• Stars
    star
    2,720
  • Rank 16,742 (Top 0.4 %)
  • Language
    HTML
  • License
    Creative Commons ...
  • Created about 10 years ago
  • Updated about 1 month ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Application Security Verification Standard

OWASP Application Security Verification Standard

CC BY-SA 4.0

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

CC BY-SA 4.0

Introduction

The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to provide an open application security standard for web apps and web services of all types.

The standard provides a basis for designing, building, and testing technical application security controls, including architectural concerns, secure development lifecycle, threat modelling, agile security including continuous integration / deployment, serverless, and configuration concerns.

We gratefully recognise the organizations who have supported the project either through significant time provision or financially on our "Supporters" page!

Please log issues if you find any bugs or if you have ideas. We may subsequently ask you to open a pull request based on the discussion in the issue. We are also actively looking for translations of the 4.n branch.

Roadmap to ASVS 5.0

We have now published our roadmap and objectives for version 5.0 of the ASVS in this wiki page.

Latest Stable Version - 4.0.3

The latest stable version is version 4.0.3 (dated October 2021), which can be found:

The master branch of this repository will always be the "bleeding edge version" which might have in-progress changes or other edits open. The next release target will be version 5.0.

For information on changes between 4.0.2 and 4.0.3 of the standard, see this wiki page and for a full diff, see this pull request.

Translations

The OWASP Community effort with regards to translations is a best effort. Whilst we do our utmost to ensure the content is valid, from a structural perspective, there is only so much we can do to ensure the translations are correct. We rely on you, the community, to help make the ASVS as usable as possible to all around the globe, and translating the main branch into your language is important to the project.

If you think you can help with translations, or indeed ensuring the current list of translations below are correct, we'd love for you to join the community and make the ASVS amazing for all. For more information on translating the ASVS see the translations section of CONTRIBUTING.md.

Standard Objectives

The requirements were developed with the following objectives in mind:

  • Help organizations adopt or adapt a high quality secure coding standard
  • Help architects and developers build secure software by designing and building security in, and verifying that they are in place and effective by the use of unit and integration tests that implement ASVS tests
  • Help deploy secure software via the use of repeatable, secured builds
  • Help security reviewers use a comprehensive, consistent, high quality standard for hybrid code reviews, secure code reviews, peer code reviews, retrospectives, and work with developers to build security unit and integration tests. It is even possible to use this standard for penetration testing at Level 1
  • Assist tool vendors by ensuring there is an easily generatable machine readable version, with CWE mappings
  • Assist organizations to benchmark application security tools by the percentage of coverage of the ASVS for dynamic, interactive, and static analysis tools
  • Minimize overlapping and competing requirements from other standards, by either aligning strongly with them (NIST 800-63), or being strict supersets (OWASP Top 10 2017, PCI DSS 3.2.1), which will help reduce compliance costs, effort, and time wasted in accepting unnecessary differences as risks.

ASVS requirement lists are made available in CSV, JSON, and other formats which may be useful for reference or programmatic use.

How To Reference ASVS Requirements

Each requirement has an identifier in the format <chapter>.<section>.<requirement> where each element is a number, for example: 1.11.3.

  • The <chapter> value corresponds to the chapter from which the requirement comes, for example: all 1.#.# requirements are from the Architecture chapter.
  • The <section> value corresponds to the section within that chapter where the requirement appears, for example: all 1.11.# requirements are in the Business Logic Architecture section of the Architecture chapter.
  • The <requirement> value identifies the specific requirement within the chapter and section, for example: 1.11.3 which as of version 4.0.3 of this standard is:

Verify that all high-value business logic flows, including authentication, session management and access control are thread safe and resistant to time-of-check and time-of-use race conditions.

The identifiers may change between versions of the standard therefore it is preferable that other documents, reports, or tools use the format: v<version>-<chapter>.<section>.<requirement>, where: 'version' is the ASVS version tag. For example: v4.0.3-1.11.3 would be understood to mean specifically the 3rd requirement in the 'Business Logic Architecture' section of the 'Architecture' chapter from version 4.0.3. (This could be summarized as v<version>-<requirement_identifier>.)

Note: The v preceding the version portion is to be lower case.

If identifiers are used without including the v<version> element then they should be assumed to refer to the latest Application Security Verification Standard content. Obviously as the standard grows and changes this becomes problematic, which is why writers or developers should include the version element.

License

The entire project content is under the Creative Commons Attribution-Share Alike v3.0 license.

More Repositories

1

CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Python
27,397
star
2

owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
Python
11,723
star
3

Amass

In-depth Attack Surface Mapping and Asset Discovery
Go
7,941
star
4

wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Dockerfile
7,242
star
5

Go-SCP

Golang Secure Coding Practices guide
Go
4,841
star
6

Top10

Official OWASP Top 10 Document Repository
HTML
4,262
star
7

Nettacker

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
Python
3,374
star
8

API-Security

OWASP API Security Project
Dockerfile
2,050
star
9

owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
Python
2,045
star
10

DevGuide

The OWASP Guide
2,011
star
11

NodeGoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
HTML
1,857
star
12

QRLJacking

QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.
Python
1,346
star
13

SecurityShepherd

Web and mobile application security training platform
Java
1,338
star
14

wrongsecrets

Vulnerable app with examples showing how to not use secrets
Java
1,196
star
15

crAPI

completely ridiculous API (crAPI)
Java
1,100
star
16

www-project-top-ten

OWASP Foundation Web Respository
HTML
1,098
star
17

www-community

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.
HTML
1,078
star
18

joomscan

OWASP Joomla Vulnerability Scanner Project https://www.secologist.com/
Raku
1,062
star
19

threat-dragon

An open source threat modeling tool from OWASP
JavaScript
915
star
20

railsgoat

A vulnerable version of Rails that follows the OWASP Top 10
HTML
859
star
21

java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
Java
788
star
22

OWASP-VWAD

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
749
star
23

DevSecOpsGuideline

The OWASP DevSecOps Guideline can help us to embedding security as a part of the development pipeline.
Python
705
star
24

IoTGoat

IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
C
689
star
25

ZSC

OWASP ZSC - Shellcode/Obfuscate Code Generator https://www.secologist.com/
Python
645
star
26

Docker-Security

Getting a handle on container security
Dockerfile
630
star
27

OWASP-WebScarab

OWASP WebScarab
Java
582
star
28

MASTG-Hacking-Playground

Java
574
star
29

www-project-kubernetes-top-ten

OWASP Foundation Web Respository
HTML
554
star
30

SecureCodingDojo

The Secure Coding Dojo is a platform for delivering secure coding knowledge.
PHP
536
star
31

DVSA

a Damn Vulnerable Serverless Application
JavaScript
532
star
32

glue

Application Security Automation
Ruby
522
star
33

www-project-top-10-for-large-language-model-applications

OWASP Foundation Web Respository
TeX
514
star
34

owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
Java
488
star
35

OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
Python
457
star
36

Python-Honeypot

OWASP Honeypot, Automated Deception Framework.
Python
429
star
37

www-project-web-security-testing-guide

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
HTML
429
star
38

rbac

PHP-RBAC is an authorization library for PHP. It provides developers with NIST Level 2 Standard Role Based Access Control and more, in the fastest implementation yet.
PHP
423
star
39

owasp.github.io

OWASP Foundation main site repository
HTML
423
star
40

iGoat-Swift

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
C
406
star
41

samm

SAMM stands for Software Assurance Maturity Model.
JavaScript
397
star
42

threat-model-cookbook

This project is about creating and publishing threat model examples.
Python
373
star
43

igoat

OWASP iGoat - A Learning Tool for iOS App Pentesting and Security by Swaroop Yermalkar
C
368
star
44

Vulnerable-Web-Application

OWASP Vulnerable Web Application Project https://github.com/hummingbirdscyber
PHP
345
star
45

O-Saft

O-Saft - OWASP SSL advanced forensic tool
Perl
344
star
46

vbscan

OWASP VBScan is a Black Box vBulletin Vulnerability Scanner
Perl
323
star
47

Serverless-Goat

OWASP ServerlessGoat: a serverless application demonstrating common serverless security flaws
Python
312
star
48

SecureTea-Project

The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices)
JavaScript
285
star
49

RiskAssessmentFramework

The Secure Coding Framework
TypeScript
245
star
50

D4N155

OWASP D4N155 - Intelligent and dynamic wordlist using OSINT
Shell
223
star
51

Serverless-Top-10-Project

OWASP Serverless Top 10
210
star
52

pysap

pysap is an open source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.
Python
205
star
53

www-project-ai-security-and-privacy-guide

OWASP Foundation Web Respository
HTML
202
star
54

www-chapter-japan

OWASP Foundation Web Respository
HTML
198
star
55

phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS
197
star
56

json-sanitizer

Given JSON-like content, The JSON Sanitizer converts it to valid JSON.
Java
190
star
57

Maturity-Models

Node application to help managing Maturity Models like the ones created by BSIMM and OpenSAMM
JavaScript
184
star
58

passfault

OWASP Passfault evaluates passwords and enforces password policy in a completely different way.
JavaScript
169
star
59

ASST

OWASP ASST (Automated Software Security Toolkit) | A Novel Open Source Web Security Scanner.
JavaScript
152
star
60

IoT-Security-Verification-Standard-ISVS

OWASP IoT Security Verification Standard (ISVS)
TeX
133
star
61

Software-Component-Verification-Standard

Software Component Verification Standard (SCVS)
Python
133
star
62

owasp-summit-2017

Content for OWASP Summit 2017 site
CSS
128
star
63

BLT

OWASP BLT is a bug logging tool to report issues and get points, companies are held accountable.
HTML
124
star
64

www-project-secure-headers

The OWASP Secure Headers Project
Python
122
star
65

www-project-proactive-controls

OWASP Foundation Web Respository
Shell
122
star
66

www-project-code-review-guide

OWASP Code Review Guide Web Repository
HTML
119
star
67

SEDATED

SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure)
Shell
109
star
68

sonarqube

OWASP SonarQube Project
Dockerfile
109
star
69

raider

OWASP Raider: a novel framework for manipulating the HTTP processes of persistent sessions
Python
103
star
70

OWASP-Testing-Guide

OWASP Testing Guide
103
star
71

OWASPWebGoatPHP

A deliberately vulnerable web application for learning web application security.
PHP
99
star
72

user-security-stories

Repo to hold mapping of user-security-stories
99
star
73

KubeLight

OWASP Kubernetes security and compliance tool [WIP]
Python
97
star
74

owasp-istg

The IoT Security Testing Guide (ISTG) provides a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results.
Python
89
star
75

www-project-mobile-top-10

HTML
83
star
76

www-project-webgoat

OWASP Foundation Web Respository
HTML
81
star
77

Honeypot-Project

Python
79
star
78

NINJA-PingU

Python
77
star
79

threat-dragon-desktop

Desktop variant of OWASP Threat Dragon
77
star
80

OpenCRE

Python
77
star
81

www-project-developer-guide

OWASP Project Developer Guide - Document and Project Web pages
HTML
77
star
82

www-project-csrfguard

The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer Tokens
Java
77
star
83

www-project-machine-learning-security-top-10

OWASP Machine Learning Security Top 10 Project
HTML
73
star
84

www-project-zap

OWASP Zed Attack Proxy project landing page.
HTML
72
star
85

www-project-threat-dragon

OWASP Foundation Threat Dragon Project Web Repository
HTML
70
star
86

SSO_Project

OWASP Single Sign-On allows a secure-by-default self-hosted SSO experience, including phishing-proof two-factor authentication, using state-of-the-art security mechanisms.
JavaScript
68
star
87

www-project-application-security-verification-standard

OWASP Foundation Web Respository
HTML
67
star
88

PHP-ESAPI

Migrated from code.google.com to a more active public repository.
PHP
65
star
89

www-project-security-knowledge-framework

OWASP Foundation Web Respository
HTML
64
star
90

wpBullet

Python
63
star
91

www-project-secure-coding-practices-quick-reference-guide

OWASP Foundation Project Web Repository for Secure Coding Practices Quick-reference Guide
HTML
63
star
92

www-project-top-10-low-code-no-code-security-risks

OWASP Low-Code/No-Code Top 10
HTML
62
star
93

www-project-top-10-ci-cd-security-risks

OWASP Foundation Web Respository
HTML
58
star
94

Container-Security-Verification-Standard

Container Security Verification Standard
Python
57
star
95

www-project-devsecops-guideline

The OWASP DevSecOps Guideline explains how we can implement a secure pipeline and use best practices and introduce tools that we can use in this matter. Also, the project is trying to help us promote the shift-left security culture in our development process.
HTML
49
star
96

www-project-devsecops-maturity-model

OWASP Foundation Web Respository
HTML
48
star
97

www-project-juice-shop

OWASP Foundation Web Respository
HTML
48
star
98

packman

A documentation and tracking project with the goal of making package management systems more secure.
48
star
99

www-project-api-security

OWASP Foundation Web Repository
HTML
47
star
100

WebGoat

This is a defunct code base. The project is located at: https://github.com/WebGoat
HTML
47
star