This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Category:OWASP Application Security Verification Standard Project
About
What is ASVS?
Whereas the OWASP Top Ten Project is a tool that provides web application security awareness, the OWASP "Application Security Verification Standard" (also known as "ASVS") is a commercially-workable open standard that defines ranges in coverage and levels of rigor that can be used to perform application security verifications. There are three main parts to ASVS. ASVS defines (1) levels of application-level security verification that increase in breadth and depth as one moves up the levels, (2) verification requirements that prescribe a unique white-list approach for security controls, and (3) reporting requirements that ensure reports are sufficiently detailed to make verification repeatable. OWASP ASVS is the first standard that OWASP has published, and ASVS is the first internationally-recognized standard for performing application security assessments! There are currently versions in English.
What are some examples of how ASVS can be used?
- Web application developers can use ASVS as a yardstick with which to assess the degree of trust that can be placed in their web applications,
- Security control developers can use ASVS as guidance as to what to build into controls in order to satisfy web application security requirements, and
- ASVS can be used as a basis for specifying web application security verification requirements in contracts.
What's new?
- OWASP ASVS users/adopters updated to include ps_testware. Are you a user/adopter? Let the project lead know!
- OWASP ASVS users/adopters updated to include Federal Deposit Insurance Corporation (FDIC). Are you a user/adopter? Let the project lead know!
- OWASP ASVS was presented by Dave Wichers at OWASP Software Assurance Day DC 2009 in conjunction with the Software Assurance Forum sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.
FAQ
|
This project has produced a book that can be downloaded or purchased. Feel free to browse the full catalog of available OWASP books. |
More About OWASP ASVS
- Project Presentation (PowerPoint)
- Executive-Level Presentation (PowerPoint)
- Presentation Abstract (Word)
- One Page Datasheet (PDF, Word)
- Articles - More About ASVS and Using It
Related projects
Web Application Edition
Web Application Edition of OWASP ASVS - Beta (This is the current official release version)
Download free:
OWASP ASVS - Beta
Web Application Edition of OWASP ASVS Alpha Downloads
Download free:
OWASP ASVS - Alpha
Web Service Edition
Web Service Edition of ASVS - First release is under development
- Details will be filled in as work progresses. Volunteers wanted!
- Contact Mike Boberski for further details.
Cloud Computing Edition
Cloud Computing Edition of ASVS - Under consideration
- Contact Mike Boberski for further details.
Client Server Edition
Client Server of ASVS - Under consideration
- Contact Mike Boberski for further details.
News
Project News
- 04/08/2009 - OWASP ASVS users and adopters list updated to include ps_testware
- 04/06/2009 - OWASP ASVS users and adopters list updated to include Federal Deposit Insurance Corporation (FDIC)
- 03/13/2009 - OWASP ASVS is presented by Dave Wichers at OWASP Software Assurance Day DC 2009 in conjunction with the Software Assurance Forum sponsored by the US Department of Homeland Security, Department of Defense and National Institute of Standards and Technology.
- 02/25/2009 – OWASP ASVS proposed updates based on pilots being considered.
- 01/22/2009 - OWASP ASVS has been integrated into the OWASP Secure Software Contract Annex in the OWASP Legal Project.
- 01/08/2009 - OWASP ASVS is presented by Mike Boberski at the OWASP Washington VA Local Chapter meeting.
- 12/29/2008 - OWASP ASVS is the subject of an article by DarkReading.
- 12/08/2008 - OWASP ASVS Final assistance required! Please join the mailing list for more information and assignments.
- 12/05/2008 - OWASP ASVS exits the Summer of Code 2008! The Beta draft of the Web Application Edition is released! Mike Boberski, Jeff Williams, and Dave Wichers are the primary authors.
- 11/03/2008 - OWASP ASVS is presented by Jeff Williams at OWASP EU Summit 2008.
- 10/03/2008 - OWASP ASVS Alpha draft is released! Mike Boberski is the primary author.
- 04/16/2008 - OWASP ASVS Summer of Code 2008 proposal submitted by Mike Boberski wins!
Project Mail List
Subscribe here
Use here
Contributors/Users
Project Leader
Mike Boberski
Project Contributors
Jeff Williams
Dave Wichers
The OWASP ASVS project is co-sponsored by:
Users and Adopters
Pilots are already underway at various companies and agencies around the globe. A broad range of companies and agencies around the globe are also using OWASP ASVS, including:
Please let us know how your organization is using OWASP ASVS. Include your name, organization's name, and brief description of how you use the standard. The project lead can be reached at [email protected] Thanks for supporting OWASP!
Subscribe to the RSS ASVS announcement feed here
This project licensed under the Licensed under Creative Commons Attribution ShareAlike 3.0.
Articles Below - More About ASVS and Using It
Pages in category "OWASP Application Security Verification Standard Project"
The following 21 pages are in this category, out of 21 total.
H
- How to bootstrap the NIST risk management framework with verification activities
- How to bootstrap your SDLC with verification activities
- How to create verification project schedules
- How to perform a security architecture review at Level 1
- How to perform a security architecture review at Level 2
- How to specify verification requirements in contracts
- How to write verifier job requisitions
