OWASP ASVS
What is OWASP ASVS?
OWASP ASVSThe OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
The OWASP Application Security Verification Standard (ASVS) is a community-maintained list of detailed, testable security requirements organized into chapters covering authentication, session management, access control, cryptography, validation, errors, data protection, communications, configuration, business logic, and more. ASVS defines three levels: Level 1 for opportunistic scanning, Level 2 for applications handling sensitive data, and Level 3 for high-assurance systems. Version 5.0 released in 2025 reorganizes the requirements around modern API and SPA architectures. Teams use ASVS as a contract between security and development, to drive code review checklists, threat modeling, pentest scoping, and compliance evidence for standards such as PCI DSS.
● Examples
- 01
A SaaS vendor publishing an ASVS L2 attestation to satisfy enterprise customer security questionnaires.
- 02
A pentest report that maps every finding to a specific ASVS v5 requirement ID.
● Frequently asked questions
What is OWASP ASVS?
The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs. It belongs to the Compliance & Frameworks category of cybersecurity.
What does OWASP ASVS mean?
The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
How do you defend against OWASP ASVS?
Defences for OWASP ASVS typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for OWASP ASVS?
Common alternative names include: Application Security Verification Standard, ASVS.