The OWASP Application Security Verification Standard (ASVS) Project provides a framework for the security of web applications and web services. It establishes a security control baseline for web applications in their design, development, and testing phases, providing developers, testers, and architects with a clear roadmap for creating secure applications.
Definition and purpose
The primary goal of the OWASP ASVS is to normalize the range of security controls required when designing, developing, and testing modern web applications and web services. It offers a basis for testing web application technical security controls, as well as any technical security controls in the environment, that are relied on to protect, authenticate, and verify user access to web applications.
The Open Web Application Security Project (OWASP) is the governing body for ASVS. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain trusted applications.
The most recent update was version 4.03 released in 2019. Version 5.0 has been announced and is currently being developed.
The OWASP ASVS applies broadly to web applications and web services, irrespective of industry. This includes organizations in finance, healthcare, e-commerce, IT, public sector, and virtually any other industry that designs, develops, or maintains web applications.
Controls and requirements
The ASVS defines a series of security requirements grouped into domains:
- Architecture, Design, and Threat Modeling
- Session Management
- Access Control
- Validation, Sanitization, and Encoding
- Stored Cryptographic Protections
- Error Handling and Logging
- Data Protection
- HTTP Security Configuration
- Malicious Controls
- Business Logic
- Files and Resources
Each domain has its own specific controls or requirements. For instance, within the "Authentication" domain, there might be controls related to password complexity, account lockout mechanisms, and multi-factor authentication.
Please refer to the official OWASP Application Security Verification Standard documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
OWASP ASVS assessments are typically a mix of manual reviews and automated scans, encompassing source code review, runtime testing, and environment configuration examination.
The frequency of audits depends on the development lifecycle, any changes made to the application, or the specific business or regulatory requirements. Typically, security assessments might be conducted for major application releases or at least once a year.
The duration of the audit varies based on the complexity and size of the application, the specific level of verification sought (ASVS has three levels), and the depth of testing required.