Introduction: The OWASP Application Security Verification Standard
The OWASP Application Security Verification Standard (ASVS) is the industry's most widely adopted open framework for specifying, building, verifying and procuring secure web applications and web services. Unlike prescriptive tick-box regulations, ASVS is a technical control catalogue that answers a deceptively simple question: 'How much security does this application actually need, and how do I prove it has been achieved?' It provides a graduated hierarchy of testable requirements that engineering teams, penetration testers, procurement officers and auditors can all rally around a shared, unambiguous definition of what 'secure enough' means for a given application.
For CyberSigma clients, ASVS is invaluable because it is simultaneously a design specification, a secure-coding contract, a functional test plan and a penetration-testing rubric. Where compliance mandates such as PCI DSS, DPDP, ISO 27001 or SOC 2 tell you that applications must be 'secure', they rarely tell your developers precisely which authentication, session, access-control, cryptographic and input-validation controls to implement. ASVS closes that gap. It converts abstract governance obligations into concrete, verifiable engineering requirements that can be embedded into user stories, code review gates, CI/CD pipelines and third-party assurance reports.
This guide provides an auditor-grade deep dive into ASVS: its structure, its verification levels, every control domain, a master assessment checklist mapping each family to what a verifier must confirm and the evidence they should expect, plus a phased implementation approach, scoping guidance, audit methodology, evidence request lists, RACI, KPIs and mappings to adjacent frameworks. It reflects the modernised ASVS structure (v4.0.3 lineage through the v5.0 reorganisation) and is written for teams that must both build to ASVS and be assessed against it.
What is OWASP ASVS
OWASP ASVS is a catalogue of application security requirements, organised into control domains (chapters), each containing groups of related requirements (sections/families), each of which contains individually numbered, testable verification requirements. Every requirement is a positive assertion that can be answered 'verified' or 'not verified' against a target application. The standard is deliberately framed as verification requirements rather than vulnerabilities: instead of saying 'the application must not be vulnerable to SQL injection', ASVS says 'verify that the application uses parameterised queries or equivalent for all database access', which is directly testable and buildable.
ASVS serves several distinct audiences with a single artefact. Architects use it as a security requirements baseline during design. Developers use it as a secure-coding specification. Security testers and penetration testers use it as a coverage checklist so their testing is comprehensive and repeatable. Procurement and vendor-risk teams use it to define the security bar in contracts and RFPs ('the delivered system shall meet ASVS Level 2'). Auditors and assurance providers use it as a maturity benchmark and evidence framework.
Three defining characteristics distinguish ASVS from other application security resources. First, it is levelled: requirements are assigned to Level 1, 2 or 3, so effort scales with application risk. Second, it is verifiable: each requirement is written so a competent tester can determine pass/fail with defined evidence. Third, it is holistic: it spans the full stack, from architecture and authentication through cryptography, error handling, malicious-code resistance, business logic, files, API security, configuration and, in newer editions, the software supply chain.
ASVS is complemented by companion OWASP projects: the OWASP Testing Guide (WSTG) provides the how-to test procedures, the Proactive Controls provide developer-friendly implementation guidance, the Cheat Sheet Series provides deep implementation detail per topic, and the Mobile Application Security Verification Standard (MASVS) provides the equivalent for mobile apps. CyberSigma typically deploys ASVS as the verification backbone and pulls in WSTG and the Cheat Sheets for execution.
Who must comply with (or should adopt) OWASP ASVS
ASVS is a voluntary standard: no law mandates it by name. However, a broad range of organisations adopt it either directly or because a regulator, customer or auditor requires 'a recognised secure development standard'. ASVS is the default choice for most application-centric organisations. The table below summarises who should adopt it and at which typical level.
| Organisation / role | Why ASVS applies | Typical target level |
|---|---|---|
| SaaS and product engineering companies | Need a repeatable secure-build and verification bar across all releases | L2 baseline, L3 for security features |
| Financial services, fintech and payments | Handle money movement and sensitive financial data; regulators expect secure SDLC | L2 minimum, L3 for auth/crypto/transactions |
| Healthcare and health-tech | Process sensitive health data under DPDP/HIPAA-equivalent regimes | L2, L3 for records access |
| E-commerce and retail platforms | Process cardholder data; PCI DSS 6.x expects secure coding to a standard | L2, with PCI-relevant flows at L3 |
| Government and public-sector applications | Citizen data and critical services demand high assurance | L2 to L3 |
| Enterprises procuring software | Use ASVS to define the security bar in RFPs and vendor contracts | Specify L2 as contractual minimum |
| Penetration testing and assurance firms | Use ASVS as a coverage rubric for consistent, comprehensive testing | Scope to the app's assigned level |
| Startups and MVP teams | Establish security hygiene early without over-engineering | L1 baseline, plan for L2 |
| API-first and microservice platforms | Need explicit API and machine-to-machine control coverage | L2, plus API-specific requirements |
| Any team under ISO 27001 / SOC 2 / DPDP | Auditors expect secure development controls; ASVS provides the evidence | L2 aligned to control objectives |
In short: if you build or buy custom software that processes data of any sensitivity, ASVS applies to you. The only real decision is which verification level each application should target, driven by the data it handles and the impact of its compromise.
Structure of OWASP ASVS
ASVS is organised as a three-tier hierarchy: Chapters (control domains, historically numbered V1 to V14 in the v4 lineage) contain Sections (control families), which contain individual numbered Verification Requirements. Each requirement carries a level assignment (L1/L2/L3) and, in modern editions, a mapping to CWE. The v4.0.x structure comprises fourteen chapters; the v5.0 reorganisation consolidates and renames several chapters (for example splitting web frontend concerns, elevating self-contained tokens, and formalising secure communication and configuration), but the underlying control themes are stable. The table below presents the canonical v4 chapter set, which remains the most widely referenced mapping baseline, with notes on v5 evolution.
| Chapter (v4) | Control domain | Focus / examples | v5 evolution note |
|---|---|---|---|
| V1 | Architecture, Design and Threat Modelling | Secure SDLC, threat models, trust boundaries, design principles | Integrated into design and secure-coding chapters |
| V2 | Authentication | Passwords, MFA, credential storage, recovery, service auth | Retained as Authentication chapter |
| V3 | Session Management | Session tokens, lifecycle, cookies, logout, re-authentication | Split; self-contained tokens elevated |
| V4 | Access Control | Authorisation, RBAC/ABAC, IDOR/BOLA, privilege enforcement | Retained as Authorization |
| V5 | Validation, Sanitisation and Encoding | Input validation, output encoding, injection defence | Split across Validation/Encoding and Injection chapters |
| V6 | Stored Cryptography | Key management, algorithms, secrets, data-at-rest encryption | Retained as Cryptography chapter |
| V7 | Error Handling and Logging | Security logging, log content controls, error leakage | Retained as Logging chapter |
| V8 | Data Protection | Sensitive data handling, caching, client-side storage, privacy | Retained as Data Protection |
| V9 | Communication | TLS configuration, certificate validation, secure transport | Retained as Secure Communication |
| V10 | Malicious Code | Backdoors, integrity of code, subresource integrity, deployed code | Broadened into supply-chain themes |
| V11 | Business Logic | Anti-automation, sequencing, limits, business rule integrity | Retained as Business Logic |
| V12 | Files and Resources | Upload validation, path traversal, SSRF via files, downloads | Retained as File Handling |
| V13 | API and Web Service | REST/GraphQL/SOAP security, auth, schema, rate limiting | Retained as API and Web Service |
| V14 | Configuration | Dependency management, hardening, HTTP headers, secrets in config | Split into Configuration and Secure Installation |
Alongside the chapters, ASVS defines three Verification Levels (detailed later) that determine which requirements apply. A requirement present at L1 also applies at L2 and L3 (levels are cumulative). The combination of chapter + level gives every application a precise, contractual security specification.
Master assessment checklist
This is the operational heart of the guide. Below, every ASVS control domain is enumerated with its constituent families. For each, the checklist states what a verifier must confirm and the typical evidence they should collect. Use this as both a build specification and an audit workpaper. Requirement identifiers below follow the v4 chapter numbering; map to your current release before formal sign-off.
V1 - Architecture, Design and Threat Modelling
| What to verify | Typical evidence |
|---|---|
| A secure SDLC is defined with security requirements captured per component | SDLC policy, security requirements register, ASVS level assignment per app |
| Threat models exist for the application and are updated on significant change | Threat model documents (STRIDE/attack trees), review dates, updated diagrams |
| Trust boundaries and data flows are documented across all components | Data-flow diagrams, architecture diagrams marking trust zones |
| Security controls are centralised, reusable and not duplicated ad hoc | Shared security library/framework references, control inventory |
| Authentication and access-control decisions are enforced server-side | Design docs showing server-side enforcement, no client-only trust |
| Sensitive data is identified, classified and protection defined at design time | Data classification matrix, data inventory, protection requirements |
| Segregation of tiers and least-privilege service accounts is designed in | Deployment topology, service-account inventory, network segmentation design |
V2 - Authentication
| What to verify | Typical evidence |
|---|---|
| Passwords meet length/complexity policy and are checked against breach lists | Password policy config, breach-list integration (e.g. HIBP), screenshots |
| Credentials are stored using a strong adaptive hash (bcrypt/scrypt/Argon2/PBKDF2) | Code review of hashing routine, algorithm/params, salt handling |
| Multi-factor authentication is available and enforced for sensitive roles/actions | MFA configuration, enrolment flow, enforcement policy, test evidence |
| Account lockout / rate limiting protects against credential brute force | Rate-limit config, lockout thresholds, test logs of throttling |
| Credential recovery does not reveal account existence and uses secure tokens | Recovery flow walkthrough, token entropy/expiry, enumeration test results |
| Default, shared and hard-coded credentials are absent | Secret scan reports, code review, configuration review |
| Service/machine authentication uses secrets vaulting, not embedded keys | Vault references, absence of secrets in code, key rotation records |
| Session is established securely post-authentication with re-auth for sensitive ops | Test evidence of step-up auth, session fixation checks |
V3 - Session Management
| What to verify | Typical evidence |
|---|---|
| Session tokens are generated with sufficient entropy by a trusted framework | Framework/session config, token analysis, CSPRNG confirmation |
| Session cookies set Secure, HttpOnly and appropriate SameSite attributes | HTTP response header captures, cookie configuration |
| Sessions expire after inactivity and absolute timeouts | Timeout configuration, test evidence of expiry behaviour |
| Logout fully invalidates the session server-side | Test of post-logout token reuse, session store review |
| Session identifiers are rotated on privilege change / re-authentication | Fixation test evidence, code review of regeneration |
| Concurrent session handling and token binding are addressed where required | Session policy, concurrent-login test evidence |
| Self-contained/stateless tokens (JWT) validate signature, expiry and audience | JWT validation code, alg confirmation (no 'none'), claim checks |
V4 - Access Control
| What to verify | Typical evidence |
|---|---|
| Access control is enforced at a trusted server-side layer on every request | Code/config showing central authorisation, request-level checks |
| The principle of least privilege applies to users, roles and services | Role/permission matrix, entitlement review |
| Object-level authorisation prevents IDOR/BOLA on all direct object references | Test evidence of horizontal access attempts, ownership checks in code |
| Function-level authorisation prevents privilege escalation to admin functions | Vertical access test evidence, endpoint-to-role mapping |
| Access-control decisions default to deny (fail closed) | Code review of default deny, negative test results |
| Multi-tenant isolation prevents cross-tenant data access | Tenant-scoping tests, data-partitioning design |
| Administrative and sensitive functions require additional controls | Admin access logs, step-up auth evidence, IP restriction config |
V5 - Validation, Sanitisation and Encoding
| What to verify | Typical evidence |
|---|---|
| Input is validated against positive allow-lists (type, length, range, format) | Validation code/schema, rejection test evidence |
| Output is context-aware encoded to prevent XSS (HTML/JS/URL/CSS contexts) | Encoding library usage, XSS test results, CSP configuration |
| Database access uses parameterised queries / ORM to prevent SQL injection | Code review of query construction, SQLi test evidence |
| OS command, LDAP, XPath and template injection defences are in place | Injection test coverage, safe-API usage evidence |
| Deserialisation of untrusted data is avoided or safely constrained | Code review, allow-list of deserialisable types, test evidence |
| File and content-type validation prevents malicious payloads | Upload validation rules, MIME/extension checks, scan results |
| Untrusted data in redirects, headers and hosts is validated (open redirect/SSRF) | Redirect allow-list, SSRF test evidence, host header handling |
V6 - Stored Cryptography
| What to verify | Typical evidence |
|---|---|
| Approved, current algorithms and key lengths are used (no MD5/SHA1/DES/ECB) | Crypto inventory, algorithm/key-size config, code review |
| Cryptographic keys are managed with defined generation, storage and rotation | Key management policy, KMS/HSM/vault evidence, rotation logs |
| Secrets (keys, tokens, passwords) are never hard-coded or logged | Secret scanning reports, log review, vault integration |
| Sensitive data at rest is encrypted where required by policy/regulation | Encryption-at-rest config, data classification mapping |
| Random values use a cryptographically secure generator (CSPRNG) | Code review of RNG usage, no predictable seeds |
| Cryptographic modules and libraries are current and validated | Dependency versions, FIPS/validated module evidence where applicable |
V7 - Error Handling and Logging
| What to verify | Typical evidence |
|---|---|
| Security-relevant events are logged (auth, access-control, input failures) | Log samples, logging design, event catalogue |
| Logs exclude sensitive data (passwords, tokens, card/PII) or mask it | Log content review, masking rules, redaction config |
| Errors are handled gracefully without leaking stack traces or internals | Error-page tests, exception handling code, response captures |
| Logs are protected from tampering and forwarded to central SIEM | Log integrity/WORM config, SIEM ingestion evidence, access controls |
| Log timestamps, identity and source are captured for forensics | Log schema, sample entries with who/what/when/where |
| Time synchronisation (NTP) ensures consistent, correlatable timestamps | NTP configuration, time-sync monitoring |
V8 - Data Protection
| What to verify | Typical evidence |
|---|---|
| Sensitive data is classified and handled per its classification | Data classification policy, data inventory, handling rules |
| Client-side caching of sensitive data is controlled (Cache-Control headers) | Response header captures, no-store on sensitive pages |
| Sensitive data is not stored insecurely in browser storage/URLs | Client-storage review, URL-parameter review, test evidence |
| Data retention and secure deletion honour policy and regulation | Retention schedule, deletion/purge evidence, DPDP mapping |
| Personal data flows support privacy rights (access, erasure, minimisation) | Privacy design docs, DSAR handling, data-minimisation evidence |
| Sensitive data is protected in memory and cleared after use where feasible | Code review, memory-handling evidence for high-assurance apps |
V9 - Communication
| What to verify | Typical evidence |
|---|---|
| All traffic uses TLS with modern versions and cipher suites (TLS 1.2+) | TLS scan (SSL Labs), server config, protocol/cipher list |
| HTTP is redirected to HTTPS and HSTS is enforced | Redirect tests, HSTS header capture, preload status |
| Certificate validation is enforced for all outbound connections | Code review of TLS clients, no disabled verification, pinning where required |
| Internal service-to-service communication is also encrypted | Service-mesh/mTLS config, internal TLS evidence |
| Weak/deprecated protocols and ciphers are disabled | Scan output showing SSLv3/TLS1.0/1.1 and weak ciphers disabled |
| Certificates are managed with monitored expiry and trusted CAs | Cert inventory, expiry monitoring, issuance records |
V10 - Malicious Code
| What to verify | Typical evidence |
|---|---|
| Code integrity controls prevent unauthorised code changes reaching production | Signed commits/artefacts, protected branches, deployment approvals |
| Third-party scripts use Subresource Integrity (SRI) where loaded from CDNs | HTML/SRI attribute review, CSP for script sources |
| No backdoors, time bombs, hidden accounts or debug hooks exist in code | Code review, secret/anomaly scan, peer review records |
| Build and deployment pipeline is protected from tampering | CI/CD access controls, pipeline-as-code review, artefact provenance |
| Third-party and open-source components are inventoried and vetted | SBOM, SCA scan reports, component approval process |
| Anti-tamper / integrity verification exists for deployed artefacts | Checksums/signatures, runtime integrity checks where applicable |
V11 - Business Logic
| What to verify | Typical evidence |
|---|---|
| Business logic enforces expected sequence and cannot be bypassed out of order | Workflow tests, state-machine review, out-of-sequence test results |
| Anti-automation controls protect high-value functions (CAPTCHA/rate limits) | Rate-limit config, bot-protection evidence, abuse test results |
| Business limits (quantities, amounts, frequency) are enforced server-side | Limit configuration, boundary test evidence |
| Transactions are atomic and resistant to race conditions/double submission | Concurrency test evidence, idempotency keys, locking review |
| Logic cannot be manipulated via parameter tampering (prices, roles, totals) | Tampering test evidence, server-side recomputation of values |
| Time-based and monetary logic resist manipulation and replay | Replay test evidence, nonce/timestamp validation |
V12 - Files and Resources
| What to verify | Typical evidence |
|---|---|
| Uploaded files are validated by type, size and content, and stored safely | Upload validation rules, storage-location review, test evidence |
| Uploaded files cannot be executed on the server or served with wrong type | Storage config, content-type handling, execution test results |
| Path traversal is prevented for file read/write/download operations | Canonicalisation code review, traversal test evidence |
| File downloads enforce authorisation and prevent direct object access | Access-control tests on file endpoints, signed-URL review |
| SSRF via file/URL fetching is prevented (allow-lists, no internal access) | SSRF test evidence, egress allow-list, metadata-endpoint blocking |
| Uploaded content is scanned for malware where risk warrants | AV/scan integration evidence, quarantine handling |
V13 - API and Web Service
| What to verify | Typical evidence |
|---|---|
| APIs authenticate and authorise every request (no unauthenticated data leaks) | API auth config, endpoint inventory, access tests per endpoint |
| REST/GraphQL/SOAP schemas are validated and reject unexpected input | Schema definitions, validation evidence, fuzzing results |
| Rate limiting and quotas protect APIs from abuse and DoS | Rate-limit/throttle config, test evidence, quota policy |
| Sensitive data is not over-exposed in responses (mass assignment/excess data) | Response review, field-level filtering, mass-assignment tests |
| CORS is restrictively configured to trusted origins only | CORS header capture, allowed-origin list review |
| GraphQL-specific controls limit query depth/complexity and introspection | GraphQL config, depth-limit evidence, introspection status |
| API versioning, deprecation and error responses avoid information leakage | API docs, error-response review, version handling |
V14 - Configuration
| What to verify | Typical evidence |
|---|---|
| Dependencies are inventoried, current and free of known vulnerabilities | SBOM, SCA scan reports, patch/update records |
| Build/deployment removes debug features, sample apps and default content | Hardening checklist, production config, absence of debug endpoints |
| Security HTTP headers are set (CSP, X-Content-Type-Options, referrer policy) | Header capture, CSP policy review, header-scan results |
| Secrets are externalised to a vault and not present in configuration/repos | Secret scanning, vault integration, config review |
| Server and platform are hardened to a defined baseline | CIS benchmark/hardening evidence, configuration scan results |
| Environments are segregated (dev/test/prod) with controlled promotion | Environment topology, access controls, deployment approvals |
| Feature flags and admin interfaces are protected and not internet-exposed | Exposure scan, admin-interface access controls |
Scoping an ASVS assessment
Scoping is the single most important determinant of an ASVS engagement's value. Getting it right ensures effort is proportionate to risk; getting it wrong either wastes budget on low-risk assets or leaves critical flows unverified. Scoping proceeds along three axes: which applications, which components and which verification level.
First, define the application boundary. An ASVS 'application' includes its web/API frontends, backend services, databases, message queues, third-party integrations and the deployment configuration that binds them. Clearly document trust boundaries, data flows, authentication surfaces and where sensitive data is processed or stored. Micro-frontends and microservices should each be attributed to the application scope so no service is orphaned.
Second, select the verification level per application based on the data it handles and the impact of compromise. Applications handling only public or low-value data may target L1; applications processing personal data, financial transactions or B2B data typically target L2; applications where compromise causes serious harm (payments core, healthcare records, critical infrastructure, identity providers) target L3. It is common and sensible to run an application at L2 overall while elevating specific high-risk flows (authentication, cryptography, payment) to L3 requirements.
Third, define what is in and out of scope for testing. Third-party SaaS components you consume but do not control are typically covered by vendor assurance rather than direct ASVS testing, though their integration points remain in scope. Legacy systems scheduled for decommission may be risk-accepted. Document all exclusions with justification so the resulting attestation is honest and defensible.
Implementation approach (phased)
CyberSigma implements ASVS as a programme, not a one-off audit. The following five phases move an organisation from ad hoc security to repeatable, level-verified assurance embedded in the SDLC.
Phase 1 - Baseline and level assignment
Establish where you stand and what each application must achieve.
- Activities: inventory applications and services; classify data handled; assign an ASVS level to each application; perform a rapid gap self-assessment against the assigned level; identify quick wins and critical gaps.
- Deliverables: application inventory with level assignments, data classification matrix, initial gap register, prioritised remediation backlog.
Phase 2 - Requirements integration
Embed ASVS into how software is specified and built.
- Activities: translate the assigned-level requirements into engineering standards, definition-of-done criteria and security user stories; add ASVS-aligned checks to code review and design review; select supporting tooling (SAST, DAST, SCA, secret scanning).
- Deliverables: ASVS-derived secure-coding standard, security requirement templates, updated definition of done, tooling integrated into the pipeline.
Phase 3 - Remediation and control build-out
Close the gaps identified in the baseline.
- Activities: remediate prioritised gaps by domain (authentication, access control, crypto, input handling); implement centralised, reusable security controls; harden configuration and dependencies; establish threat modelling for high-risk apps.
- Deliverables: remediated controls with evidence, shared security library/framework, threat models, hardened baselines.
Phase 4 - Verification and testing
Prove each requirement is met at the assigned level.
- Activities: execute manual and automated verification per the master checklist; run penetration testing scoped to the ASVS level; validate control effectiveness; record pass/fail per requirement with evidence.
- Deliverables: completed ASVS verification workbook, penetration test report, evidence pack, residual-risk register.
Phase 5 - Continuous assurance
Sustain the level across future releases.
- Activities: gate releases on ASVS checks in CI/CD; re-verify on significant change; track metrics; schedule periodic reassessment and threat-model refresh; feed findings back into standards.
- Deliverables: automated ASVS gates, KPI dashboard, reassessment schedule, continuous-improvement loop.
Verification levels (ASVS scoring model)
ASVS defines three cumulative verification levels. Each higher level includes all requirements of the levels below it, plus additional, more rigorous controls. The level chosen expresses the assurance an application requires and is the primary 'score' in ASVS: an application is verified as meeting L1, L2 or L3 (fully) for its declared scope.
| Level | Name / assurance | Applies to | Typical verification depth |
|---|---|---|---|
| Level 1 | Opportunistic / minimum | Low-assurance apps; public or low-sensitivity data; MVPs | Fully testable via automated and light manual testing; the floor for all apps |
| Level 2 | Standard / recommended default | Apps handling personal, financial or B2B data; most business applications | Manual verification plus tooling; the recommended baseline for the majority of applications |
| Level 3 | Advanced / high assurance | Critical apps: payments, healthcare, identity, critical infrastructure | Deep manual verification, threat-model-driven, comprehensive evidence |
Because levels are cumulative, an L3 verification means every L1, L2 and L3 requirement in scope is met. Partial results are reported per requirement (verified / not verified / not applicable) so stakeholders see exactly which controls pass. CyberSigma reports both the headline level achievement and a domain-by-domain pass rate so remediation can be targeted.
| Reporting dimension | What it captures | Use |
|---|---|---|
| Level achieved | Highest fully-met level for the declared scope | Headline assurance statement / attestation |
| Per-domain pass rate | Percentage of requirements met per chapter | Targeting remediation, trend tracking |
| Not-applicable justification | Requirements excluded with rationale | Ensuring exclusions are defensible |
| Residual risk | Accepted gaps with owner and timeline | Risk governance and sign-off |
Assessment and audit approach
A rigorous ASVS assessment blends documentation review, configuration analysis, code review, dynamic testing and penetration testing. CyberSigma follows a structured, repeatable methodology so results are consistent and defensible.
- Confirm scope and level: agree the application boundary, components and target ASVS level with stakeholders; document trust boundaries and data flows.
- Gather documentation: collect architecture diagrams, threat models, policies, prior test reports and the requirement/level assignment.
- Prepare the verification workbook: instantiate the applicable requirements for the assigned level as a pass/fail workbook with evidence fields.
- Perform static verification: review source code, configuration and dependencies against relevant requirements (auth, crypto, input handling, config).
- Perform dynamic verification: exercise the running application, capturing headers, session behaviour, access-control responses and error handling.
- Conduct penetration testing: attempt to breach controls (IDOR/BOLA, injection, auth bypass, SSRF, business-logic abuse) scoped to the level.
- Record results per requirement: mark each verified / not verified / not applicable with supporting evidence and severity for gaps.
- Validate and retest: confirm findings with the team, retest remediated items, and finalise the residual-risk register.
- Report and attest: issue the ASVS verification report stating level achievement, per-domain pass rates, evidence and remediation roadmap.
- Schedule reassessment: define triggers (major release, architecture change) and a periodic cadence for re-verification.
Evidence request list
The following categorised evidence list supports an ASVS assessment. Provide current, production-representative artefacts; screenshots and configuration exports should be dated and attributable.
Governance and design
- Secure SDLC policy and secure-coding standard
- Application inventory with assigned ASVS levels
- Data classification matrix and data inventory
- Threat models and architecture / data-flow diagrams
- Prior penetration test and assessment reports
Authentication, session and access control
- Password policy and credential-hashing implementation details
- MFA configuration and enforcement policy
- Session and cookie configuration (timeouts, flags)
- Role/permission matrix and entitlement review evidence
- Access-control test results (IDOR/BOLA, privilege escalation)
Cryptography and data protection
- Cryptographic algorithm and key-length inventory
- Key management policy and KMS/HSM/vault evidence
- Encryption-at-rest and in-transit configuration
- Data retention and secure-deletion evidence
- Privacy / DSAR handling evidence
Input handling, files and APIs
- Input validation and output encoding code samples
- SQL/command/deserialisation defence evidence
- File upload/download validation and storage configuration
- API authentication, schema validation and rate-limiting configuration
- CORS and security-header configuration
Configuration, logging and supply chain
- SBOM and SCA scan reports
- Hardening baselines (CIS) and configuration scans
- Secret scanning results and vault integration
- Security event logging design and SIEM ingestion evidence
- CI/CD access controls and artefact provenance
Roles and responsibilities
Successful ASVS adoption depends on clear ownership across engineering, security and governance. The RACI below reflects a typical operating model.
| Role | Primary responsibilities | RACI on ASVS programme |
|---|---|---|
| CISO / Head of Security | Owns the ASVS mandate, level policy and risk acceptance | Accountable |
| Application Security team | Defines requirements, runs verification and testing | Responsible |
| Development / Engineering leads | Build to ASVS requirements; embed in definition of done | Responsible |
| Architects | Assign levels, produce threat models, design controls | Responsible |
| DevOps / Platform team | Implement pipeline gates, hardening, secrets management | Responsible |
| Product owners | Prioritise security stories; accept residual risk at feature level | Consulted |
| QA / Test engineering | Integrate ASVS test cases into functional testing | Consulted |
| Compliance / GRC | Map ASVS to regulatory obligations; maintain evidence | Consulted |
| Internal audit | Independently assures programme effectiveness | Informed |
| Vendor / third-party providers | Meet contractual ASVS level for delivered components | Responsible (for their scope) |
KPIs to track
- Percentage of applications with an assigned ASVS level and completed verification
- Per-domain ASVS pass rate (e.g. authentication, access control, cryptography) and trend over time
- Number of applications meeting their target level fully versus partially
- Mean time to remediate ASVS gaps by severity
- Percentage of releases passing automated ASVS pipeline gates
- Number of open critical/high ASVS findings and their ageing
- Coverage of threat modelling across L2/L3 applications
- Dependency vulnerability exposure (known-vulnerable components) and time to patch
- Percentage of high-risk flows elevated to and verified at L3
- Re-verification currency (percentage of apps re-verified within policy cadence)
Readiness checklist
- Every application has a documented, risk-based ASVS level assignment
- Data classification is complete and drives protection requirements
- Threat models exist and are current for all L2/L3 applications
- ASVS requirements are embedded in the secure-coding standard and definition of done
- Authentication uses strong credential storage, MFA and anti-brute-force controls
- Access control is server-side, least-privilege and tested for IDOR/BOLA
- Input validation, output encoding and parameterised queries are enforced
- Cryptography uses approved algorithms with managed keys and no hard-coded secrets
- All traffic uses TLS 1.2+ with HSTS and validated certificates
- Security events are logged, sensitive data masked, and forwarded to a SIEM
- Dependencies are inventoried (SBOM), scanned (SCA) and kept current
- Security headers, hardening baselines and environment segregation are in place
- CI/CD pipelines enforce ASVS gates and protect build integrity
- A verification workbook records pass/fail per requirement with evidence
- A residual-risk register with owners and timelines is maintained and approved
Common gaps
- Treating ASVS as a one-off penetration test rather than a build-time requirements baseline, so gaps recur every release
- Assigning no explicit level, leaving developers guessing how much security is 'enough'
- Client-side-only access-control enforcement, leaving IDOR/BOLA and privilege escalation exploitable server-side
- Weak or legacy credential storage (unsalted or fast hashes) and absent MFA on sensitive roles
- Hard-coded secrets and API keys committed to repositories or embedded in configuration
- Deprecated TLS/ciphers still enabled and missing HSTS or certificate validation on outbound calls
- Verbose error messages and stack traces leaking internal detail to users
- No SBOM and unmanaged third-party dependencies with known vulnerabilities
- Missing security logging or logs containing sensitive data with no SIEM forwarding
- Business-logic abuse (parameter tampering, race conditions, missing rate limits) untested by tooling and overlooked
- CORS misconfiguration (wildcard origins) and missing security headers
- Threat modelling skipped for high-risk applications, so design-level flaws go undetected
OWASP ASVS mapped to other frameworks
ASVS is complementary to governance and compliance frameworks: it provides the technical, testable application-layer controls those frameworks assume but rarely specify. The table maps ASVS to adjacent standards so a single ASVS verification can service multiple obligations.
| Framework | How ASVS supports it | Primary linkage |
|---|---|---|
| OWASP Top 10 | ASVS requirements provide the verifiable controls that prevent each Top 10 risk category | Top 10 = awareness; ASVS = verification |
| ISO/IEC 27001 | Supports secure development and system acquisition controls (A.8/A.14 lineage) | Secure development lifecycle controls |
| PCI DSS | Evidences secure coding and application security testing requirements (Req 6) | Requirement 6 secure development |
| SOC 2 (Trust Services) | Provides technical evidence for the Security/Processing Integrity criteria | Common Criteria control evidence |
| NIST SSDF (SP 800-218) | Supplies concrete verification tasks for produce/verify secure software practices | PW and RV practice families |
| DPDP Act / GDPR | Underpins data protection, minimisation and security-of-processing obligations | Technical safeguards for personal data |
| OWASP WSTG | WSTG provides test procedures that execute ASVS verification requirements | Testing methodology pairing |
| OWASP MASVS | Mobile equivalent of ASVS for mobile application verification | Sibling standard for mobile |
| CWE | Each ASVS requirement maps to CWE weakness identifiers | Weakness-to-control traceability |
| NIST 800-53 | Application controls support SA and SI control families | System and services acquisition/integrity |
Frequently asked questions
Need help with OWASP ASVS?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
