Category:OWASP Application Security Verification Standard Project

From OWASP

About
FAQ
Download
News
Users/Contributors


OWASP Documentation Project Application Security Verification Standards (ASVS) Application Security Verification Standards are specifications produced by OWASP in cooperation with secure applications developers and verifiers worldwide for the purpose of accelerating the deployment of secure Web applications. First published in 2008 as a result of an OWASP Summer of Code grant and meetings with a small group of early adopters, the ASVS documents have become widely referenced and implemented. Further development of ASVS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please contact us. You can download it here. Need help getting started? ASVS is brand new after all! Read this. Use this and this! Frequently asked questions can be found here. How ASVS Works ASVS defines four levels of Web application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that are being used.	Latest News OWASP ASVS users list updated to include CETEC/CTCSE - Divisão Processos de Segurança no Desenvolvimento SERPRO - Serviço Federal de Processamento de Dados / Sede - Brasília-DF (CETEC / CTCSE - Division of Security in Development Processes SERPRO - Federal Service of Data Processing / Headquarters - Brasília-DF) "Here in Serpro we have more than 2000 software developers as part of more than 10.000 employees. We have a strong need to address the webservices security issues. But as a first approach, we are working on the ASVS for web applications and we are integrating this standard to our development life cycle(including our agile process) and software acquisition process." OWASP ASVS is discussed in the Department of Defense (DoD) Information Assurance Technology Analysis Center (IATAC) State-of-the-Art-Report (SOAR) on "Measuring Cyber Security and Information Assurance". OWASP ASVS rulesets are added to Casaba Security's security testing tool Watcher version 1.2.0. First tool vendor to do so! OWASP ASVS users list updated to include CGI Federal OWASP ASVS Release Version published! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors. OWASP ASVS is presented by Dave Wichers at OWASP AppSec Europe 2009 - Poland. OWASP ASVS users list updated to include Federal Deposit Insurance Corporation (FDIC). Have you added ASVS to your software assurance tool box? Please let us know your stories! ASVS News Archives ASVS Announcement Feed ASVS Mailing List

OWASP Documentation Project

Application Security Verification Standards (ASVS)

Application Security Verification Standards are specifications produced by OWASP in cooperation with secure applications developers and verifiers worldwide for the purpose of accelerating the deployment of secure Web applications. First published in 2008 as a result of an OWASP Summer of Code grant and meetings with a small group of early adopters, the ASVS documents have become widely referenced and implemented. Further development of ASVS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please contact us. You can download it here. Need help getting started? ASVS is brand new after all! Read this. Use this and this! Frequently asked questions can be found here.

How ASVS Works

ASVS defines four levels of Web application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that are being used.

Latest News

OWASP ASVS users list updated to include CETEC/CTCSE - Divisão Processos de Segurança no Desenvolvimento SERPRO - Serviço Federal de Processamento de Dados / Sede - Brasília-DF (CETEC / CTCSE - Division of Security in Development Processes SERPRO - Federal Service of Data Processing / Headquarters - Brasília-DF)
- "Here in Serpro we have more than 2000 software developers as part of more than 10.000 employees. We have a strong need to address the webservices security issues. But as a first approach, we are working on the ASVS for web applications and we are integrating this standard to our development life cycle(including our agile process) and software acquisition process."
OWASP ASVS is discussed in the Department of Defense (DoD) Information Assurance Technology Analysis Center (IATAC) State-of-the-Art-Report (SOAR) on "Measuring Cyber Security and Information Assurance".
OWASP ASVS rulesets are added to Casaba Security's security testing tool Watcher version 1.2.0. First tool vendor to do so!
OWASP ASVS users list updated to include CGI Federal
OWASP ASVS Release Version published! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors.
OWASP ASVS is presented by Dave Wichers at OWASP AppSec Europe 2009 - Poland.
OWASP ASVS users list updated to include Federal Deposit Insurance Corporation (FDIC).
Have you added ASVS to your software assurance tool box? Please let us know your stories!
ASVS News Archives
ASVS Announcement Feed
ASVS Mailing List


More About OWASP ASVS ASVS Datasheet: (PDF, Word) ASVS Article: Getting Started Using ASVS (PDF) ASVS Article: Man vs. Code (Wiki) ASVS Template: Sample verification fee schedule template (Excel) ASVS Template: Sample verification report template (Word) ASVS Presentation: Project Presentation (PowerPoint) ASVS Training: An ASVS training presentation (PowerPoint) ASVS Presentation: Executive-Level Presentation (PowerPoint) ASVS Presentation: Presentation Abstract (Word) Articles (More About ASVS and Using It) Related projects OWASP Top Ten OWASP Legal Project OWASP ESAPI	Did You Know... Businesses are under no obligation to seek inclusion in any sort of a registry or a program in order to perform application security verifications according to OWASP ASVS. Download the latest version and start using ASVS today! More complex applications typically take more time to analyze resulting in longer and more costly verifications. Lines of code are not the only factors that determine the complexity of an application – different technologies will typically require different amounts of analysis. Simple applications may include for example libraries and frameworks. Applications of moderate complexity may include simple Web 1.0 applications. Complex applications may include Web 2.0 applications and new/unique Web technologies. One way to introduce verification as an activity into your SDLC is depicted in the figure below.


Project Leader Mike Boberski Project Contributors Jeff Williams Dave Wichers	Project Sponsorship	Users A broad range of companies and agencies around the globe have added ASVS to their software assurance tool boxes, including: Aspect Security Booz Allen Hamilton Casaba Security CGI Federal Denim Group Federal Deposit Insurance Corporation (FDIC) ps_testware Serviço Federal de Processamento de Dados (SERPRO) Organizations listed above are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. Use of ASVS may include for example providing verification services using the standard. Use of ASVS may also include for example performing internal evaluation of products with the OWASP ASVS in mind, and NOT making any claims of meeting any given level in the standard. Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached here.