OWASP ASVS
What is OWASP ASVS?
OWASP ASVSThe OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
The OWASP Application Security Verification Standard (ASVS) is a community-maintained list of detailed, testable security requirements organized into chapters covering authentication, session management, access control, cryptography, validation, errors, data protection, communications, configuration, business logic, and more. ASVS defines three levels: Level 1 for opportunistic scanning, Level 2 for applications handling sensitive data, and Level 3 for high-assurance systems. Version 5.0 released in 2025 reorganizes the requirements around modern API and SPA architectures. Teams use ASVS as a contract between security and development, to drive code review checklists, threat modeling, pentest scoping, and compliance evidence for standards such as PCI DSS.
● Examples
- 01
A SaaS vendor publishing an ASVS L2 attestation to satisfy enterprise customer security questionnaires.
- 02
A pentest report that maps every finding to a specific ASVS v5 requirement ID.
● Frequently asked questions
What is OWASP ASVS?
The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs. It belongs to the Compliance & Frameworks category of cybersecurity.
What does OWASP ASVS mean?
The OWASP Application Security Verification Standard, a catalogue of testable security requirements for designing, building, and verifying web applications and APIs.
How does OWASP ASVS work?
The OWASP Application Security Verification Standard (ASVS) is a community-maintained list of detailed, testable security requirements organized into chapters covering authentication, session management, access control, cryptography, validation, errors, data protection, communications, configuration, business logic, and more. ASVS defines three levels: Level 1 for opportunistic scanning, Level 2 for applications handling sensitive data, and Level 3 for high-assurance systems. Version 5.0 released in 2025 reorganizes the requirements around modern API and SPA architectures. Teams use ASVS as a contract between security and development, to drive code review checklists, threat modeling, pentest scoping, and compliance evidence for standards such as PCI DSS.
How do you defend against OWASP ASVS?
Defences for OWASP ASVS typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for OWASP ASVS?
Common alternative names include: Application Security Verification Standard, ASVS.
● Related terms
- compliance№ 781
OWASP Top 10
An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.
- compliance№ 782
OWASP WSTG
The OWASP Web Security Testing Guide, a comprehensive open-source manual that describes how to test web applications for the most common security weaknesses.
- compliance№ 778
OWASP MASVS
The OWASP Mobile Application Security Verification Standard, a baseline of testable security requirements for iOS and Android mobile applications.
- compliance№ 780
OWASP SAMM
The OWASP Software Assurance Maturity Model, a framework for measuring and improving an organization's secure-software-development practices over time.
- appsec№ 982
Secure Coding
The practice of writing source code in ways that minimize security defects, following defensive patterns, language-specific rules and recognized guidelines.
- compliance№ 204
Compliance
The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
● See also
- № 774OWASP API Security Top 10
- № 783OWASP ZAP
- № 776OWASP Dependency-Check
- № 801PASTA Threat Model
- № 143CAPEC