Category:OWASP Application Security Verification Standard Project

Precedents/Interpretations
PI-0001: Are there levels between the levels?
 * Issue: Are there levels between the levels for the cases where "The specification for an application may require OWASP ASVS Level N, but it could also include other additional detailed requirements such as from a higher ASVS level"?
 * Resolution: No. Use of alternate level definitions or notations such as "ASVS Level 1B+" is discouraged.
 * References: ASVS section "Application Security Verification Levels"

PI-0002: Is use of a master key simply another level of indirection?
 * Issue: If a master key is stored as plaintext, isn't using a master key simply another level of indirection?
 * Resolution: No. There is a strong rationale for having a "master key" stored in a secure location that is used to encrypt all other secrets. In many applications, there are lots of secrets stored in many different locations. This greatly increases the likelihood that one of them will be compromised. Having a single master key makes managing the protection considerably simpler and is not simply a level of indirection.
 * References: ASVS verification requirement V2.14

PI-0003: What is a "TOV" or "Target of Verification"?
 * Issue: New terminology
 * Resolution: If you are performing an application security verification according to ASVS, the verification will be of a particular application. This application is called the “Target of Verification” or simply the TOV. The TOV should be identified in verification documentation as follows:
 * TOV Identification –  or ,, dynamic testing was performed in a staging environment, not the production environment
 * TOV Developer – 
 * References: ASVS section "Approach"

Users/Contributors
This project is licensed under the Creative Commons Attribution ShareAlike 3.0 license.

= Articles Below - More About ASVS and Using It =