You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Andrew van der Stock e499d2a3f7
Update README for 4.0
11 months ago
1.0 Find older versions and include them 3 years ago
2.0 Find older versions and include them 3 years ago
3.0 Moved training slides into 3.0 directory. #465 1 year ago
3.0.1 Merge pull request #295 from scriptingxss/master 1 year ago
4.0 4.0.1 update 11 months ago
images Upload of high fidelity images used in ASVS 4 years ago
.gitattributes Fix 1 year ago
.gitignore Update .gitignore 1 year ago Update README for 4.0 11 months ago

OWASP Application Security Verification Standard

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to provide an open application security standard for web apps and web services of all types.

The standard provides a basis for designing, building, and testing technical application security controls, including architectural concerns, secure development lifecycle, threat modelling, agile security including continuous integration / deploynent, serverless, and configuration concerns.

The latest published version is version 4.0.1, which can be found:

The requirements were developed with the following objectives in mind:

  • Help organizations adopt or adapt a high quality secure coding standard
  • Help architects and developers build secure software by designing and building security in, and verifying that they are in place and effective by the use of unit and integration tests that implement ASVS tests
  • Help deploy secure software via the use of repeatable, secured builds
  • Help security reviewers use a comprehensive, consistent, high quality standard for hybrid code reviews, secure code reviews, peer code reviews, retrospectives, and work with developers to build security unit and integration tests. It is even possible to use this standard for penetration testing at Level 1
  • Assist tool vendors by ensuring there is an easily generatable machine readable version, with CWE mappings
  • Assist organizations to benchmark application security tools by the percentage of coverage of the ASVS for dynamic, interactive, and static analysis tools
  • Minimize overlapping and competing requirements from other standards, by either aligning strongly with them (NIST 800-63), or being strict supersets (OWASP Top 10 2017, PCI DSS 3.2.1), which will help reduce compliance costs, effort, and time wasted in accepting unnecessary differences as risks.

Please log issues if you find anything. We are actively looking for translations of the 4.0 branch.