OWASP: Application Security Verification Standard

What is the ASVS?

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

The primary aim of the?OWASP Application Security Verification Standard (ASVS) Project?is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:

• Use as a metric?- Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
• Use as guidance?- Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
• Use during procurement?- Provide a basis for specifying application security verification requirements in contracts.

OWASP ASVS 4.0.2 Released!

Get the new version of the ASVS (4.0.2) from the?Downloads?page.

How To Reference ASVS Requirements

Each requirement has an identifier in the format?<chapter>.<section>.<requirement>?where each element is a number, for example:?1.11.3.

• The?<chapter>?value corresponds to the chapter from which the requirement comes, for example: all?1.#.#?requirements are from the?Architecture?chapter.
• The?<section>?value corresponds to the section within that chapter where the requirement appears, for example: all?1.11.#?requirements are in the?Business Logic Architectural Requirements?section of the?Architecture?chapter.
• The?<requirement>?value identifies the specific requirement within the chapter and section, for example:?1.11.3?which as of version 4.0.2 of this standard is:

Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions.

The identifiers may change between versions of the standard therefore it is preferable that other documents, reports, or tools use the format:?v<version>-<chapter>.<section>.<requirement>, where: ‘version’ is the ASVS version tag. For example:?v4.0.2-1.11.3?would be understood to mean specifically the 3rd requirement in the ‘Business Logic Architectural Requirements’ section of the ‘Architecture’ chapter from version 4.0.2. (This could be summarized as?v<version>-<requirement_identifier>.)

Note: The?v?preceding the version portion is to be lower case.

If identifiers are used without including the?v<version>?element then they should be assumed to refer to the latest Application Security Verification Standard content. Obviously as the standard grows and changes this becomes problematic, which is why writers or developers should include the version element.

ASVS requirement lists are made available in?CSV, JSON, and other formats?which may be useful for reference or programmatic use.

Related Projects

OWASP Resources:

• OWASP Top Ten Proactive Controls (2018)
• OWASP Top Ten Risks (2017)
• OWASP Cheatsheet Series

Glossary

• Access Control?– A means of restricting access to files, referenced functions, URLs, and data based on the identity of users and/or groups to which they belong.
• Application Component?– An individual or group of source files, libraries, and/or executables, as defined by the verifier for a particular application.
• Application Security?– Application-level security focuses on the analysis of components that comprise the application layer of the Open Systems Interconnection Reference Model (OSI Model), rather than focusing on for example the underlying operating system or connected networks.
• Application Security Verification?– The technical assessment of an application against the OWASP ASVS.
• Application Security Verification Report?– A report that documents the overall results and supporting analysis produced by the verifier for a particular application.
• Application Security Verification Standard (ASVS)?– An OWASP standard that defines four levels of application security verification for applications.
• Authentication?– The verification of the claimed identity of an application user.
• Automated Verification?– The use of automated tools (either dynamic analysis tools, static analysis tools, or both) that use vulnerability signatures to find problems.
• Back Doors?– A type of malicious code that allows unauthorized access to an application.
• Blacklist?– A list of data or operations that are not permitted, for example a list of characters that are not allowed as input.
• Common Criteria (CC)?– A multipart standard that can be used as the basis for the verification of the design and implementation of security controls in IT products.
• Communication Security?– The protection of application data when it is transmitted between application components, between clients and servers, and between external systems and the application.
• Design Verification?– The technical assessment of the security architecture of an application.
• Internal Verification?– The technical assessment of specific aspects of the security architecture of an application as defined in the OWASP ASVS.
• Cryptographic module?– Hardware, software, and/or firmware that implements cryptographic algorithms and/or generates cryptographic keys.
• Denial of Service (DOS) Attacks?– The flooding of an application with more requests than it can handle.
• Dynamic Verification?– The use of automated tools that use vulnerability signatures to find problems during the execution of an application.
• Easter Eggs?– A type of malicious code that does not run until a specific user input event occurs.
• External Systems?– A server-side application or service that is not part of the application.
• FIPS 140-2?– A standard that can be used as the basis for the verification of the design and implementation of cryptographic modules
• Input Validation?– The canonicalization and validation of untrusted user input.
• Malicious Code?– Code introduced into an application during its development unbeknownst to the application owner which circumvents the application’s intended security policy. Not the same as malware such as a virus or worm!
• Malware?– Executable code that is introduced into an application during runtime without the knowledge of the application user or administrator.
• Open Web Application Security Project (OWASP)?– The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. Our mission is to make application security “visible,” so that people and organizations can make informed decisions about application security risks. See: https://www.owasp.org/
• Output Validation?– The canonicalization and validation of application output to Web browsers and to external systems.
• OWASP Enterprise Security API (ESAPI)?– A free and open collection of all the security methods that developers need to build secure Web applications. See: https://www.owasp.org/index.php/ESAPI
• OWASP Risk Rating Methodology?– A risk rating methodology that has been customized for application security. See: https://www.owasp.org/index.php/How_to_value_the_real_risk
• OWASP Testing Guide?– A document designed to help organizations understand what comprises a testing program, and to help them identify the steps needed to build and operate that testing program. See: https://www.owasp.org/index.php/Category:OWASP_Testing_Project
• OWASP Top Ten?– A document that represents a broad consensus about what the most critical Web application security flaws are. See: https://www.owasp.org/index.php/Top10
• Positive?– See whitelist.
• Salami Attack?– A type of malicious code that is used to redirect small amounts of money without detection in financial transactions.
• Security Architecture?– An abstraction of an application’s design that identifies and describes where and how security controls are used, and also identifies and describes the location and sensitivity of both user and application data.
• Security Control?– A function or component that performs a security check (e.g. an access control check) or when called results in a security effect (e.g. generating an audit record).
• Security Configuration?– The runtime configuration of an application that affects how security controls are used.
• Static Verification?– The use of automated tools that use vulnerability signatures to find problems in application source code.
• Target of Verification (TOV)?– If you are performing an application security verification according to the OWASP ASVS requirements, the verification will be of a particular application. This application is called the “Target of Verification” or simply the TOV.
• Threat Modeling?- A technique consisting of developing increasingly refined security architectures to identify threat agents, security zones, security controls, and important technical and business assets.
• Time Bomb?– A type of malicious code that does not run until a preconfigured time or date elapses.
• Verifier?- The person or team that is reviewing an application against the OWASP ASVS requirements.
• Whitelist?– A list of permitted data or operations, for example a list of characters that are allowed to perform input validation.