Domain-Specific Testing v4.0.3

OWASP ASVS

Application Security Verification Standard

OWASP (Open Worldwide Application Security Project) Source Document →

What It Is

A comprehensive checklist of application security requirements — not a testing guide, but a verification standard. ASVS defines what to verify across 14 chapters:

  1. Architecture, Design, and Threat Modeling
  2. Authentication
  3. Session Management
  4. Access Control
  5. Validation, Sanitization, and Encoding
  6. Stored Cryptography
  7. Error Handling and Logging
  8. Data Protection
  9. Communication
  10. Malicious Code
  11. Business Logic
  12. Files and Resources
  13. API and Web Services
  14. Configuration

Three verification levels tier the requirements by risk:

  • Level 1 (Opportunistic) — Automated-scannable, minimum viable security
  • Level 2 (Standard) — Appropriate for most applications handling sensitive data
  • Level 3 (Advanced) — High-value targets: banking, healthcare, critical infrastructure

Why It Matters

The OWASP Top 10 is an awareness document — ten risk categories to know about. ASVS is a verification standard — 280+ specific, testable requirements you can use as acceptance criteria. The difference matters: Top 10 tells you “injection is bad”; ASVS tells you exactly which input validation, parameterization, and encoding requirements your application must meet.

ASVS requirements are concrete enough to put in procurement contracts, RFPs, and CI/CD acceptance gates.

When to Use It

When you need to define what good looks like before you start testing. Use ASVS to set requirements, then use WSTG/MASTG to test against them. Also valuable for secure code review, architecture review, and vendor security assessment.

The Offensive Angle

ASVS Level 1 is what automated scanners can verify. Levels 2 and 3 require manual testing and architectural review. If you’re assessing an application that claims “we pass all automated scans,” ASVS Levels 2-3 are where you find the gaps that automation misses — business logic flaws, architectural weaknesses, and design-level vulnerabilities.

Pairs Well With

  • OWASP WSTG — ASVS defines what; WSTG defines how to test it
  • OWASP MASTG — Same relationship for mobile applications
  • CSA CCM — Cloud-specific controls that complement application-level ASVS requirements