What It Is
A comprehensive checklist of application security requirements — not a testing guide, but a verification standard. ASVS defines what to verify across 14 chapters:
- Architecture, Design, and Threat Modeling
- Authentication
- Session Management
- Access Control
- Validation, Sanitization, and Encoding
- Stored Cryptography
- Error Handling and Logging
- Data Protection
- Communication
- Malicious Code
- Business Logic
- Files and Resources
- API and Web Services
- Configuration
Three verification levels tier the requirements by risk:
- Level 1 (Opportunistic) — Automated-scannable, minimum viable security
- Level 2 (Standard) — Appropriate for most applications handling sensitive data
- Level 3 (Advanced) — High-value targets: banking, healthcare, critical infrastructure
Why It Matters
The OWASP Top 10 is an awareness document — ten risk categories to know about. ASVS is a verification standard — 280+ specific, testable requirements you can use as acceptance criteria. The difference matters: Top 10 tells you “injection is bad”; ASVS tells you exactly which input validation, parameterization, and encoding requirements your application must meet.
ASVS requirements are concrete enough to put in procurement contracts, RFPs, and CI/CD acceptance gates.
When to Use It
When you need to define what good looks like before you start testing. Use ASVS to set requirements, then use WSTG/MASTG to test against them. Also valuable for secure code review, architecture review, and vendor security assessment.
The Offensive Angle
ASVS Level 1 is what automated scanners can verify. Levels 2 and 3 require manual testing and architectural review. If you’re assessing an application that claims “we pass all automated scans,” ASVS Levels 2-3 are where you find the gaps that automation misses — business logic flaws, architectural weaknesses, and design-level vulnerabilities.
Pairs Well With
- OWASP WSTG — ASVS defines what; WSTG defines how to test it
- OWASP MASTG — Same relationship for mobile applications
- CSA CCM — Cloud-specific controls that complement application-level ASVS requirements