OWASP : Application Security Verification Standard

Amit Sangwan

Link to the latest revision (May 2025): click to download


OWASP: The Open Worldwide Application Security Project (formerly the Open Web Application Security Project)

“It is an open-source organisation that provides global guidelines, tools, and best practices to help improve application security and reduce software vulnerabilities.”


What is OWASP ASVS?

The OWASP Application Security Verification Standard (ASVS) is a comprehensive framework that defines security requirements for web applications and services.

It serves as an essential resource for developers, architects, and security professionals looking to design, develop, test, and maintain secure software.


Scope of the ASVS

ASVS gets its name from its four foundational pillars:

| Term | Meaning |
| --- | --- |
| Application | The software product being developed; security controls must be integrated into it. |
| Security | Each requirement must contribute to reducing the likelihood or impact of a security risk. |
| Verification | All requirements must be verifiable, resulting in a clear pass/fail outcome. |
| Standard | Only requirements ("must") are defined — no recommendations ("should"). |

Requirement: The word requirement is used deliberately in the ASVS because it describes what must be achieved to satisfy the standard. The ASVS contains only requirements ("must") and, as its governing condition, no recommendations ("should").


ASVS Levels of Assurance

ASVS uses a three-level model to provide varying degrees of assurance depending on risk and use case.

| Level | Description | Real-World Use Case |
| --- | --- | --- |
| Level 1 | Minimal assurance for low-risk public apps | Marketing sites, blogs, personal portfolios |
| Level 2 | Recommended default for most business apps | SaaS platforms, dashboards, HRMS, CRMs |
| Level 3 | High assurance for safety-critical systems | Fintech APIs, healthcare, defense/military apps |

  • Level 1: ~20% of requirements. Easy adoption, first layer of defense.

  • Level 2: ~70% of total requirements cumulatively (all of Level 1 plus the Level 2 requirements).

  • Level 3: The remaining ~30%. Suitable for high-security, regulated environments.

Note: Select your level based on your application's sensitivity and threat model. A startup may start with Level 1, while a bank must aim for Level 3.


How to Use ASVS

  • ASVS v5.0.0 contains approximately 350 requirements.

  • Divided into 17 chapters, each split into sections for easier filtering.

Example: If your app doesn’t use OAuth, you can ignore that chapter altogether.


ASVS Requirement Format

Each requirement follows this format:
<chapter>.<section>.<requirement> — e.g., 6.2.4

  • Chapter: Topic (e.g., Chapter 6 = Authentication)

  • Section: Subtopic (e.g., 6.2 = Password Security)

  • Requirement: Specific control (e.g., 6.2.4 = password blacklist check)

Examples

Chapter 5: File Handling →

Section 2: File Upload →

  • 5.2.1: Verify that the application will only accept files of a size which it can process without causing a loss of performance or a denial of service attack. (Level 1)

  • 5.2.6: Verify that the application rejects uploaded images with a pixel size larger than the maximum allowed, to prevent pixel flood attacks. (Level 3)
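As an added example (not code from the post or from the ASVS project), here is a Python upload gate that implements the two file-upload controls above: it enforces a byte-size limit before doing anything else (5.2.1), and it reads the declared pixel dimensions straight out of the PNG IHDR header so an image above the pixel budget is rejected before any decoder allocates memory for it (5.2.6), which is the pixel-flood case where a few kilobytes of file declare a gigantic canvas. The limits, helper names and sample images are assumptions constructed for the example; only PNG is handled.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed limits for the example: real values come from what the service can actually process.
MAX_UPLOAD_BYTES = 2 * 1024 * 1024       # 5.2.1: size the app can handle without degradation
MAX_IMAGE_PIXELS = 4000 * 4000           # 5.2.6: width * height budget


def png_dimensions(data: bytes):
    """Return (width, height) from the IHDR chunk without decoding pixel data.

    Returns None if the bytes are not a well-formed PNG header. The layout is
    fixed: 8-byte signature, 4-byte chunk length (always 13 for IHDR), b'IHDR',
    13 bytes of data (width, height, bit depth, colour type, compression,
    filter, interlace) and a CRC-32 over chunk type plus chunk data.
    """
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        return None
    length, chunk_type = struct.unpack(">I4s", data[8:16])
    if length != 13 or chunk_type != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    (expected_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) != expected_crc:
        return None  # corrupted or hand-edited header: do not trust its dimensions
    if width == 0 or height == 0:
        return None
    return width, height


def validate_upload(data: bytes, max_bytes: int = MAX_UPLOAD_BYTES,
                    max_pixels: int = MAX_IMAGE_PIXELS):
    """Return (accepted, reason). Cheap checks run first so a rejected file costs little."""
    if len(data) > max_bytes:
        return False, "file larger than the configured size limit (5.2.1)"
    dims = png_dimensions(data)
    if dims is None:
        return False, "not a well-formed PNG"
    width, height = dims
    if width * height > max_pixels:
        return False, f"declared {width}x{height} exceeds pixel budget (5.2.6)"
    return True, "accepted"


def make_png_header(width: int, height: int) -> bytes:
    """Constructed sample: signature + IHDR only, enough to exercise the checks above."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr)
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


if __name__ == "__main__":
    print(validate_upload(make_png_header(1024, 768)))
    print(validate_upload(make_png_header(100_000, 100_000)))   # tiny file, enormous canvas
    print(validate_upload(b"\x00" * (MAX_UPLOAD_BYTES + 1)))
```

The header check is a pre-decode gate, not a replacement for the decoder's own guard: if you then hand the file to an image library, keep its decompression-bomb limit switched on as well (Pillow, for instance, enforces `Image.MAX_IMAGE_PIXELS`), so that a second layer catches anything the header parse did not cover.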

Chapter 6: Authentication →

Section 2: Password Security →

  • 6.2.1: Verify that user set passwords are at least 8 characters in length although a minimum of 15 characters is strongly recommended. (Level 1)

  • 6.2.4: Check passwords against top 3000 common passwords. (Level 1)

  • 6.2.12: Check passwords against a breached password list. (Level 2)

  • 6.6.4: Use rate limiting for MFA push to prevent bombing. (Level 3)
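As an added example (not from the post or from the ASVS project), here is a Python sketch of the four authentication controls listed above: a length floor (6.2.1), a common-password check (6.2.4), a breached-password lookup that only ever sends a hash prefix, in the k-anonymity shape of the Have I Been Pwned range API (6.2.12), and a sliding-window cap on MFA push notifications per account (6.6.4). The word list, the breached-hash table, the window sizes and all names are assumptions constructed for the example; the case-insensitive common-password match is a design choice, not something the requirement text specifies.

```python
import hashlib
import time
from collections import defaultdict, deque

MIN_PASSWORD_LENGTH = 8          # 6.2.1 floor; 15 is strongly recommended
RECOMMENDED_PASSWORD_LENGTH = 15

# Constructed stand-in for the top-3000 common-password list (6.2.4).
# A deployment loads the full list; matching is case-insensitive here by design.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin123"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password range lookup (6.2.12). It keeps
# the k-anonymity shape of the Have I Been Pwned range API: key = first 5 hex
# chars of the SHA-1, value = "SUFFIX:COUNT" lines for every hash sharing that
# prefix. The single entry below is fabricated for the example.
_sample = sha1_hex("Summer2019!")
BREACHED_RANGES = {_sample[:5]: [f"{_sample[5:]}:42"]}


def breached_count(password: str, range_lookup=BREACHED_RANGES.get) -> int:
    """Breach count for the password, 0 if unseen. Only the 5-char prefix leaves the host."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix) or []:
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str) -> list:
    """Return the ASVS controls the password fails; an empty list means acceptable."""
    failures = []
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append("6.2.1: shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("6.2.4: in the common-password list")
    seen = breached_count(password)
    if seen:
        failures.append(f"6.2.12: seen in {seen} breaches")
    return failures


class PushRateLimiter:
    """Sliding-window cap on MFA push notifications per account (6.6.4).

    Push bombing depends on many prompts landing in a short time; capping prompts
    per account and window removes that lever, and each denial is a natural
    point to log and alert on.
    """

    def __init__(self, max_pushes: int, window_seconds: float, clock=time.monotonic):
        self.max_pushes = max_pushes
        self.window = window_seconds
        self.clock = clock
        self._sent = defaultdict(deque)

    def allow(self, account_id: str) -> bool:
        now = self.clock()
        sent = self._sent[account_id]
        while sent and now - sent[0] >= self.window:
            sent.popleft()                      # forget pushes that fell out of the window
        if len(sent) >= self.max_pushes:
            return False
        sent.append(now)
        return True


if __name__ == "__main__":
    for pw in ("qwerty", "Summer2019!", "correct horse battery staple"):
        print(pw, "->", check_password(pw) or "ok")
    limiter = PushRateLimiter(max_pushes=3, window_seconds=300)
    print([limiter.allow("alice") for _ in range(5)])   # three allowed, then denied
```

Returning the list of failed control IDs rather than a bare boolean keeps the pass/fail outcome that the Verification pillar asks for traceable to a specific requirement in the verification report.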

Chapter 13: Configuration →

Section 3: Secret Management →

  • 13.3.2: Verify that access to secret assets adheres to the principle of least privilege. (Level 2)

  • 13.3.4: Verify that secrets are configured to expire and be rotated based on the application’s documentation. (Level 3)

Referencing tip: Use versioned IDs like v5.0.0-6.2.4 to avoid confusion between ASVS versions.
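Tying the ID format, the cumulative level model and the referencing tip together, here is an added Python example (not code from the post or from the ASVS project) that parses a versioned reference such as `v5.0.0-6.2.4` into its parts and selects the requirements a verification at a given level has to cover, with Level 2 including Level 1 and Level 3 including both, plus the option to drop whole chapters that do not apply, as the OAuth remark suggests. The `Requirement` type and the sample list are assumptions built from the IDs, levels and texts quoted on this page.

```python
import re
from dataclasses import dataclass

# Versioned reference in the form the tip recommends: v<major>.<minor>.<patch>-<chapter>.<section>.<requirement>
VERSIONED_ID = re.compile(
    r"^v(?P<version>\d+\.\d+\.\d+)-(?P<chapter>\d+)\.(?P<section>\d+)\.(?P<req>\d+)$"
)


@dataclass(frozen=True)
class Requirement:
    id: str       # "6.2.4"
    level: int    # lowest level at which the requirement applies: 1, 2 or 3
    text: str

    @property
    def chapter(self) -> int:
        return int(self.id.split(".")[0])


def parse_versioned_id(ref: str):
    """Split 'v5.0.0-6.2.4' into (version, chapter, section, requirement)."""
    m = VERSIONED_ID.match(ref.strip())
    if not m:
        raise ValueError(f"not a versioned ASVS reference: {ref!r}")
    return m["version"], int(m["chapter"]), int(m["section"]), int(m["req"])


def applicable(requirements, target_level: int, skip_chapters=()):
    """Requirements a verification at target_level must cover.

    Levels are cumulative, so a requirement applies when its level is at or
    below the target. Chapters listed in skip_chapters are left out entirely
    (for example the OAuth chapter for an app that does not use OAuth).
    """
    if target_level not in (1, 2, 3):
        raise ValueError("ASVS defines levels 1, 2 and 3 only")
    return [
        r for r in requirements
        if r.level <= target_level and r.chapter not in set(skip_chapters)
    ]


# Constructed sample drawn from the requirements quoted above (texts shortened).
SAMPLE = [
    Requirement("5.2.1", 1, "Accept only files of a size the app can process"),
    Requirement("5.2.6", 3, "Reject images above the maximum pixel size"),
    Requirement("6.2.1", 1, "Passwords at least 8 characters"),
    Requirement("6.2.4", 1, "Check against top 3000 common passwords"),
    Requirement("6.2.12", 2, "Check against a breached-password list"),
    Requirement("6.6.4", 3, "Rate-limit MFA push"),
    Requirement("13.3.2", 2, "Least privilege for access to secrets"),
    Requirement("13.3.4", 3, "Secrets expire and rotate"),
]


if __name__ == "__main__":
    print(parse_versioned_id("v5.0.0-6.2.4"))
    for level in (1, 2, 3):
        print(f"Level {level}:", [r.id for r in applicable(SAMPLE, level)])
    print("Level 3, skipping chapter 13:",
          [r.id for r in applicable(SAMPLE, 3, skip_chapters={13})])
```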


OWASP ASVS v4.0.3 vs v5.0.0 – Summary of Changes

| Aspect | ASVS v4.0.3 | ASVS v5.0.0 | Remarks |
| --- | --- | --- | --- |
| Unchanged | 11 | | Only 11 requirements remained untouched. |
| Grammatical Edits Only | 15 | | Minor wording updates without changing meaning. |
| Removed | 109 | | Cleaned up and simplified. |
| ➤ Deleted | 50 | | Obsolete or no longer relevant. |
| ➤ Duplicates | 28 | | Removed due to repetition. |
| ➤ Merged | 31 | | Combined with other controls. |
| New/Revised | | Majority | Most controls were updated for clarity and coverage. |
| Requirement IDs | Fixed | Reorganized | All IDs renumbered and grouped by context. |
| Mapping Documents | Not Needed | Provided | Helps migrate or audit based on older versions. |

OWASP ASVS v4.0.3 Chapter List

  1. Architecture, Design, and Threat Modeling Requirements

  2. Authentication Verification Requirements

  3. Session Management Verification Requirements

  4. Access Control Verification Requirements

  5. Validation, Sanitization, and Encoding Verification Requirements

  6. Stored Cryptography Verification Requirements

  7. Error Handling and Logging Verification Requirements

  8. Data Protection Verification Requirements

  9. Communications Verification Requirements

  10. Malicious Code Verification Requirements

  11. Business Logic Verification Requirements

  12. Files and Resources Verification Requirements

  13. API and Web Service Verification Requirements

  14. Configuration Verification Requirements


Note: Refer to ASVS v5 itself for a detailed read of the chapters, sections and requirements; the link is shared at the top.

