Category:OWASP Application Security Verification Standard Project

Download
Web Application Standard

Download ASVS now, for free, here.

Other Versions
 * There is a wikified version here.
 * Please see the ASVS Google Code repository here for other versions, including translations and other formats (Word, XML, etc.)

Precedents/Interpretations
PI-0001: Are there levels between the levels?
 * Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"?
 * Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged.
 * References: ASVS section "Application Security Verification Levels"

PI-0002: Is use of a master key simply another level of indirection?
 * Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection?
 * Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection.
 * References: ASVS verification requirement V2.14

PI-0003: What is a "TOV" or "Target of Verification"?
 * Issue: New terminology
 * Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the “Target of Verification” or simply the TOV. The TOV should be identified in verification documentation as follows:
 * TOV Identification –  or ,, dynamic testing was performed in a staging environment, not the production environment
 * TOV Developer – 
 * References: ASVS section "Approach"

News
Project News


 * 07/06/2009 - OWASP ASVS users list updated to include Minded Security


 * 07/02/2009 - OWASP ASVS and "Man vs. Code" ASVS article mentioned in Toorcamp 2009 presentation


 * 07/01/2009 - OWASP ASVS users list updated to include CETEC/CTCSE - Divisão Processos de Segurança no Desenvolvimento SERPRO - Serviço Federal de Processamento de Dados / Sede - Brasília-DF (CETEC / CTCSE - Division of Security in Development Processes SERPRO - Federal Service of Data Processing / Headquarters - Brasília-DF)


 * 06/22/2009 - OWASP ASVS rulesets are added to Casaba Security's security testing tool Watcher version 1.2.0. First tool vendor to do so!


 * 06/09/2009 - OWASP ASVS users list updated to include CGI Federal


 * 06/03/2009 - OWASP ASVS Release Version published! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors.


 * 05/15/2009 - OWASP ASVS users list updated to include Denim Group


 * 05/13/2009 - OWASP ASVS is presented by Dave Wichers at OWASP AppSec Europe 2009 - Poland.


 * 05/04/2009 - OWASP ASVS users list updated to include Casaba Security


 * 05/09/2009 - OWASP ASVS is discussed in the Department of Defense (DoD) Information Assurance Technology Analysis Center (IATAC) State-of-the-Art-Report (SOAR) on "Measuring Cyber Security and Information Assurance".


 * 04/09/2009 - OWASP ASVS is the subject of an opinion piece by Mike Boberski in SC Magazine on the need for a web app standard


 * 04/08/2009 - OWASP ASVS users list updated to include ps_testware.


 * 04/06/2009 - OWASP ASVS users list updated to include Federal Deposit Insurance Corporation (FDIC).


 * 03/13/2009 - OWASP ASVS is presented by Dave Wichers at OWASP Software Assurance Day DC 2009 in conjunction with the Software Assurance Forum sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.


 * 02/25/2009 – OWASP ASVS proposed updates based on pilots being considered.


 * 01/22/2009 - OWASP ASVS has been integrated into the OWASP Secure Software Contract Annex in the OWASP Legal Project.


 * 01/08/2009 - OWASP ASVS is presented by Mike Boberski at the OWASP Washington VA Local Chapter meeting.


 * 12/29/2008 - OWASP ASVS is the subject of an article by DarkReading.


 * 12/08/2008 - OWASP ASVS Final assistance required! Please join the mailing list for more information and assignments.


 * 12/05/2008 - OWASP ASVS exits the Summer of Code 2008! The Beta draft of the Web Application Edition is released! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors.


 * 11/03/2008 - OWASP ASVS is presented by Jeff Williams at OWASP EU Summit 2008.


 * 10/03/2008 - OWASP ASVS Alpha draft is released! Mike Boberski is the primary author.


 * 04/16/2008 - OWASP ASVS Summer of Code 2008 proposal submitted by Mike Boberski wins!

Weekly Status
 * 2009-11-27

Users/Contributors
This project licensed under the Creative Commons Attribution ShareAlike 3.0.

= Articles Below - More About ASVS and Using It =