11.1.2 ASVS gap analysis
The Application Security Verification Standard (ASVS) is a long-established OWASP flagship project, and is widely used both to verify the security of web applications and to identify gaps in it.
It can be downloaded from the OWASP project page in various languages and formats: PDF, Word, CSV, XML and JSON. Having said that, the recommended way to consume the ASVS is to read the GitHub markdown pages directly; this ensures that the latest version is used.
What is ASVS?
The ASVS is an open standard that sets out the coverage and ‘level of rigor’ expected when performing web application security verification. Because it enumerates the controls an application is expected to have, it can be used to identify gaps in the security of web applications.
The ASVS is split into various sections:
- V1 Architecture, Design and Threat Modeling
- V2 Authentication
- V3 Session Management
- V4 Access Control
- V5 Validation, Sanitization and Encoding
- V6 Stored Cryptography
- V7 Error Handling and Logging
- V8 Data Protection
- V9 Communication
- V10 Malicious Code
- V11 Business Logic
- V12 Files and Resources
- V13 API and Web Service
- V14 Configuration
How to use it
The ASVS is a list of verification requirements that can be used to identify gaps in the security of web applications. If the ASVS calls for a control, that control should be considered for the application: it may turn out to be not applicable, but the decision should be made, and ideally recorded with its justification, at some point in the development process. A gap is then any requirement that was never considered, or that was considered and is still missing.
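The following is an added example of what that gap analysis looks like when automated; it is not code from the OWASP Developer Guide or the ASVS project. It walks a small, constructed sample in the nested `Requirements` / `Items` / `Shortcode` / `L1`-`L3` shape of the ASVS 4.0 JSON export (that shape is an assumption; check it against the file you download, and the requirement descriptions below are abridged), reads a team's assessment record (a constructed dict keyed by requirement shortcode, with a status of `implemented`, `missing` or `not_applicable`), and reports every requirement at the chosen level that has no decision, is still missing, or was marked not applicable without a justification.

```python
"""ASVS gap analysis over a JSON export (added example, not OWASP's own code)."""
import json

# Constructed sample mirroring the ASVS 4.0 JSON export shape (assumption):
# Requirements (chapters) -> Items (sections) -> Items (requirements), each
# requirement carrying a Shortcode, an abridged Description, and L1/L2/L3
# objects whose "Required" flag says whether the level demands it.
ASVS_SAMPLE = json.dumps({
    "ShortName": "ASVS",
    "Version": "4.0.3",
    "Requirements": [
        {"Shortcode": "V2", "Name": "Authentication", "Items": [
            {"Shortcode": "V2.1", "Name": "Password Security", "Items": [
                {"Shortcode": "V2.1.1",
                 "Description": "Verify that user set passwords are at least 12 characters in length.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
                {"Shortcode": "V2.1.7",
                 "Description": "Verify that submitted passwords are checked against a set of breached passwords.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
            ]},
            {"Shortcode": "V2.2", "Name": "General Authenticator Security", "Items": [
                {"Shortcode": "V2.2.4",
                 "Description": "Verify impersonation resistance against phishing, such as phishing-resistant MFA.",
                 "L1": {"Required": False}, "L2": {"Required": False}, "L3": {"Required": True}},
            ]},
        ]},
        {"Shortcode": "V3", "Name": "Session Management", "Items": [
            {"Shortcode": "V3.2", "Name": "Session Binding", "Items": [
                {"Shortcode": "V3.2.1",
                 "Description": "Verify the application generates a new session token on user authentication.",
                 "L1": {"Required": True}, "L2": {"Required": True}, "L3": {"Required": True}},
            ]},
        ]},
    ],
})

# Constructed assessment record: one entry per requirement the team has considered.
# A "not_applicable" decision must carry a justification to count as considered.
ASSESSMENT = {
    "V2.1.1": {"status": "implemented", "evidence": "PasswordPolicy.min_length = 12"},
    "V2.1.7": {"status": "missing", "ticket": "SEC-42"},
    "V3.2.1": {"status": "not_applicable",
               "justification": "No browser sessions; the API uses short-lived bearer tokens."},
}

VALID_STATUSES = ("implemented", "missing", "not_applicable")


def iter_requirements(asvs):
    """Yield (shortcode, description, {level: required}) for every leaf requirement."""
    for chapter in asvs["Requirements"]:
        for section in chapter["Items"]:
            for req in section["Items"]:
                levels = {lvl: bool(req.get(lvl, {}).get("Required")) for lvl in ("L1", "L2", "L3")}
                yield req["Shortcode"], req["Description"], levels


def gap_analysis(asvs_json, assessment, level="L2"):
    """Classify every requirement demanded at `level` using the assessment record.

    Returns a dict of shortcode lists: the three recorded statuses, plus
    "unassessed" (no decision at all) and "unjustified_na" (N/A without a reason).
    """
    asvs = json.loads(asvs_json)
    report = {s: [] for s in VALID_STATUSES}
    report["unassessed"] = []
    report["unjustified_na"] = []
    for code, _desc, levels in iter_requirements(asvs):
        if not levels[level]:
            continue  # not demanded at the target level, so not a gap here
        record = assessment.get(code)
        if record is None:
            report["unassessed"].append(code)
            continue
        status = record.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"{code}: unknown status {status!r}")
        if status == "not_applicable" and not record.get("justification"):
            report["unjustified_na"].append(code)
        report[status].append(code)
    return report


def has_gaps(report):
    """True if anything still needs a decision or a control."""
    return bool(report["missing"] or report["unassessed"] or report["unjustified_na"])


if __name__ == "__main__":
    for level in ("L1", "L2", "L3"):
        result = gap_analysis(ASVS_SAMPLE, ASSESSMENT, level)
        print(f"{level}: gaps={has_gaps(result)} {result}")
```

Run against the sample at L2, the report lists V2.1.7 as missing and nothing as unassessed; at L3, V2.2.4 (an L3-only requirement nobody has looked at) shows up as unassessed, which is exactly the "never considered" class of gap the paragraph above warns about. Swap `ASVS_SAMPLE` for the real export and `ASSESSMENT` for your own record to use it for real.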
The OWASP Spotlight series provides an overview of the ASVS and its uses: ‘Project 19 - OWASP Application Security Verification standard (ASVS)’.
The OWASP Cheat Sheets have been indexed specifically for each section of the ASVS, and that index can be used as documentation on the controls for a given requirement category.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.