
How to specify verification requirements in contracts

If you are specifying web application security verification requirements in contracts, you can use the OWASP Application Security Verification Standard (ASVS) to do so. One approach is to start with the OWASP Secure Software Contract Annex. The Annex helps software buyers and vendors discuss security and capture the important terms.

Neither the OWASP ASVS nor the OWASP Legal projects should be considered legal advice, and we strongly recommend that you find competent counsel to assist with your contract negotiations.

The contract annex and this article have been placed in the public domain to facilitate use in private contracts. The OWASP Secure Software Contract Annex has been updated to make use of the OWASP Application Security Verification Standard as follows:

9(e) Security Analysis and Testing. Developer will perform 
application security analysis and testing (also called 
"verification") according to the verification requirements of 
an agreed-upon standard (such as the OWASP ASVS). The 
Developer shall document verification findings according to 
the reporting requirements of the standard. The Developer 
shall provide the verification findings to Client.