads page and the plan and roadmap towards ASVS version 5.0 has been announced!

How To Reference ASVS Requirements

Each requirement has an identifier in the format <chapter>.<section>.<requirement> where each element is a number, for example: 1.11.3.

  • The <chapter> value corresponds to the chapter from which the requirement comes, for example: all 1.#.# requirements are from the Architecture chapter.
  • The <section> value corresponds to the section within that chapter where the requirement appears, for example: all 1.11.# requirements are in the Business Logic Architecture section of the Architecture chapter.
  • The <requirement> value identifies the specific requirement within the chapter and section, for example: 1.11.3 which as of version 4.0.3 of this standard is:

Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions.

The identifiers may change between versions of the standard therefore it is preferable that other documents, reports, or tools use the format: v<version>-<chapter>.<section>.<requirement>, where: ‘version’ is the ASVS version tag. For example: v4.0.3-1.11.3 would be understood to mean specifically the 3rd requirement in the ‘Business Logic Architecture’ section of the ‘Architecture’ chapter from version 4.0.3. (This could be summarized as v<version>-<requirement_identifier>.)

Note: The v preceding the version portion is to be lower case.

If identifiers are used without including the v<version> element then they should be assumed to refer to the latest Application Security Verification Standard content. Obviously as the standard grows and changes this becomes problematic, which is why writers or developers should include the version element.

ASVS requirement lists are made available in CSV, JSON, and other formats which may be useful for reference or programmatic use.

OWASP Resources:


Example

Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.


Creative Commons License OWASP Flagship Github stars ASVS Twitter Follow

Jump to an event







Meet the ASVS team at Global AppSec San Francisco 2024

You can meet some of the ASVS team and hear about using the ASVS at OWASP Global AppSec San Francisco 2024 happening between 23-27 September.


Get updated on the ASVS

Two of our working group, Shanni Prutchi and Ryan Armstrong will be delivering a short talk about the ASVS project and the latest developments and plans.

You can catch them at 14:15 on Friday afternoon in the Bayview A room. Add it to your conference schedule here.

(Ryan and Shanni are also doing their own excellent talks at the conference so dont forget to check those out here and here!)


Hear about using the ASVS

Shortly afterwards, Aram Hovsepyan will be giving a talk about “Maturing Your Application Security Program with ASVS-Driven Development”. In the talk Aram explains how leveraging ASVS for deriving security test cases can create a common theme across all stages of the software development lifecycle.

If you are interested in how to apply ASVS in your development teams, add it to your conference schedule here.


Engage with the Community

Our new Community Manager Matthew Aderhold will also be at the conference so make sure you catch him to grab some stickers, talk to him about how you are using ASVS and get more information on how you can engage with the ASVS community! He will be there from day 1 of the training so you have plenty of time to catch him!

If you have contributed to the ASVS, make sure you let him know as he will have some special shiny stickers for contributors!


We hope to see you there at Global AppSec San Francisco 2024







OWASP ASVS Community Meetup - Lisbon 2024

We held a community meetup for the ASVS project as part of Global AppSec Lisbon on 27th June 2024!

Jim Manico gave the opening keynote to reintroduce the ASVS and the background behind the project and we had some other great talks as well!

There was also an update on the current status of the standard and time allocated to work on the upcoming version 5.0.

You can see full details in the blog post we published about it: https://owasp.org/blog/2024/07/03/asvs-community-meetup.html

Additionally, we would love to get more community members involved in the ASVS and other than working on the standard we also have information about other volunteering opportunities to help develop and promote the project! See the “Get Involved” tab above!.

Full Agenda

You can see the current agenda we had here.

View the ASVS Community Meetup schedule.

Meetup Supporter

Thanks to our friends at Jit for supporting this exciting initiative!








Creative Commons License OWASP Flagship Github stars ASVS Twitter Follow

ASVS Supporters

Introduction

Within the ASVS project, we gratefully recognise the following organizations who support the OWASP Application Security Verification Standard project through monetary donations or allowing contributors to spend significant time working on the standard as part of their work with the organization.

We recognise various tiers of support and the amount of time the supporter is recognised for depends on the supporter level.

On this page and the project web page, we will display the supporter’s logo and link to their website and we will publicise via Social Media as well.

If you would like to directly become a Primary, Secondary or Tertiary supporter, you can make a donation to OWASP of $1,000 or more and choose to “restrict your gift”. Alternatively, when you pay your corporate membership you can choose to allocate part of your membership fee to the ASVS where the allocated amount will govern which level of supporter you become.

Maintaining Supporters (through time provision)

Organizations who have allowed contributors to spend significant time working on the standard as part of their working day with the organization. This will be evaluated at the sole discretion of the project leaders. Supporter will be listed 2 years from the end of the time provision.

Primary supporters

Organizations who have donated $7,000 or more to the project via OWASP. Supporter will be listed in this section for 3 years from the date of the donation.

Secondary supporters

Organizations who have donated $3,000 or more to the project via OWASP. Supporter will be listed in this section for 2 years from the date of the donation.

Tertiary supporters

Organizations who have donated $500 or more to the project via OWASP. Supporter will be listed in this section for 1 year from the date of the donation.

Associate supporters

Organizations who have donated another amount to the project via OWASP. Supporter will be listed in this section for 1 year from the date of the donation.


Creative Commons License OWASP Flagship Github stars ASVS Twitter Follow

News and Events


Creative Commons License OWASP Flagship Github stars ASVS Twitter Follow

Acknowledgements

Note that since 4.x, contributors have been acknowledged in the “Frontispiece” section at the start of the ASVS document itself.

Time and financial supporters are recognised on the “Supporters” tab.

Volunteers

Version 3 (2015)

Project Leaders

  • Daniel Cuthbert
  • Andrew van der Stock

Lead Author

  • Jim Manico

Other reviewers and contributors

  • Boy Baukema
  • Ari Kesäniemi
  • Colin Watson
  • François-Eric Guyomarc’h
  • Cristinel Dumitru
  • James Holland
  • Gary Robinson
  • Stephen de Vries
  • Glenn Ten Cate
  • Riccardo Ten Cate
  • Martin Knobloch
  • Abhinav Sejpal
  • David Ryan
  • Steven van der Baan
  • Ryan Dewhurst
  • Raoul Endres
  • Roberto Martelloni

Version 2 (2014)

Project leaders

  • Sahba Kazerooni
  • Daniel Cuthbert

Lead authors

  • Andrew van der Stock
  • Sahba Kazerooni
  • Daniel Cuthbert
  • Krishna Raja

Other reviewers and contributors

  • Jerome Athias
  • Boy Baukema
  • Archangel Cuison
  • Sebastien.Deleersnyder
  • Antonio Fontes
  • Evan Gaustad
  • Safuat Hamdy
  • Ari Kesäniemi
  • Scott Luc
  • Jim Manico
  • Mait Peekma
  • Pekka Sillanpää
  • Jeff Sergeant
  • Etienne Stalmans
  • Colin Watson
  • Dr. Emin İslam Tatlı

Translators

  • Abbas Javan Jafari (Persian)
  • Sajjad Pourali (Persian)

Version 2009

Project leader

  • Mike Boberski

Lead authors

  • Mike Boberski
  • Jeff Williams
  • Dave Wichers

Other reviewers and contributors

Pierre Parrend (OWASP Summer of Code), Andrew van der Stock, Nam Nguyen, John Martin, Gaurang Shah, Theodore Winograd, Stan Wisseman, Barry Boyd, Steve Coyle, Paul Douthit, Ken Huang, Dave Hausladen, Mandeep Khera Scott Matsumoto, John Steven, Stephen de Vries, Dan Cornell, Shouvik Bardhan, Dr. Sarbari Gupta, Eoin Keary, Richard Campbell, Matt Presson, Jeff LoSapio, Liz Fong, George Lawless, Dave van Stein, Terrie Diaz, Ketan Dilipkumar Vyas, Bedirhan Urgun, Dr. Thomas Braun, Colin Watson, Jeremiah Grossman.

OWASP Summer of Code 2008

The OWASP Foundation sponsored the OWASP Application Security Verification Standard Project during the OWASP Summer of Code 2008.


Creative Commons License OWASP Flagship Github stars ASVS Twitter Follow

Volunteer for the ASVS

Building the standard

We are always looking for people to help out with building the standards and discussing what should be in there.

You can find information on contributing to the standard in the Contribution Guide.

Helping in other ways

We are looking for volunteers to help with the following tasks. We are working on the ASVS all year around and you should expect to have to spend a few hours a week working on your tasks on average. Some of the tasks may be more intensive such as building scripts or GitHub actions.

If any of these roles sound like a good fit for you, please get in touch! Students and non-tech people are welcome to apply, especially folks in the community who are trying to get into the security space but don’t know how, as being involved in an OWASP project like this can provide valuable experience.

The latest list of roles is here:

Public ASVS jobs board

You can submit your interest here:

Volunteer for the ASVS!


Creative Commons License OWASP Flagship Github stars ASVS Twitter Follow

ASVS Users

CREST OWASP Verification Standard (OVS) Programme

The CREST OWASP OVS Programme accredits companies that provide app security testing services to the application development industry. The testing to be performed is based on the ASVS (and MASVS) projects.

App Defense Alliance

The App Defense Alliance has based its Cloud Application Security Assessment (CASA) program on the ASVS project.

Other users

A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including:

Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization’s name, and brief description of how you use the standard. The project leads can be reached using the contact details on the main page.