The OWASP Application Security Verification Standard (ASVS) Project provides a framework for the security of web applications and web services. It establishes a security control baseline for web applications in their design, development, and testing phases, providing developers, testers, and architects with a clear roadmap for creating secure applications.

Definition and purpose

The primary goal of the OWASP ASVS is to normalize the range of security controls required when designing, developing, and testing modern web applications and web services. It offers a basis for testing web application technical security controls, as well as any technical security controls in the environment, that are relied on to protect, authenticate, and verify user access to web applications.

Governing body

The Open Web Application Security Project (OWASP) is the governing body for ASVS. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain trusted applications.

Last updated

The most recent update was version 4.03 released in 2019. Version 5.0 has been announced and is currently being developed.

Applies to

The OWASP ASVS applies broadly to web applications and web services, irrespective of industry. This includes organizations in finance, healthcare, e-commerce, IT, public sector, and virtually any other industry that designs, develops, or maintains web applications.

Controls and requirements

The ASVS defines a series of security requirements grouped into domains:

  • Architecture, Design, and Threat Modeling
  • Authentication
  • Session Management
  • Access Control
  • Validation, Sanitization, and Encoding
  • Stored Cryptographic Protections
  • Error Handling and Logging
  • Data Protection
  • Communications
  • HTTP Security Configuration
  • Malicious Controls
  • Business Logic
  • Files and Resources

Each domain has its own specific controls or requirements. For instance, within the "Authentication" domain, there might be controls related to password complexity, account lockout mechanisms, and multi-factor authentication.

Please refer to the official OWASP Application Security Verification Standard documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

OWASP ASVS assessments are typically a mix of manual reviews and automated scans, encompassing source code review, runtime testing, and environment configuration examination.

The frequency of audits depends on the development lifecycle, any changes made to the application, or the specific business or regulatory requirements. Typically, security assessments might be conducted for major application releases or at least once a year.

The duration of the audit varies based on the complexity and size of the application, the specific level of verification sought (ASVS has three levels), and the depth of testing required.
