Application Security Verification Standard

The Application Security Verification Standard (ASVS) is a long-established OWASP flagship project, widely used both as a source of security requirements and as the basis for the core verification of web applications.

It can be downloaded from the OWASP project page in various languages and formats: PDF, Word, CSV, XML and JSON. Having said that, the recommended way to consume the ASVS is to access the GitHub markdown pages directly, as this ensures that the latest version is used.

What is ASVS?

The ASVS is an open standard that sets out the coverage and level of rigor expected when it comes to performing web application security verification. The standard also provides a basis for testing any technical security controls that are relied on to protect against vulnerabilities in the application.

The ASVS defines three verification levels:

  1. Level 1: applications that only need low assurance levels; these applications are completely penetration testable
  2. Level 2: applications which contain sensitive data that require protection; the recommended level for most applications
  3. Level 3: the most critical applications that require the highest level of trust

Most applications will aim for Level 2, with only those applications that perform high value transactions, or contain sensitive medical data, aiming for the highest level of trust at Level 3.

Why use it?

The ASVS is used by many organizations as a basis for the verification of their web applications. It is well established: the earliest versions were written in 2008, and it has been continually supported since then. The ASVS is comprehensive; for example, version 4.0.3 has a list of 286 verification requirements, and these verification requirements have been created and agreed to by a wide security community.

For these reasons the ASVS is a good starting point for creating and updating security requirements for web applications. The widespread use of this open standard means that development teams and suppliers may already be familiar with the requirements, leading to easier adoption of the security requirements.

How to use it

The OWASP Spotlight series provides an overview of the ASVS and its uses: ‘Project 19 - OWASP Application Security Verification standard (ASVS)’.

The appropriate level of verification should be chosen from the three ASVS levels described above.

Tools such as SecurityRAT can help create a more manageable subset of the ASVS security requirements, allowing focus and decisions on whether each one is applicable to the web application or not.

The OWASP Cheat Sheets have been indexed specifically for each section of the ASVS, and can be used as documentation to help decide whether a requirement category is to be included in the test scheme.
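As an added example (not code from the Developer Guide or the ASVS project), the subsetting step just described: read the ASVS JSON export, keep only the requirements flagged as required at the chosen level, and emit a review sheet in which the team records whether each requirement applies to the application, the same kind of subset a tool such as SecurityRAT manages. The layout of the export assumed here (chapters, then sections, then requirement items each carrying L1/L2/L3 "Required" flags) is my assumption, and the miniature document is constructed for the example.

```python
import csv
import io
import json

def _item(code, text, *levels):
    """Build one constructed requirement entry, flagged as required at the given levels."""
    return {"Shortcode": code, "Description": text,
            **{f"L{n}": {"Required": n in levels} for n in (1, 2, 3)}}

# Constructed miniature document in the layout assumed for the ASVS JSON export
# (chapters -> sections -> items); identifiers and texts are made up, not real entries.
SAMPLE_ASVS_JSON = json.dumps({"Version": "4.0.3", "Requirements": [
    {"Shortcode": "V2", "ShortName": "Authentication", "Items": [
        {"Shortcode": "V2.1", "Name": "Password Security", "Items": [
            _item("V2.1.1", "Sample requirement A", 1, 2, 3),
            _item("V2.1.2", "Sample requirement B", 2, 3),
            _item("V2.1.3", "Sample requirement C", 3),
        ]}]},
    {"Shortcode": "V3", "ShortName": "Session Management", "Items": [
        {"Shortcode": "V3.1", "Name": "Session Basics", "Items": [
            _item("V3.1.1", "Sample requirement D", 1, 2, 3),
        ]}]},
]})

def select_requirements(asvs_json: str, level: int) -> list:
    """Return the requirements flagged as required at the chosen ASVS level.
    Levels are cumulative, so checking the single per-level flag is sufficient."""
    if level not in (1, 2, 3):
        raise ValueError("ASVS defines verification levels 1, 2 and 3 only")
    flag = f"L{level}"
    selected = []
    for chapter in json.loads(asvs_json)["Requirements"]:
        for section in chapter["Items"]:
            for req in section["Items"]:
                if req.get(flag, {}).get("Required", False):
                    selected.append({"id": req["Shortcode"], "chapter": chapter["ShortName"],
                                     "section": section["Name"], "requirement": req["Description"]})
    return selected

def to_review_csv(selected: list) -> str:
    """Emit a review sheet with empty 'applicable' and 'notes' columns, so the team
    can record per requirement whether it applies to this application."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["id", "chapter", "section", "requirement", "applicable", "notes"])
    for req in selected:
        writer.writerow([req["id"], req["chapter"], req["section"], req["requirement"], "", ""])
    return out.getvalue()
```

Point `select_requirements` at the real export instead of the sample to produce the Level 1, 2 or 3 subset for an actual application.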

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.