Knowledge Center / OWASP ASVS
OWASP · Global

OWASP ASVS

A detailed, testable standard for verifying application security.

Introduction: The OWASP Application Security Verification Standard

The OWASP Application Security Verification Standard (ASVS) is the industry's most widely adopted open framework for specifying, building, verifying and procuring secure web applications and web services. Unlike prescriptive tick-box regulations, ASVS is a technical control catalogue that answers a deceptively simple question: 'How much security does this application actually need, and how do I prove it has been achieved?' It provides a graduated hierarchy of testable requirements that engineering teams, penetration testers, procurement officers and auditors can all rally around a shared, unambiguous definition of what 'secure enough' means for a given application.

For CyberSigma clients, ASVS is invaluable because it is simultaneously a design specification, a secure-coding contract, a functional test plan and a penetration-testing rubric. Where compliance mandates such as PCI DSS, DPDP, ISO 27001 or SOC 2 tell you that applications must be 'secure', they rarely tell your developers precisely which authentication, session, access-control, cryptographic and input-validation controls to implement. ASVS closes that gap. It converts abstract governance obligations into concrete, verifiable engineering requirements that can be embedded into user stories, code review gates, CI/CD pipelines and third-party assurance reports.

This guide provides an auditor-grade deep dive into ASVS: its structure, its verification levels, every control domain, a master assessment checklist mapping each family to what a verifier must confirm and the evidence they should expect, plus a phased implementation approach, scoping guidance, audit methodology, evidence request lists, RACI, KPIs and mappings to adjacent frameworks. It reflects the modernised ASVS structure (v4.0.3 lineage through the v5.0 reorganisation) and is written for teams that must both build to ASVS and be assessed against it.

Licensing and copyright note
The OWASP Application Security Verification Standard is published by the OWASP Foundation under the Creative Commons Attribution-ShareAlike (CC BY-SA) licence and is free to use, adapt and redistribute with attribution. This guide is original CyberSigma commentary and interpretation. It paraphrases ASVS concepts and control themes for educational purposes and does not reproduce the verbatim requirement text of the standard. Always download and verify against the current official ASVS release from owasp.org before formal assessment, as requirement identifiers and level assignments evolve between versions.

What is OWASP ASVS

OWASP ASVS is a catalogue of application security requirements, organised into control domains (chapters), each containing groups of related requirements (sections/families), each of which contains individually numbered, testable verification requirements. Every requirement is a positive assertion that can be answered 'verified' or 'not verified' against a target application. The standard is deliberately framed as verification requirements rather than vulnerabilities: instead of saying 'the application must not be vulnerable to SQL injection', ASVS says 'verify that the application uses parameterised queries or equivalent for all database access', which is directly testable and buildable.

ASVS serves several distinct audiences with a single artefact. Architects use it as a security requirements baseline during design. Developers use it as a secure-coding specification. Security testers and penetration testers use it as a coverage checklist so their testing is comprehensive and repeatable. Procurement and vendor-risk teams use it to define the security bar in contracts and RFPs ('the delivered system shall meet ASVS Level 2'). Auditors and assurance providers use it as a maturity benchmark and evidence framework.

Three defining characteristics distinguish ASVS from other application security resources. First, it is levelled: requirements are assigned to Level 1, 2 or 3, so effort scales with application risk. Second, it is verifiable: each requirement is written so a competent tester can determine pass/fail with defined evidence. Third, it is holistic: it spans the full stack, from architecture and authentication through cryptography, error handling, malicious-code resistance, business logic, files, API security, configuration and, in newer editions, the software supply chain.

ASVS is complemented by companion OWASP projects: the OWASP Testing Guide (WSTG) provides the how-to test procedures, the Proactive Controls provide developer-friendly implementation guidance, the Cheat Sheet Series provides deep implementation detail per topic, and the Mobile Application Security Verification Standard (MASVS) provides the equivalent for mobile apps. CyberSigma typically deploys ASVS as the verification backbone and pulls in WSTG and the Cheat Sheets for execution.

Who must comply with (or should adopt) OWASP ASVS

ASVS is a voluntary standard: no law mandates it by name. However, a broad range of organisations adopt it either directly or because a regulator, customer or auditor requires 'a recognised secure development standard'. ASVS is the default choice for most application-centric organisations. The table below summarises who should adopt it and at which typical level.

Organisation / roleWhy ASVS appliesTypical target level
SaaS and product engineering companiesNeed a repeatable secure-build and verification bar across all releasesL2 baseline, L3 for security features
Financial services, fintech and paymentsHandle money movement and sensitive financial data; regulators expect secure SDLCL2 minimum, L3 for auth/crypto/transactions
Healthcare and health-techProcess sensitive health data under DPDP/HIPAA-equivalent regimesL2, L3 for records access
E-commerce and retail platformsProcess cardholder data; PCI DSS 6.x expects secure coding to a standardL2, with PCI-relevant flows at L3
Government and public-sector applicationsCitizen data and critical services demand high assuranceL2 to L3
Enterprises procuring softwareUse ASVS to define the security bar in RFPs and vendor contractsSpecify L2 as contractual minimum
Penetration testing and assurance firmsUse ASVS as a coverage rubric for consistent, comprehensive testingScope to the app's assigned level
Startups and MVP teamsEstablish security hygiene early without over-engineeringL1 baseline, plan for L2
API-first and microservice platformsNeed explicit API and machine-to-machine control coverageL2, plus API-specific requirements
Any team under ISO 27001 / SOC 2 / DPDPAuditors expect secure development controls; ASVS provides the evidenceL2 aligned to control objectives

In short: if you build or buy custom software that processes data of any sensitivity, ASVS applies to you. The only real decision is which verification level each application should target, driven by the data it handles and the impact of its compromise.

Structure of OWASP ASVS

ASVS is organised as a three-tier hierarchy: Chapters (control domains, historically numbered V1 to V14 in the v4 lineage) contain Sections (control families), which contain individual numbered Verification Requirements. Each requirement carries a level assignment (L1/L2/L3) and, in modern editions, a mapping to CWE. The v4.0.x structure comprises fourteen chapters; the v5.0 reorganisation consolidates and renames several chapters (for example splitting web frontend concerns, elevating self-contained tokens, and formalising secure communication and configuration), but the underlying control themes are stable. The table below presents the canonical v4 chapter set, which remains the most widely referenced mapping baseline, with notes on v5 evolution.

Chapter (v4)Control domainFocus / examplesv5 evolution note
V1Architecture, Design and Threat ModellingSecure SDLC, threat models, trust boundaries, design principlesIntegrated into design and secure-coding chapters
V2AuthenticationPasswords, MFA, credential storage, recovery, service authRetained as Authentication chapter
V3Session ManagementSession tokens, lifecycle, cookies, logout, re-authenticationSplit; self-contained tokens elevated
V4Access ControlAuthorisation, RBAC/ABAC, IDOR/BOLA, privilege enforcementRetained as Authorization
V5Validation, Sanitisation and EncodingInput validation, output encoding, injection defenceSplit across Validation/Encoding and Injection chapters
V6Stored CryptographyKey management, algorithms, secrets, data-at-rest encryptionRetained as Cryptography chapter
V7Error Handling and LoggingSecurity logging, log content controls, error leakageRetained as Logging chapter
V8Data ProtectionSensitive data handling, caching, client-side storage, privacyRetained as Data Protection
V9CommunicationTLS configuration, certificate validation, secure transportRetained as Secure Communication
V10Malicious CodeBackdoors, integrity of code, subresource integrity, deployed codeBroadened into supply-chain themes
V11Business LogicAnti-automation, sequencing, limits, business rule integrityRetained as Business Logic
V12Files and ResourcesUpload validation, path traversal, SSRF via files, downloadsRetained as File Handling
V13API and Web ServiceREST/GraphQL/SOAP security, auth, schema, rate limitingRetained as API and Web Service
V14ConfigurationDependency management, hardening, HTTP headers, secrets in configSplit into Configuration and Secure Installation

Alongside the chapters, ASVS defines three Verification Levels (detailed later) that determine which requirements apply. A requirement present at L1 also applies at L2 and L3 (levels are cumulative). The combination of chapter + level gives every application a precise, contractual security specification.

Master assessment checklist

This is the operational heart of the guide. Below, every ASVS control domain is enumerated with its constituent families. For each, the checklist states what a verifier must confirm and the typical evidence they should collect. Use this as both a build specification and an audit workpaper. Requirement identifiers below follow the v4 chapter numbering; map to your current release before formal sign-off.

V1 - Architecture, Design and Threat Modelling

What to verifyTypical evidence
A secure SDLC is defined with security requirements captured per componentSDLC policy, security requirements register, ASVS level assignment per app
Threat models exist for the application and are updated on significant changeThreat model documents (STRIDE/attack trees), review dates, updated diagrams
Trust boundaries and data flows are documented across all componentsData-flow diagrams, architecture diagrams marking trust zones
Security controls are centralised, reusable and not duplicated ad hocShared security library/framework references, control inventory
Authentication and access-control decisions are enforced server-sideDesign docs showing server-side enforcement, no client-only trust
Sensitive data is identified, classified and protection defined at design timeData classification matrix, data inventory, protection requirements
Segregation of tiers and least-privilege service accounts is designed inDeployment topology, service-account inventory, network segmentation design

V2 - Authentication

What to verifyTypical evidence
Passwords meet length/complexity policy and are checked against breach listsPassword policy config, breach-list integration (e.g. HIBP), screenshots
Credentials are stored using a strong adaptive hash (bcrypt/scrypt/Argon2/PBKDF2)Code review of hashing routine, algorithm/params, salt handling
Multi-factor authentication is available and enforced for sensitive roles/actionsMFA configuration, enrolment flow, enforcement policy, test evidence
Account lockout / rate limiting protects against credential brute forceRate-limit config, lockout thresholds, test logs of throttling
Credential recovery does not reveal account existence and uses secure tokensRecovery flow walkthrough, token entropy/expiry, enumeration test results
Default, shared and hard-coded credentials are absentSecret scan reports, code review, configuration review
Service/machine authentication uses secrets vaulting, not embedded keysVault references, absence of secrets in code, key rotation records
Session is established securely post-authentication with re-auth for sensitive opsTest evidence of step-up auth, session fixation checks

V3 - Session Management

What to verifyTypical evidence
Session tokens are generated with sufficient entropy by a trusted frameworkFramework/session config, token analysis, CSPRNG confirmation
Session cookies set Secure, HttpOnly and appropriate SameSite attributesHTTP response header captures, cookie configuration
Sessions expire after inactivity and absolute timeoutsTimeout configuration, test evidence of expiry behaviour
Logout fully invalidates the session server-sideTest of post-logout token reuse, session store review
Session identifiers are rotated on privilege change / re-authenticationFixation test evidence, code review of regeneration
Concurrent session handling and token binding are addressed where requiredSession policy, concurrent-login test evidence
Self-contained/stateless tokens (JWT) validate signature, expiry and audienceJWT validation code, alg confirmation (no 'none'), claim checks

V4 - Access Control

What to verifyTypical evidence
Access control is enforced at a trusted server-side layer on every requestCode/config showing central authorisation, request-level checks
The principle of least privilege applies to users, roles and servicesRole/permission matrix, entitlement review
Object-level authorisation prevents IDOR/BOLA on all direct object referencesTest evidence of horizontal access attempts, ownership checks in code
Function-level authorisation prevents privilege escalation to admin functionsVertical access test evidence, endpoint-to-role mapping
Access-control decisions default to deny (fail closed)Code review of default deny, negative test results
Multi-tenant isolation prevents cross-tenant data accessTenant-scoping tests, data-partitioning design
Administrative and sensitive functions require additional controlsAdmin access logs, step-up auth evidence, IP restriction config

V5 - Validation, Sanitisation and Encoding

What to verifyTypical evidence
Input is validated against positive allow-lists (type, length, range, format)Validation code/schema, rejection test evidence
Output is context-aware encoded to prevent XSS (HTML/JS/URL/CSS contexts)Encoding library usage, XSS test results, CSP configuration
Database access uses parameterised queries / ORM to prevent SQL injectionCode review of query construction, SQLi test evidence
OS command, LDAP, XPath and template injection defences are in placeInjection test coverage, safe-API usage evidence
Deserialisation of untrusted data is avoided or safely constrainedCode review, allow-list of deserialisable types, test evidence
File and content-type validation prevents malicious payloadsUpload validation rules, MIME/extension checks, scan results
Untrusted data in redirects, headers and hosts is validated (open redirect/SSRF)Redirect allow-list, SSRF test evidence, host header handling

V6 - Stored Cryptography

What to verifyTypical evidence
Approved, current algorithms and key lengths are used (no MD5/SHA1/DES/ECB)Crypto inventory, algorithm/key-size config, code review
Cryptographic keys are managed with defined generation, storage and rotationKey management policy, KMS/HSM/vault evidence, rotation logs
Secrets (keys, tokens, passwords) are never hard-coded or loggedSecret scanning reports, log review, vault integration
Sensitive data at rest is encrypted where required by policy/regulationEncryption-at-rest config, data classification mapping
Random values use a cryptographically secure generator (CSPRNG)Code review of RNG usage, no predictable seeds
Cryptographic modules and libraries are current and validatedDependency versions, FIPS/validated module evidence where applicable

V7 - Error Handling and Logging

What to verifyTypical evidence
Security-relevant events are logged (auth, access-control, input failures)Log samples, logging design, event catalogue
Logs exclude sensitive data (passwords, tokens, card/PII) or mask itLog content review, masking rules, redaction config
Errors are handled gracefully without leaking stack traces or internalsError-page tests, exception handling code, response captures
Logs are protected from tampering and forwarded to central SIEMLog integrity/WORM config, SIEM ingestion evidence, access controls
Log timestamps, identity and source are captured for forensicsLog schema, sample entries with who/what/when/where
Time synchronisation (NTP) ensures consistent, correlatable timestampsNTP configuration, time-sync monitoring

V8 - Data Protection

What to verifyTypical evidence
Sensitive data is classified and handled per its classificationData classification policy, data inventory, handling rules
Client-side caching of sensitive data is controlled (Cache-Control headers)Response header captures, no-store on sensitive pages
Sensitive data is not stored insecurely in browser storage/URLsClient-storage review, URL-parameter review, test evidence
Data retention and secure deletion honour policy and regulationRetention schedule, deletion/purge evidence, DPDP mapping
Personal data flows support privacy rights (access, erasure, minimisation)Privacy design docs, DSAR handling, data-minimisation evidence
Sensitive data is protected in memory and cleared after use where feasibleCode review, memory-handling evidence for high-assurance apps

V9 - Communication

What to verifyTypical evidence
All traffic uses TLS with modern versions and cipher suites (TLS 1.2+)TLS scan (SSL Labs), server config, protocol/cipher list
HTTP is redirected to HTTPS and HSTS is enforcedRedirect tests, HSTS header capture, preload status
Certificate validation is enforced for all outbound connectionsCode review of TLS clients, no disabled verification, pinning where required
Internal service-to-service communication is also encryptedService-mesh/mTLS config, internal TLS evidence
Weak/deprecated protocols and ciphers are disabledScan output showing SSLv3/TLS1.0/1.1 and weak ciphers disabled
Certificates are managed with monitored expiry and trusted CAsCert inventory, expiry monitoring, issuance records

V10 - Malicious Code

What to verifyTypical evidence
Code integrity controls prevent unauthorised code changes reaching productionSigned commits/artefacts, protected branches, deployment approvals
Third-party scripts use Subresource Integrity (SRI) where loaded from CDNsHTML/SRI attribute review, CSP for script sources
No backdoors, time bombs, hidden accounts or debug hooks exist in codeCode review, secret/anomaly scan, peer review records
Build and deployment pipeline is protected from tamperingCI/CD access controls, pipeline-as-code review, artefact provenance
Third-party and open-source components are inventoried and vettedSBOM, SCA scan reports, component approval process
Anti-tamper / integrity verification exists for deployed artefactsChecksums/signatures, runtime integrity checks where applicable

V11 - Business Logic

What to verifyTypical evidence
Business logic enforces expected sequence and cannot be bypassed out of orderWorkflow tests, state-machine review, out-of-sequence test results
Anti-automation controls protect high-value functions (CAPTCHA/rate limits)Rate-limit config, bot-protection evidence, abuse test results
Business limits (quantities, amounts, frequency) are enforced server-sideLimit configuration, boundary test evidence
Transactions are atomic and resistant to race conditions/double submissionConcurrency test evidence, idempotency keys, locking review
Logic cannot be manipulated via parameter tampering (prices, roles, totals)Tampering test evidence, server-side recomputation of values
Time-based and monetary logic resist manipulation and replayReplay test evidence, nonce/timestamp validation

V12 - Files and Resources

What to verifyTypical evidence
Uploaded files are validated by type, size and content, and stored safelyUpload validation rules, storage-location review, test evidence
Uploaded files cannot be executed on the server or served with wrong typeStorage config, content-type handling, execution test results
Path traversal is prevented for file read/write/download operationsCanonicalisation code review, traversal test evidence
File downloads enforce authorisation and prevent direct object accessAccess-control tests on file endpoints, signed-URL review
SSRF via file/URL fetching is prevented (allow-lists, no internal access)SSRF test evidence, egress allow-list, metadata-endpoint blocking
Uploaded content is scanned for malware where risk warrantsAV/scan integration evidence, quarantine handling

V13 - API and Web Service

What to verifyTypical evidence
APIs authenticate and authorise every request (no unauthenticated data leaks)API auth config, endpoint inventory, access tests per endpoint
REST/GraphQL/SOAP schemas are validated and reject unexpected inputSchema definitions, validation evidence, fuzzing results
Rate limiting and quotas protect APIs from abuse and DoSRate-limit/throttle config, test evidence, quota policy
Sensitive data is not over-exposed in responses (mass assignment/excess data)Response review, field-level filtering, mass-assignment tests
CORS is restrictively configured to trusted origins onlyCORS header capture, allowed-origin list review
GraphQL-specific controls limit query depth/complexity and introspectionGraphQL config, depth-limit evidence, introspection status
API versioning, deprecation and error responses avoid information leakageAPI docs, error-response review, version handling

V14 - Configuration

What to verifyTypical evidence
Dependencies are inventoried, current and free of known vulnerabilitiesSBOM, SCA scan reports, patch/update records
Build/deployment removes debug features, sample apps and default contentHardening checklist, production config, absence of debug endpoints
Security HTTP headers are set (CSP, X-Content-Type-Options, referrer policy)Header capture, CSP policy review, header-scan results
Secrets are externalised to a vault and not present in configuration/reposSecret scanning, vault integration, config review
Server and platform are hardened to a defined baselineCIS benchmark/hardening evidence, configuration scan results
Environments are segregated (dev/test/prod) with controlled promotionEnvironment topology, access controls, deployment approvals
Feature flags and admin interfaces are protected and not internet-exposedExposure scan, admin-interface access controls

Scoping an ASVS assessment

Scoping is the single most important determinant of an ASVS engagement's value. Getting it right ensures effort is proportionate to risk; getting it wrong either wastes budget on low-risk assets or leaves critical flows unverified. Scoping proceeds along three axes: which applications, which components and which verification level.

First, define the application boundary. An ASVS 'application' includes its web/API frontends, backend services, databases, message queues, third-party integrations and the deployment configuration that binds them. Clearly document trust boundaries, data flows, authentication surfaces and where sensitive data is processed or stored. Micro-frontends and microservices should each be attributed to the application scope so no service is orphaned.

Second, select the verification level per application based on the data it handles and the impact of compromise. Applications handling only public or low-value data may target L1; applications processing personal data, financial transactions or B2B data typically target L2; applications where compromise causes serious harm (payments core, healthcare records, critical infrastructure, identity providers) target L3. It is common and sensible to run an application at L2 overall while elevating specific high-risk flows (authentication, cryptography, payment) to L3 requirements.

Third, define what is in and out of scope for testing. Third-party SaaS components you consume but do not control are typically covered by vendor assurance rather than direct ASVS testing, though their integration points remain in scope. Legacy systems scheduled for decommission may be risk-accepted. Document all exclusions with justification so the resulting attestation is honest and defensible.

Scoping tip
Assign the ASVS level during design, not at test time. When developers know from the first sprint that the payment service must meet L3 authentication and cryptography requirements, they build to that bar. Retrofitting L3 controls after the fact is dramatically more expensive and disruptive.

Implementation approach (phased)

CyberSigma implements ASVS as a programme, not a one-off audit. The following five phases move an organisation from ad hoc security to repeatable, level-verified assurance embedded in the SDLC.

Phase 1 - Baseline and level assignment

Establish where you stand and what each application must achieve.

  • Activities: inventory applications and services; classify data handled; assign an ASVS level to each application; perform a rapid gap self-assessment against the assigned level; identify quick wins and critical gaps.
  • Deliverables: application inventory with level assignments, data classification matrix, initial gap register, prioritised remediation backlog.

Phase 2 - Requirements integration

Embed ASVS into how software is specified and built.

  • Activities: translate the assigned-level requirements into engineering standards, definition-of-done criteria and security user stories; add ASVS-aligned checks to code review and design review; select supporting tooling (SAST, DAST, SCA, secret scanning).
  • Deliverables: ASVS-derived secure-coding standard, security requirement templates, updated definition of done, tooling integrated into the pipeline.

Phase 3 - Remediation and control build-out

Close the gaps identified in the baseline.

  • Activities: remediate prioritised gaps by domain (authentication, access control, crypto, input handling); implement centralised, reusable security controls; harden configuration and dependencies; establish threat modelling for high-risk apps.
  • Deliverables: remediated controls with evidence, shared security library/framework, threat models, hardened baselines.

Phase 4 - Verification and testing

Prove each requirement is met at the assigned level.

  • Activities: execute manual and automated verification per the master checklist; run penetration testing scoped to the ASVS level; validate control effectiveness; record pass/fail per requirement with evidence.
  • Deliverables: completed ASVS verification workbook, penetration test report, evidence pack, residual-risk register.

Phase 5 - Continuous assurance

Sustain the level across future releases.

  • Activities: gate releases on ASVS checks in CI/CD; re-verify on significant change; track metrics; schedule periodic reassessment and threat-model refresh; feed findings back into standards.
  • Deliverables: automated ASVS gates, KPI dashboard, reassessment schedule, continuous-improvement loop.

Verification levels (ASVS scoring model)

ASVS defines three cumulative verification levels. Each higher level includes all requirements of the levels below it, plus additional, more rigorous controls. The level chosen expresses the assurance an application requires and is the primary 'score' in ASVS: an application is verified as meeting L1, L2 or L3 (fully) for its declared scope.

LevelName / assuranceApplies toTypical verification depth
Level 1Opportunistic / minimumLow-assurance apps; public or low-sensitivity data; MVPsFully testable via automated and light manual testing; the floor for all apps
Level 2Standard / recommended defaultApps handling personal, financial or B2B data; most business applicationsManual verification plus tooling; the recommended baseline for the majority of applications
Level 3Advanced / high assuranceCritical apps: payments, healthcare, identity, critical infrastructureDeep manual verification, threat-model-driven, comprehensive evidence

Because levels are cumulative, an L3 verification means every L1, L2 and L3 requirement in scope is met. Partial results are reported per requirement (verified / not verified / not applicable) so stakeholders see exactly which controls pass. CyberSigma reports both the headline level achievement and a domain-by-domain pass rate so remediation can be targeted.

Reporting dimensionWhat it capturesUse
Level achievedHighest fully-met level for the declared scopeHeadline assurance statement / attestation
Per-domain pass ratePercentage of requirements met per chapterTargeting remediation, trend tracking
Not-applicable justificationRequirements excluded with rationaleEnsuring exclusions are defensible
Residual riskAccepted gaps with owner and timelineRisk governance and sign-off

Assessment and audit approach

A rigorous ASVS assessment blends documentation review, configuration analysis, code review, dynamic testing and penetration testing. CyberSigma follows a structured, repeatable methodology so results are consistent and defensible.

  1. Confirm scope and level: agree the application boundary, components and target ASVS level with stakeholders; document trust boundaries and data flows.
  2. Gather documentation: collect architecture diagrams, threat models, policies, prior test reports and the requirement/level assignment.
  3. Prepare the verification workbook: instantiate the applicable requirements for the assigned level as a pass/fail workbook with evidence fields.
  4. Perform static verification: review source code, configuration and dependencies against relevant requirements (auth, crypto, input handling, config).
  5. Perform dynamic verification: exercise the running application, capturing headers, session behaviour, access-control responses and error handling.
  6. Conduct penetration testing: attempt to breach controls (IDOR/BOLA, injection, auth bypass, SSRF, business-logic abuse) scoped to the level.
  7. Record results per requirement: mark each verified / not verified / not applicable with supporting evidence and severity for gaps.
  8. Validate and retest: confirm findings with the team, retest remediated items, and finalise the residual-risk register.
  9. Report and attest: issue the ASVS verification report stating level achievement, per-domain pass rates, evidence and remediation roadmap.
  10. Schedule reassessment: define triggers (major release, architecture change) and a periodic cadence for re-verification.

Evidence request list

The following categorised evidence list supports an ASVS assessment. Provide current, production-representative artefacts; screenshots and configuration exports should be dated and attributable.

Governance and design

  • Secure SDLC policy and secure-coding standard
  • Application inventory with assigned ASVS levels
  • Data classification matrix and data inventory
  • Threat models and architecture / data-flow diagrams
  • Prior penetration test and assessment reports

Authentication, session and access control

  • Password policy and credential-hashing implementation details
  • MFA configuration and enforcement policy
  • Session and cookie configuration (timeouts, flags)
  • Role/permission matrix and entitlement review evidence
  • Access-control test results (IDOR/BOLA, privilege escalation)

Cryptography and data protection

  • Cryptographic algorithm and key-length inventory
  • Key management policy and KMS/HSM/vault evidence
  • Encryption-at-rest and in-transit configuration
  • Data retention and secure-deletion evidence
  • Privacy / DSAR handling evidence

Input handling, files and APIs

  • Input validation and output encoding code samples
  • SQL/command/deserialisation defence evidence
  • File upload/download validation and storage configuration
  • API authentication, schema validation and rate-limiting configuration
  • CORS and security-header configuration

Configuration, logging and supply chain

  • SBOM and SCA scan reports
  • Hardening baselines (CIS) and configuration scans
  • Secret scanning results and vault integration
  • Security event logging design and SIEM ingestion evidence
  • CI/CD access controls and artefact provenance

Roles and responsibilities

Successful ASVS adoption depends on clear ownership across engineering, security and governance. The RACI below reflects a typical operating model.

RolePrimary responsibilitiesRACI on ASVS programme
CISO / Head of SecurityOwns the ASVS mandate, level policy and risk acceptanceAccountable
Application Security teamDefines requirements, runs verification and testingResponsible
Development / Engineering leadsBuild to ASVS requirements; embed in definition of doneResponsible
ArchitectsAssign levels, produce threat models, design controlsResponsible
DevOps / Platform teamImplement pipeline gates, hardening, secrets managementResponsible
Product ownersPrioritise security stories; accept residual risk at feature levelConsulted
QA / Test engineeringIntegrate ASVS test cases into functional testingConsulted
Compliance / GRCMap ASVS to regulatory obligations; maintain evidenceConsulted
Internal auditIndependently assures programme effectivenessInformed
Vendor / third-party providersMeet contractual ASVS level for delivered componentsResponsible (for their scope)

KPIs to track

  • Percentage of applications with an assigned ASVS level and completed verification
  • Per-domain ASVS pass rate (e.g. authentication, access control, cryptography) and trend over time
  • Number of applications meeting their target level fully versus partially
  • Mean time to remediate ASVS gaps by severity
  • Percentage of releases passing automated ASVS pipeline gates
  • Number of open critical/high ASVS findings and their ageing
  • Coverage of threat modelling across L2/L3 applications
  • Dependency vulnerability exposure (known-vulnerable components) and time to patch
  • Percentage of high-risk flows elevated to and verified at L3
  • Re-verification currency (percentage of apps re-verified within policy cadence)

Readiness checklist

  • Every application has a documented, risk-based ASVS level assignment
  • Data classification is complete and drives protection requirements
  • Threat models exist and are current for all L2/L3 applications
  • ASVS requirements are embedded in the secure-coding standard and definition of done
  • Authentication uses strong credential storage, MFA and anti-brute-force controls
  • Access control is server-side, least-privilege and tested for IDOR/BOLA
  • Input validation, output encoding and parameterised queries are enforced
  • Cryptography uses approved algorithms with managed keys and no hard-coded secrets
  • All traffic uses TLS 1.2+ with HSTS and validated certificates
  • Security events are logged, sensitive data masked, and forwarded to a SIEM
  • Dependencies are inventoried (SBOM), scanned (SCA) and kept current
  • Security headers, hardening baselines and environment segregation are in place
  • CI/CD pipelines enforce ASVS gates and protect build integrity
  • A verification workbook records pass/fail per requirement with evidence
  • A residual-risk register with owners and timelines is maintained and approved

Common gaps

  • Treating ASVS as a one-off penetration test rather than a build-time requirements baseline, so gaps recur every release
  • Assigning no explicit level, leaving developers guessing how much security is 'enough'
  • Client-side-only access-control enforcement, leaving IDOR/BOLA and privilege escalation exploitable server-side
  • Weak or legacy credential storage (unsalted or fast hashes) and absent MFA on sensitive roles
  • Hard-coded secrets and API keys committed to repositories or embedded in configuration
  • Deprecated TLS/ciphers still enabled and missing HSTS or certificate validation on outbound calls
  • Verbose error messages and stack traces leaking internal detail to users
  • No SBOM and unmanaged third-party dependencies with known vulnerabilities
  • Missing security logging or logs containing sensitive data with no SIEM forwarding
  • Business-logic abuse (parameter tampering, race conditions, missing rate limits) untested by tooling and overlooked
  • CORS misconfiguration (wildcard origins) and missing security headers
  • Threat modelling skipped for high-risk applications, so design-level flaws go undetected

OWASP ASVS mapped to other frameworks

ASVS is complementary to governance and compliance frameworks: it provides the technical, testable application-layer controls those frameworks assume but rarely specify. The table maps ASVS to adjacent standards so a single ASVS verification can service multiple obligations.

FrameworkHow ASVS supports itPrimary linkage
OWASP Top 10ASVS requirements provide the verifiable controls that prevent each Top 10 risk categoryTop 10 = awareness; ASVS = verification
ISO/IEC 27001Supports secure development and system acquisition controls (A.8/A.14 lineage)Secure development lifecycle controls
PCI DSSEvidences secure coding and application security testing requirements (Req 6)Requirement 6 secure development
SOC 2 (Trust Services)Provides technical evidence for the Security/Processing Integrity criteriaCommon Criteria control evidence
NIST SSDF (SP 800-218)Supplies concrete verification tasks for produce/verify secure software practicesPW and RV practice families
DPDP Act / GDPRUnderpins data protection, minimisation and security-of-processing obligationsTechnical safeguards for personal data
OWASP WSTGWSTG provides test procedures that execute ASVS verification requirementsTesting methodology pairing
OWASP MASVSMobile equivalent of ASVS for mobile application verificationSibling standard for mobile
CWEEach ASVS requirement maps to CWE weakness identifiersWeakness-to-control traceability
NIST 800-53Application controls support SA and SI control familiesSystem and services acquisition/integrity
How CyberSigma helps
CyberSigma operationalises OWASP ASVS end to end. Our CERT-In empanelled and PCI QSA assessors assign the right verification level to each of your applications, translate ASVS into engineering-ready secure-coding standards and definition-of-done criteria, and stand up threat modelling for your high-risk services. We integrate SAST, DAST, SCA and secret scanning into your CI/CD so ASVS becomes an automated release gate rather than an annual scramble. Our verification engagements produce an auditor-grade workbook with pass/fail per requirement, evidence and a prioritised remediation roadmap, plus penetration testing scoped precisely to your target level. Because we map ASVS to PCI DSS, ISO 27001, SOC 2, DPDP and the NIST SSDF, a single ASVS programme services multiple compliance obligations at once. Talk to CyberSigma to move from opportunistic security to level-verified, continuously assured applications.

Frequently asked questions

ASVS vs OWASP Top 10 — which do I use?
Use the Top 10 for awareness and quick risk scoping, and ASVS for detailed, testable verification requirements when building or assuring an application.
Official documents

Need help with OWASP ASVS?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.